Generated docs from job=generate-docs branch=master [ci skip]

2024-11-15 19:39:54 +00:00
parent e207ab6ff1
commit c78bb85e87
23 changed files with 286 additions and 262 deletions
@@ -40,6 +40,7 @@ defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e4
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
 defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
+defense-evasion,T1036.007,Masquerading: Double File Extension,1,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -541,7 +542,6 @@ defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading -
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
-defense-evasion,T1036.003,Masquerading: Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -18,6 +18,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,15,Rundll32 ex
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,16,Rundll32 execute payload by calling RouteTheCall,8a7f56ee-10e7-444c-a139-0109438288eb,powershell
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
+defense-evasion,T1036.007,Masquerading: Double File Extension,1,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -383,7 +384,6 @@ defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading -
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
-defense-evasion,T1036.003,Masquerading: Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -56,7 +56,8 @@
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
  - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1036.007 Masquerading: Double File Extension](../../T1036.007/T1036.007.md)
+  - Atomic Test #1: File Extension Masquerading [windows]
 - [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
  - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
  - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
@@ -681,7 +682,6 @@
  - Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
  - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
  - Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
-  - Atomic Test #9: File Extension Masquerading [windows]
 - T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
  - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
@@ -31,7 +31,8 @@
 - T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1036.007 Masquerading: Double File Extension](../../T1036.007/T1036.007.md)
+  - Atomic Test #1: File Extension Masquerading [windows]
 - [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
  - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
  - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
@@ -494,7 +495,6 @@
  - Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
  - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
  - Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
-  - Atomic Test #9: File Extension Masquerading [windows]
 - T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
  - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
@@ -16,7 +16,7 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -13,7 +13,7 @@
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -1181,7 +1181,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1219,6 +1219,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -2304,7 +2304,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -2342,7 +2342,81 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
-    atomic_tests: []
+      identifier: T1036.007
+    atomic_tests:
+    - name: File Extension Masquerading
+      auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+      description: |
+        download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
+
+        e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_path:
+          description: path to exe to use when creating masquerading files
+          type: path
+          default: C:\Windows\System32\calc.exe
+        vbs_path:
+          description: path of vbs to use when creating masquerading files
+          type: path
+          default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.vbs
+        ps1_path:
+          description: path of powershell script to use when creating masquerading
+            files
+          type: path
+          default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'File to copy must exist on disk at specified location (#{vbs_path})
+
+          '
+        prereq_command: 'if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
+      - description: 'File to copy must exist on disk at specified location (#{ps1_path})
+
+          '
+        prereq_command: 'if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"
+      executor:
+        command: |
+          copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
+          copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
+          copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
+          copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
+          copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
+          copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
+          copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
+          copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
+          copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
+          %temp%\T1036.007_masquerading.docx.exe
+          %temp%\T1036.007_masquerading.pdf.exe
+          %temp%\T1036.007_masquerading.ps1.exe
+          %temp%\T1036.007_masquerading.xls.vbs
+          %temp%\T1036.007_masquerading.xlsx.vbs
+          %temp%\T1036.007_masquerading.png.vbs
+          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
+          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
+          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
+        cleanup_command: |
+          del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
+        name: command_prompt
  T1548.002:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -24752,79 +24826,6 @@ defense-evasion:
          del C:\lsm.exe >nul 2>&1
        name: command_prompt
        elevation_required: true
-    - name: File Extension Masquerading
-      auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
-      description: |
-        download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
-
-        e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
-      supported_platforms:
-      - windows
-      input_arguments:
-        exe_path:
-          description: path to exe to use when creating masquerading files
-          type: path
-          default: C:\Windows\System32\calc.exe
-        vbs_path:
-          description: path of vbs to use when creating masquerading files
-          type: path
-          default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs
-        ps1_path:
-          description: path of powershell script to use when creating masquerading
-            files
-          type: path
-          default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'File to copy must exist on disk at specified location (#{vbs_path})
-
-          '
-        prereq_command: 'if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
-      - description: 'File to copy must exist on disk at specified location (#{ps1_path})
-
-          '
-        prereq_command: 'if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
-      executor:
-        command: |
-          copy "#{exe_path}" %temp%\T1036.003_masquerading.docx.exe /Y
-          copy "#{exe_path}" %temp%\T1036.003_masquerading.pdf.exe /Y
-          copy "#{exe_path}" %temp%\T1036.003_masquerading.ps1.exe /Y
-          copy "#{vbs_path}" %temp%\T1036.003_masquerading.xls.vbs /Y
-          copy "#{vbs_path}" %temp%\T1036.003_masquerading.xlsx.vbs /Y
-          copy "#{vbs_path}" %temp%\T1036.003_masquerading.png.vbs /Y
-          copy "#{ps1_path}" %temp%\T1036.003_masquerading.doc.ps1 /Y
-          copy "#{ps1_path}" %temp%\T1036.003_masquerading.pdf.ps1 /Y
-          copy "#{ps1_path}" %temp%\T1036.003_masquerading.rtf.ps1 /Y
-          %temp%\T1036.003_masquerading.docx.exe
-          %temp%\T1036.003_masquerading.pdf.exe
-          %temp%\T1036.003_masquerading.ps1.exe
-          %temp%\T1036.003_masquerading.xls.vbs
-          %temp%\T1036.003_masquerading.xlsx.vbs
-          %temp%\T1036.003_masquerading.png.vbs
-          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1
-          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1
-          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1
-        cleanup_command: |
-          del /f %temp%\T1036.003_masquerading.docx.exe > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.pdf.exe > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.ps1.exe > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.xls.vbs > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.xlsx.vbs > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.png.vbs > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.doc.ps1 > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
-        name: command_prompt
  T1562.011:
    technique:
      modified: '2023-04-12T22:46:33.995Z'
@@ -1785,7 +1785,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1823,6 +1823,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1403,7 +1403,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1441,6 +1441,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1130,7 +1130,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1168,6 +1168,7 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1036.007
    atomic_tests: []
  T1548.002:
    technique:
@@ -1598,7 +1598,7 @@ defense-evasion:
        description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
          with double extension?. Retrieved July 27, 2021.
      modified: '2022-04-25T14:00:00.188Z'
-      name: Double File Extension
+      name: 'Masquerading: Double File Extension'
      description: "Adversaries may abuse a double extension in the filename as a
        means of masquerading the true file type. A file name may include a secondary
        file type extension that may cause only the first extension to be displayed
@@ -1636,7 +1636,81 @@ defense-evasion:
      - 'File: File Metadata'
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
-    atomic_tests: []
+      identifier: T1036.007
+    atomic_tests:
+    - name: File Extension Masquerading
+      auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+      description: |
+        download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
+
+        e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_path:
+          description: path to exe to use when creating masquerading files
+          type: path
+          default: C:\Windows\System32\calc.exe
+        vbs_path:
+          description: path of vbs to use when creating masquerading files
+          type: path
+          default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.vbs
+        ps1_path:
+          description: path of powershell script to use when creating masquerading
+            files
+          type: path
+          default: PathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'File to copy must exist on disk at specified location (#{vbs_path})
+
+          '
+        prereq_command: 'if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
+      - description: 'File to copy must exist on disk at specified location (#{ps1_path})
+
+          '
+        prereq_command: 'if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"
+      executor:
+        command: |
+          copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
+          copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
+          copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
+          copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
+          copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
+          copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
+          copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
+          copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
+          copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
+          %temp%\T1036.007_masquerading.docx.exe
+          %temp%\T1036.007_masquerading.pdf.exe
+          %temp%\T1036.007_masquerading.ps1.exe
+          %temp%\T1036.007_masquerading.xls.vbs
+          %temp%\T1036.007_masquerading.xlsx.vbs
+          %temp%\T1036.007_masquerading.png.vbs
+          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
+          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
+          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
+        cleanup_command: |
+          del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
+          del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
+        name: command_prompt
  T1548.002:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -20624,79 +20698,6 @@ defense-evasion:
          del C:\lsm.exe >nul 2>&1
        name: command_prompt
        elevation_required: true
-    - name: File Extension Masquerading
-      auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
-      description: |
-        download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
-
-        e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
-      supported_platforms:
-      - windows
-      input_arguments:
-        exe_path:
-          description: path to exe to use when creating masquerading files
-          type: path
-          default: C:\Windows\System32\calc.exe
-        vbs_path:
-          description: path of vbs to use when creating masquerading files
-          type: path
-          default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs
-        ps1_path:
-          description: path of powershell script to use when creating masquerading
-            files
-          type: path
-          default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'File to copy must exist on disk at specified location (#{vbs_path})
-
-          '
-        prereq_command: 'if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
-      - description: 'File to copy must exist on disk at specified location (#{ps1_path})
-
-          '
-        prereq_command: 'if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
-      executor:
-        command: |
-          copy "#{exe_path}" %temp%\T1036.003_masquerading.docx.exe /Y
-          copy "#{exe_path}" %temp%\T1036.003_masquerading.pdf.exe /Y
-          copy "#{exe_path}" %temp%\T1036.003_masquerading.ps1.exe /Y
-          copy "#{vbs_path}" %temp%\T1036.003_masquerading.xls.vbs /Y
-          copy "#{vbs_path}" %temp%\T1036.003_masquerading.xlsx.vbs /Y
-          copy "#{vbs_path}" %temp%\T1036.003_masquerading.png.vbs /Y
-          copy "#{ps1_path}" %temp%\T1036.003_masquerading.doc.ps1 /Y
-          copy "#{ps1_path}" %temp%\T1036.003_masquerading.pdf.ps1 /Y
-          copy "#{ps1_path}" %temp%\T1036.003_masquerading.rtf.ps1 /Y
-          %temp%\T1036.003_masquerading.docx.exe
-          %temp%\T1036.003_masquerading.pdf.exe
-          %temp%\T1036.003_masquerading.ps1.exe
-          %temp%\T1036.003_masquerading.xls.vbs
-          %temp%\T1036.003_masquerading.xlsx.vbs
-          %temp%\T1036.003_masquerading.png.vbs
-          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1
-          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1
-          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1
-        cleanup_command: |
-          del /f %temp%\T1036.003_masquerading.docx.exe > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.pdf.exe > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.ps1.exe > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.xls.vbs > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.xlsx.vbs > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.png.vbs > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.doc.ps1 > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
-          del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
-        name: command_prompt
  T1562.011:
    technique:
      modified: '2023-04-12T22:46:33.995Z'
@@ -20,8 +20,6 @@

 - [Atomic Test #8 - Malicious process Masquerading as LSM.exe](#atomic-test-8---malicious-process-masquerading-as-lsmexe)

- [Atomic Test #9 - File Extension Masquerading](#atomic-test-9---file-extension-masquerading)
-

 <br/>

@@ -343,93 +341,4 @@ del C:\lsm.exe >nul 2>&1



-<br/>
-<br/>
-
-## Atomic Test #9 - File Extension Masquerading
-download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
-
-e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| exe_path | path to exe to use when creating masquerading files | path | C:&#92;Windows&#92;System32&#92;calc.exe|
-| vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.vbs|
-| ps1_path | path of powershell script to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.ps1|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-copy "#{exe_path}" %temp%\T1036.003_masquerading.docx.exe /Y
-copy "#{exe_path}" %temp%\T1036.003_masquerading.pdf.exe /Y
-copy "#{exe_path}" %temp%\T1036.003_masquerading.ps1.exe /Y
-copy "#{vbs_path}" %temp%\T1036.003_masquerading.xls.vbs /Y
-copy "#{vbs_path}" %temp%\T1036.003_masquerading.xlsx.vbs /Y
-copy "#{vbs_path}" %temp%\T1036.003_masquerading.png.vbs /Y
-copy "#{ps1_path}" %temp%\T1036.003_masquerading.doc.ps1 /Y
-copy "#{ps1_path}" %temp%\T1036.003_masquerading.pdf.ps1 /Y
-copy "#{ps1_path}" %temp%\T1036.003_masquerading.rtf.ps1 /Y
-%temp%\T1036.003_masquerading.docx.exe
-%temp%\T1036.003_masquerading.pdf.exe
-%temp%\T1036.003_masquerading.ps1.exe
-%temp%\T1036.003_masquerading.xls.vbs
-%temp%\T1036.003_masquerading.xlsx.vbs
-%temp%\T1036.003_masquerading.png.vbs
-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1
-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1
-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1
-```
-
-#### Cleanup Commands:
-```cmd
-del /f %temp%\T1036.003_masquerading.docx.exe > nul 2>&1
-del /f %temp%\T1036.003_masquerading.pdf.exe > nul 2>&1
-del /f %temp%\T1036.003_masquerading.ps1.exe > nul 2>&1
-del /f %temp%\T1036.003_masquerading.xls.vbs > nul 2>&1
-del /f %temp%\T1036.003_masquerading.xlsx.vbs > nul 2>&1
-del /f %temp%\T1036.003_masquerading.png.vbs > nul 2>&1
-del /f %temp%\T1036.003_masquerading.doc.ps1 > nul 2>&1
-del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
-del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: File to copy must exist on disk at specified location (#{vbs_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
-```
-##### Description: File to copy must exist on disk at specified location (#{ps1_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
-```
-
-
-
-
 <br/>
@@ -0,0 +1,102 @@
+# T1036.007 - Masquerading: Double File Extension
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/007)
+<blockquote>Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) 
+
+Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)
+
+Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - File Extension Masquerading](#atomic-test-1---file-extension-masquerading)
+
+
+<br/>
+
+## Atomic Test #1 - File Extension Masquerading
+download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
+
+e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_path | path to exe to use when creating masquerading files | path | C:&#92;Windows&#92;System32&#92;calc.exe|
+| vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.007&#92;src&#92;T1036.007_masquerading.vbs|
+| ps1_path | path of powershell script to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.007&#92;src&#92;T1036.007_masquerading.ps1|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
+copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
+copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
+copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
+copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
+copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
+copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
+copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
+copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
+%temp%\T1036.007_masquerading.docx.exe
+%temp%\T1036.007_masquerading.pdf.exe
+%temp%\T1036.007_masquerading.ps1.exe
+%temp%\T1036.007_masquerading.xls.vbs
+%temp%\T1036.007_masquerading.xlsx.vbs
+%temp%\T1036.007_masquerading.png.vbs
+C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
+C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
+C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
+```
+
+#### Cleanup Commands:
+```cmd
+del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
+del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
+del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
+del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
+del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
+del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
+del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
+del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
+del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: File to copy must exist on disk at specified location (#{vbs_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
+```
+##### Description: File to copy must exist on disk at specified location (#{ps1_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"
+```
+
+
+
+
+<br/>