Merge pull request #153 from redcanaryco/atomic-doc-indices

Atomic doc indices
2018-05-11 10:26:40 -04:00
parent 54ff6e1bc6 e80fa2f759
commit d7599679b3
18 changed files with 818 additions and 193 deletions
@@ -26,7 +26,7 @@ jobs:
      - run:
          name: Validate the format of atomic tests against the spec
          command: |
-            ./validate_atomics.rb
+            bin/validate-atomics.rb

  generate_docs:
    <<: *defaults
@@ -34,4 +34,5 @@ jobs:
      - run:
          name: Generate nice markdown document for atomics
          command: |
-            ./generate_atomic_docs.rb
+            bin/generate-atomic-docs.rb
+            git status
@@ -2,3 +2,4 @@
 .DS_store
 .vscode
 .atom
+atomic-red-team/enterprise-attack.json
@@ -1,35 +1,39 @@
-## How to contribute to Atomic Red Team
-
-#### **Atomic Contribution**
+# How to contribute to Atomic Red Team

+## Atomic Philosophy
 Atomic Red Team welcomes all types of contributions as long as it is mapped to [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page).

-The Framework is also meant to be "easy". If your Atomic test is complicated and requires multiple external utilities/packages/Kali, we may dismiss it.
+- Tests are made to be "easy". If your Atomic test is complicated and requires multiple external utilities/packages/Kali, we may dismiss it.

-TEST YOUR Atomic Test! Be sure to run it from a few OS platforms before submitting a pull to ensure everything is working correctly.
+- TEST YOUR Atomic Test! Be sure to run it from a few OS platforms before submitting a pull to ensure everything is working correctly.

-If sourcing from another tool/product (ex. generated command), be sure to cite it in your .md file.
+- If sourcing from another tool/product (ex. generated command), be sure to cite it in the test's description.

-Any and all Payloads need to be placed in the respective Windows|Mac|Linux Payload directory.
+## How to contribute
+Pick the technique you want to add a test for and run the generator:

-Be sure you update the ATT&CK url, Txxxx number, and the title (ex. InstallUtil).
+```
+bin/new-atomic.rb T1234
+```

+This makes a new test for the technique with a bunch of TBDs you'll fill in and opens up your editor
+so you can get to work.

-#### Atomic Template Example
+Fill in the TBDs with the information for your test. Read the [Atomic Red Team YAML Spec](atomic-red-team/spec.yaml)
+for complete details about what each field means and a list of possible values.

+Validate that your Atomic Test is up to code!

-    ## InstallUtil
+```
+bin/validate-atomics.rb
+```

-    MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118)
+Submit a pull request once your test is complete and everything validates.

-    ### Execution Examples:
+## Generating Atomic docs yourself (optional)
+If you want to see what the pretty Markdown version of your Atomic Test is going to look like, 
+you can generate the Atomic Docs yourself:

-    Input:
-
-        x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
-
-        x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
-
-    ## Test Script
-
-    [InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs)
+```
+bin/generate-atomic-docs.rb
+```
@@ -1,7 +1,7 @@

 The MIT License

-Copyright (c) 2016 Red Canary, Inc.
+Copyright (c) 2018 Red Canary, Inc.

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -0,0 +1 @@
+TBD
@@ -0,0 +1,130 @@
+#! /usr/bin/env ruby
+require 'yaml'
+require 'erb'
+require 'attack_api'
+
+class AtomicRedTeam
+  ATTACK_API = Attack.new
+
+  ATOMICS_DIRECTORY = "#{File.dirname(File.dirname(__FILE__))}/atomics"
+
+  # TODO- should these all be relative URLs?
+  ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
+  
+  #
+  # Returns a list of paths that contain Atomic Tests
+  #
+  def atomic_test_paths
+    Dir["#{ATOMICS_DIRECTORY}/t*/t*.yaml"].sort
+  end
+
+  #
+  # Returns a list of Atomic Tests in Atomic Red Team (as Hashes from source YAML) 
+  #
+  def atomic_tests
+    @atomic_tests ||= atomic_test_paths.collect do |path| 
+      atomic_yaml = YAML.load(File.read path)
+      atomic_yaml['atomic_yaml_path'] = path
+      atomic_yaml
+    end
+  end
+
+  #
+  # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
+  #
+  def atomic_tests_for_technique(technique_or_technique_identifier)
+    technique_identifier = if technique_or_technique_identifier.is_a? Hash
+      ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
+    else
+      technique_or_technique_identifier
+    end
+
+    atomic_tests.find do |atomic_yaml| 
+      atomic_yaml.fetch('attack_technique').downcase == technique_identifier.downcase
+    end.to_h.fetch('atomic_tests', [])
+  end
+
+  #
+  # Returns a Markdown formatted Github link to a technique. This will be to the edit page for 
+  # techniques that already have one or more Atomic Red Team tests, or the create page for
+  # techniques that have no existing tests.
+  #
+  def github_link_to_technique(technique, include_identifier=false)
+    technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).downcase
+    link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
+
+    if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
+      # we have a file for this technique, so link to it's Markdown file
+      "[#{link_display}](#{ROOT_GITHUB_URL}/tree/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
+    else
+      # we don't have a file for this technique, so link to an edit page
+      "[#{link_display}](#{ROOT_GITHUB_URL}/edit/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
+    end
+  end
+
+  def validate_atomic_yaml!(yaml)
+    raise("YAML file has no elements") if yaml.nil?
+  
+    raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
+    raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
+  
+    raise('`display_name` element is required') unless yaml.has_key?('display_name')
+    raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
+  
+    raise('`atomic_tests` element is required') unless yaml.has_key?('atomic_tests')
+    raise('`atomic_tests` element must be an array') unless yaml['atomic_tests'].is_a?(Array)
+    raise('`atomic_tests` element is empty - you have no tests') unless yaml['atomic_tests'].count > 0
+  
+    yaml['atomic_tests'].each_with_index do |atomic, i|
+      raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
+      raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
+  
+      raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
+      raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
+  
+      raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
+      raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
+  
+      valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
+      atomic['supported_platforms'].each do |platform|
+        if !valid_supported_platforms.include?(platform)
+          raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
+        end
+      end
+  
+      (atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
+        arg_name, arg = arg_kvp
+        raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
+        raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element must be a string") unless arg['description'].is_a?(String)
+  
+        raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element is required") unless arg.has_key?('type')
+        raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be a string") unless arg['type'].is_a?(String)
+        raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be lowercased and underscored (was #{arg['type']})") unless arg['type'] =~ /[a-z_]+/
+  
+        # TODO: determine if we think default values are required for EVERY input argument
+        # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element is required") unless arg.has_key?('default')
+        # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element must be a string (was a #{arg['default'].class.name})") unless arg['default'].is_a?(String)
+      end
+  
+      raise("`atomic_tests[#{i}].executor` element is required") unless atomic.has_key?('executor')
+      executor = atomic['executor']
+      raise("`atomic_tests[#{i}].executor.name` element is required") unless executor.has_key?('name')
+      raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
+      raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
+  
+      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
+      case executor['name']
+        when 'manual'
+          raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
+          raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
+  
+        when 'command_prompt', 'sh', 'bash', 'powershell'
+          raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
+          raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
+  
+        else
+          raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
+      end
+    end
+  end
+end
@@ -20,7 +20,7 @@ atomic_tests:
      type: todo
      default: TODO

-  executors:
-    name: TODO
+  executor:
+    name: command_prompt
    command: |
      TODO
@@ -0,0 +1,110 @@
+#! /usr/bin/env ruby
+require 'open-uri'
+require 'json'
+
+#
+# Attack is an API class that loads information about ATT&CK techniques from MITRE'S ATT&CK 
+# STIX representation. It makes it very simple to do common things with ATT&CK.
+#
+class Attack
+  # 
+  # Tactics as presented in the order that the ATT&CK matrics uses
+  #
+  def ordered_tactics 
+    [
+      'initial-access',
+      'execution',
+      'persistence',
+      'privilege-escalation',
+      'defense-evasion',
+      'credential-access',
+      'discovery',
+      'lateral-movement',
+      'collection',
+      'exfiltration',
+      'command-and-control',
+    ]
+  end
+
+  # 
+  # Returns the technique identifier (T1234) for a Technique object
+  #
+  def technique_identifier_for_technique(technique)
+    technique.fetch('external_references', []).find do |refs| 
+      refs['source_name'] == 'mitre-attack'
+    end['external_id'].upcase
+  end
+
+  # 
+  # Returns a Technique object given a technique identifier (T1234)
+  #
+  def technique_info(technique_id)
+    techniques.find do |item| 
+      item.fetch('external_references', []).find do |references|
+        references['external_id'] == technique_id.upcase
+      end
+    end
+  end
+  
+  # 
+  # Returns the ATT&CK Matrix as a 2D array, in order by `ordered_tactics`
+  #
+  def ordered_tactic_to_technique_matrix
+    # make an 2d array of our techniques in the order our tactics appear
+    all_techniques_in_tactic_order = []
+    ordered_tactics.each do |tactic|
+      all_techniques_in_tactic_order << techniques_by_tactic[tactic]
+    end
+
+    # figure out the max number of techniques any one tactic has
+    max_techniques = all_techniques_in_tactic_order.collect(&:count).max
+
+    # extend each array of techniques to that length
+    all_techniques_in_tactic_order.each {|techniques| techniques.concat(Array.new(max_techniques - techniques.count, nil))}
+
+    # transpose to give us the data in columnar format
+    all_techniques_in_tactic_order.transpose
+  end
+
+  # 
+  # Returns a map of all [ ATT&CK Tactic name ] => [ List of ATT&CK techniques associated with that tactic]
+  #
+  def techniques_by_tactic
+    techniques_by_tactic = Hash.new {|h, k| h[k] = []}
+    techniques.each do |technique|
+      technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
+        techniques_by_tactic[tactic.fetch('phase_name')] << technique
+      end
+    end
+    techniques_by_tactic
+  end 
+
+  #
+  # Returns a list of all ATT&CK techniques
+  #
+  def techniques
+    # pull out the attack pattern objects
+    attack_stix.fetch("objects").select do |item| 
+      item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
+        references['source_name'] == 'mitre-attack'
+      end
+    end
+  end
+
+  private
+
+  #
+  # Returns the complete ATT&CK STIX collection parsed into a Hash
+  #
+  def attack_stix
+    @attack_stix ||= begin
+      # load the full attack library
+      local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
+      if File.exists? local_attack_json_to_try
+        JSON.parse File.read(local_attack_json_to_try)
+      else
+        JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
+      end
+    end
+  end
+end
@@ -0,0 +1,337 @@
+# persistence
+- [T1156 .bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1156/t1156.md)
+- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md)
+- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md)
+- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md)
+- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md)
+- [T1131 Authentication Package](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1131/t1131.md)
+- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md)
+- [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1067/t1067.md)
+- [T1176 Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1176/t1176.md)
+  - Atomic Test #1: Chrome (Developer Mode)
+  - Atomic Test #2: Chrome (Chrome Web Store)
+  - Atomic Test #3: Firefox
+- [T1042 Change Default File Association](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1042/t1042.md)
+- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md)
+- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md)
+- [T1136 Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1136/t1136.md)
+  - Atomic Test #1: Create a user account on a Linux system
+  - Atomic Test #2: Create a user account on a MacOS system
+- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md)
+- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md)
+- [T1133 External Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1133/t1133.md)
+- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md)
+- [T1158 Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md)
+  - Atomic Test #1: Create a hidden file in a hidden directory
+- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md)
+- [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1062/t1062.md)
+- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md)
+- [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1215/t1215.md)
+- [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1161/t1161.md)
+- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md)
+- [T1159 Launch Agent](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1159/t1159.md)
+- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md)
+- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md)
+- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md)
+- [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1162/t1162.md)
+- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md)
+- [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1031/t1031.md)
+- [T1128 Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1128/t1128.md)
+- [T1050 New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md)
+- [T1137 Office Application Startup](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1137/t1137.md)
+- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md)
+- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md)
+- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md)
+- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md)
+- [T1163 Rc.common](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1163/t1163.md)
+- [T1164 Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1164/t1164.md)
+- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md)
+- [T1060 Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1060/t1060.md)
+- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md)
+- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md)
+- [T1180 Screensaver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1180/t1180.md)
+- [T1101 Security Support Provider](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1101/t1101.md)
+- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md)
+- [T1023 Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1023/t1023.md)
+- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md)
+- [T1019 System Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1019/t1019.md)
+- [T1209 Time Providers](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1209/t1209.md)
+- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md)
+- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md)
+- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md)
+- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1084/t1084.md)
+- [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1004/t1004.md)
+
+# defense-evasion
+- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md)
+- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md)
+- [T1009 Binary Padding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1009/t1009.md)
+- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md)
+- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md)
+- [T1146 Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1146/t1146.md)
+  - Atomic Test #1: Clear Bash history (rm)
+  - Atomic Test #2: Clear Bash history (echo)
+  - Atomic Test #3: Clear Bash history (cat dev/null)
+  - Atomic Test #4: Clear Bash history (ln dev/null)
+  - Atomic Test #5: Clear Bash history (truncate)
+  - Atomic Test #6: Clear history of a bunch of shells
+- [T1116 Code Signing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1116/t1116.md)
+- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md)
+- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md)
+- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md)
+- [T1207 DCShadow](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1207/t1207.md)
+- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md)
+- [T1073 DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1073/t1073.md)
+- [T1140 Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1140/t1140.md)
+- [T1089 Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1089/t1089.md)
+  - Atomic Test #1: Disable iptables firewall
+  - Atomic Test #2: Disable syslog
+  - Atomic Test #3: Disable Cb Response
+  - Atomic Test #4: Disable SELinux
+- [T1211 Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1211/t1211.md)
+- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md)
+- [T1107 File Deletion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1107/t1107.md)
+- [T1006 File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1006/t1006.md)
+- [T1144 Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1144/t1144.md)
+- [T1148 HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1148/t1148.md)
+- [T1158 Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md)
+  - Atomic Test #1: Create a hidden file in a hidden directory
+- [T1147 Hidden Users](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1147/t1147.md)
+- [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1143/t1143.md)
+- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md)
+- [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1054/t1054.md)
+- [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1066/t1066.md)
+- [T1070 Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1070/t1070.md)
+- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1202/t1202.md)
+- [T1130 Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1130/t1130.md)
+  - Atomic Test #1: Install root CA on CentOS/RHEL
+- [T1118 InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md)
+- [T1149 LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1149/t1149.md)
+- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md)
+- [T1036 Masquerading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1036/t1036.md)
+- [T1112 Modify Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1112/t1112.md)
+- [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md)
+- [T1096 NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1096/t1096.md)
+- [T1126 Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1126/t1126.md)
+- [T1027 Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1027/t1027.md)
+- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md)
+- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md)
+- [T1186 Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1186/t1186.md)
+- [T1093 Process Hollowing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1093/t1093.md)
+- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md)
+- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md)
+- [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md)
+- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md)
+- [T1014 Rootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1014/t1014.md)
+- [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md)
+- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md)
+- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md)
+- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md)
+- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md)
+- [T1045 Software Packing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1045/t1045.md)
+- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md)
+- [T1099 Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1099/t1099.md)
+  - Atomic Test #1: Set a file's access timestamp
+  - Atomic Test #2: Set a file's modification timestamp
+  - Atomic Test #3: Set a file's creation timestamp
+- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md)
+- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md)
+- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md)
+
+# privilege-escalation
+- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md)
+- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md)
+- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md)
+- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md)
+- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md)
+- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md)
+- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md)
+- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md)
+- [T1068 Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1068/t1068.md)
+- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md)
+- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md)
+- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md)
+- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md)
+- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md)
+- [T1050 New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md)
+- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md)
+- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md)
+- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md)
+- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md)
+- [T1178 SID-History Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1178/t1178.md)
+- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md)
+- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md)
+- [T1166 Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1166/t1166.md)
+- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md)
+- [T1169 Sudo](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1169/t1169.md)
+- [T1206 Sudo Caching](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1206/t1206.md)
+- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md)
+- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md)
+
+# discovery
+- [T1087 Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1087/t1087.md)
+  - Atomic Test #1: List all accounts
+  - Atomic Test #2: View sudoers access
+  - Atomic Test #3: View accounts with UID 0
+  - Atomic Test #4: List opened files by user
+  - Atomic Test #5: Show if a user account has ever logger in remotely
+- [T1010 Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1010/t1010.md)
+- [T1217 Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1217/t1217.md)
+- [T1083 File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1083/t1083.md)
+- [T1046 Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1046/t1046.md)
+  - Atomic Test #1: Scan a bunch of ports to see if they are open
+- [T1135 Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1135/t1135.md)
+- [T1201 Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1201/t1201.md)
+- [T1120 Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1120/t1120.md)
+- [T1069 Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1069/t1069.md)
+- [T1057 Process Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1057/t1057.md)
+- [T1012 Query Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1012/t1012.md)
+- [T1018 Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1018/t1018.md)
+- [T1063 Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1063/t1063.md)
+- [T1082 System Information Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1082/t1082.md)
+- [T1016 System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1016/t1016.md)
+- [T1049 System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1049/t1049.md)
+- [T1033 System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1033/t1033.md)
+- [T1007 System Service Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1007/t1007.md)
+- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1124/t1124.md)
+
+# credential-access
+- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1098/t1098.md)
+- [T1139 Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md)
+  - Atomic Test #1: xxxx
+- [T1110 Brute Force](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1110/t1110.md)
+- [T1003 Credential Dumping](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1003/t1003.md)
+- [T1081 Credentials in Files](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1081/t1081.md)
+- [T1214 Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1214/t1214.md)
+- [T1212 Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1212/t1212.md)
+- [T1187 Forced Authentication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1187/t1187.md)
+- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md)
+- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md)
+- [T1141 Input Prompt](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1141/t1141.md)
+- [T1208 Kerberoasting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1208/t1208.md)
+- [T1142 Keychain](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1142/t1142.md)
+- [T1171 LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1171/t1171.md)
+- [T1040 Network Sniffing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1040/t1040.md)
+- [T1174 Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1174/t1174.md)
+- [T1145 Private Keys](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1145/t1145.md)
+- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md)
+- [T1167 Securityd Memory](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1167/t1167.md)
+- [T1111 Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1111/t1111.md)
+
+# execution
+- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md)
+- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md)
+- [T1059 Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1059/t1059.md)
+- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md)
+- [T1173 Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1173/t1173.md)
+- [T1106 Execution through API](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1106/t1106.md)
+- [T1129 Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1129/t1129.md)
+- [T1203 Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1203/t1203.md)
+- [T1061 Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1061/t1061.md)
+- [T1118 InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md)
+- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md)
+- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md)
+- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md)
+- [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md)
+- [T1086 PowerShell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1086/t1086.md)
+- [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md)
+- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md)
+- [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md)
+- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md)
+- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md)
+- [T1035 Service Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1035/t1035.md)
+- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md)
+- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md)
+- [T1153 Source](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1153/t1153.md)
+- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md)
+- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md)
+- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md)
+- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md)
+- [T1204 User Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1204/t1204.md)
+- [T1047 Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1047/t1047.md)
+- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md)
+
+# lateral-movement
+- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md)
+- [T1017 Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1017/t1017.md)
+- [T1175 Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1175/t1175.md)
+- [T1210 Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1210/t1210.md)
+- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md)
+- [T1075 Pass the Hash](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1075/t1075.md)
+- [T1097 Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1097/t1097.md)
+- [T1076 Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1076/t1076.md)
+- [T1105 Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md)
+  - Atomic Test #1: xxxx
+- [T1021 Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1021/t1021.md)
+- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md)
+- [T1184 SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1184/t1184.md)
+- [T1051 Shared Webroot](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1051/t1051.md)
+- [T1080 Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1080/t1080.md)
+- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md)
+- [T1077 Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1077/t1077.md)
+- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md)
+
+# collection
+- [T1123 Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1123/t1123.md)
+  - Atomic Test #1: SourceRecorder via Windows command prompt
+  - Atomic Test #2: PowerShell Cmdlet via Windows command prompt
+- [T1119 Automated Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md)
+- [T1115 Clipboard Data](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1115/t1115.md)
+- [T1074 Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md)
+- [T1213 Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1213/t1213.md)
+- [T1005 Data from Local System](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1005/t1005.md)
+- [T1039 Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1039/t1039.md)
+- [T1025 Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1025/t1025.md)
+- [T1114 Email Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1114/t1114.md)
+- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md)
+- [T1185 Man in the Browser](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1185/t1185.md)
+- [T1113 Screen Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1113/t1113.md)
+- [T1125 Video Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1125/t1125.md)
+
+# exfiltration
+- [T1020 Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1020/t1020.md)
+- [T1002 Data Compressed](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1002/t1002.md)
+- [T1022 Data Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md)
+- [T1030 Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md)
+- [T1048 Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1048/t1048.md)
+- [T1041 Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1041/t1041.md)
+- [T1011 Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1011/t1011.md)
+- [T1052 Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1052/t1052.md)
+- [T1029 Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1029/t1029.md)
+
+# command-and-control
+- [T1043 Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1043/t1043.md)
+- [T1092 Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1092/t1092.md)
+- [T1090 Connection Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1090/t1090.md)
+- [T1094 Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1094/t1094.md)
+- [T1024 Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1024/t1024.md)
+- [T1132 Data Encoding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1132/t1132.md)
+- [T1001 Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1001/t1001.md)
+- [T1172 Domain Fronting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1172/t1172.md)
+- [T1008 Fallback Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1008/t1008.md)
+- [T1104 Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1104/t1104.md)
+- [T1188 Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1188/t1188.md)
+- [T1026 Multiband Communication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1026/t1026.md)
+- [T1079 Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1079/t1079.md)
+- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md)
+- [T1219 Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1219/t1219.md)
+- [T1105 Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md)
+  - Atomic Test #1: xxxx
+- [T1071 Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1071/t1071.md)
+- [T1032 Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1032/t1032.md)
+- [T1095 Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1095/t1095.md)
+- [T1065 Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1065/t1065.md)
+- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md)
+
+# initial-access
+- [T1189 Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1189/t1189.md)
+- [T1190 Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1190/t1190.md)
+- [T1200 Hardware Additions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1200/t1200.md)
+- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md)
+- [T1193 Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1193/t1193.md)
+- [T1192 Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1192/t1192.md)
+- [T1194 Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1194/t1194.md)
+- [T1195 Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1195/t1195.md)
+- [T1199 Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1199/t1199.md)
+- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md)
+
@@ -0,0 +1,61 @@
+| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
+|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
+| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1189/t1189.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1156/t1156.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1098/t1098.md) | [Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1087/t1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) | [Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1123/t1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1020/t1020.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1043/t1043.md) |
+| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1190/t1190.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1010/t1010.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1017/t1017.md) | [Automated Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md) | [Data Compressed](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1002/t1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1092/t1092.md) |
+| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1200/t1200.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1059/t1059.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1009/t1009.md) | [Brute Force](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1110/t1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1217/t1217.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1175/t1175.md) | [Clipboard Data](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1115/t1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1090/t1090.md) |
+| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Credential Dumping](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1003/t1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1083/t1083.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1210/t1210.md) | [Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1094/t1094.md) |
+| [Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1193/t1193.md) | [Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1173/t1173.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1081/t1081.md) | [Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1046/t1046.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) | [Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1213/t1213.md) | [Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1048/t1048.md) | [Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1024/t1024.md) |
+| [Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1192/t1192.md) | [Execution through API](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1106/t1106.md) | [Authentication Package](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1131/t1131.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1146/t1146.md) | [Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1214/t1214.md) | [Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1135/t1135.md) | [Pass the Hash](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1075/t1075.md) | [Data from Local System](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1005/t1005.md) | [Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1041/t1041.md) | [Data Encoding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1132/t1132.md) |
+| [Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1194/t1194.md) | [Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1129/t1129.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Code Signing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1116/t1116.md) | [Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1212/t1212.md) | [Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1201/t1201.md) | [Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1097/t1097.md) | [Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1039/t1039.md) | [Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1011/t1011.md) | [Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1001/t1001.md) |
+| [Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1195/t1195.md) | [Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1203/t1203.md) | [Bootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1067/t1067.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) | [Forced Authentication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1187/t1187.md) | [Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1120/t1120.md) | [Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1076/t1076.md) | [Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1025/t1025.md) | [Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1052/t1052.md) | [Domain Fronting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1172/t1172.md) |
+| [Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1199/t1199.md) | [Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1061/t1061.md) | [Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1176/t1176.md) | [Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1068/t1068.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1069/t1069.md) | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) | [Email Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1114/t1114.md) | [Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1029/t1029.md) | [Fallback Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1008/t1008.md) |
+| [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) | [Change Default File Association](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1042/t1042.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) | [Process Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1057/t1057.md) | [Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1021/t1021.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) |  | [Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1104/t1104.md) |
+|  | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [DCShadow](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1207/t1207.md) | [Input Prompt](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1141/t1141.md) | [Query Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1012/t1012.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Man in the Browser](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1185/t1185.md) |  | [Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1188/t1188.md) |
+|  | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Kerberoasting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1208/t1208.md) | [Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1018/t1018.md) | [SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1184/t1184.md) | [Screen Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1113/t1113.md) |  | [Multiband Communication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1026/t1026.md) |
+|  | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) | [Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1136/t1136.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | [DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1073/t1073.md) | [Keychain](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1142/t1142.md) | [Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1063/t1063.md) | [Shared Webroot](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1051/t1051.md) | [Video Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1125/t1125.md) |  | [Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1079/t1079.md) |
+|  | [Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) | [Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1140/t1140.md) | [LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1171/t1171.md) | [System Information Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1082/t1082.md) | [Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1080/t1080.md) |  |  | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) |
+|  | [PowerShell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1086/t1086.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) | [New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) | [Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1089/t1089.md) | [Network Sniffing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1040/t1040.md) | [System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1016/t1016.md) | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) |  |  | [Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1219/t1219.md) |
+|  | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1133/t1133.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1211/t1211.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1174/t1174.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1049/t1049.md) | [Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1077/t1077.md) |  |  | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) |
+|  | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Private Keys](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1145/t1145.md) | [System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1033/t1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) |  |  | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1071/t1071.md) |
+|  | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) | [File Deletion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1107/t1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [System Service Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1007/t1007.md) |  |  |  | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1032/t1032.md) |
+|  | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1006/t1006.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1167/t1167.md) | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1124/t1124.md) |  |  |  | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1095/t1095.md) |
+|  | [Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1062/t1062.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1178/t1178.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1144/t1144.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1111/t1111.md) |  |  |  |  | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1065/t1065.md) |
+|  | [Service Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1035/t1035.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | [HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1148/t1148.md) |  |  |  |  |  | [Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) |
+|  | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md) | [Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1215/t1215.md) | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) |  |  |  |  |  |  |
+|  | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md) | [LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1161/t1161.md) | [Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1166/t1166.md) | [Hidden Users](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1147/t1147.md) |  |  |  |  |  |  |
+|  | [Source](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1153/t1153.md) | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) | [Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) | [Hidden Window](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1143/t1143.md) |  |  |  |  |  |  |
+|  | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md) | [Launch Agent](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1159/t1159.md) | [Sudo](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1169/t1169.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) |  |  |  |  |  |  |
+|  | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1206/t1206.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1054/t1054.md) |  |  |  |  |  |  |
+|  | [Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md) | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1066/t1066.md) |  |  |  |  |  |  |
+|  | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1070/t1070.md) |  |  |  |  |  |  |
+|  | [User Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1204/t1204.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1162/t1162.md) |  | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1202/t1202.md) |  |  |  |  |  |  |
+|  | [Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1047/t1047.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) |  | [Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1130/t1130.md) |  |  |  |  |  |  |
+|  | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1031/t1031.md) |  | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) |  |  |  |  |  |  |
+|  |  | [Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1128/t1128.md) |  | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1149/t1149.md) |  |  |  |  |  |  |
+|  |  | [New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) |  | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) |  |  |  |  |  |  |
+|  |  | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1137/t1137.md) |  | [Masquerading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1036/t1036.md) |  |  |  |  |  |  |
+|  |  | [Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) |  | [Modify Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1112/t1112.md) |  |  |  |  |  |  |
+|  |  | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) |  | [Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) |  |  |  |  |  |  |
+|  |  | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) |  | [NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1096/t1096.md) |  |  |  |  |  |  |
+|  |  | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) |  | [Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1126/t1126.md) |  |  |  |  |  |  |
+|  |  | [Rc.common](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1163/t1163.md) |  | [Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1027/t1027.md) |  |  |  |  |  |  |
+|  |  | [Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1164/t1164.md) |  | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) |  |  |  |  |  |  |
+|  |  | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) |  | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) |  |  |  |  |  |  |
+|  |  | [Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1060/t1060.md) |  | [Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1186/t1186.md) |  |  |  |  |  |  |
+|  |  | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) |  | [Process Hollowing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1093/t1093.md) |  |  |  |  |  |  |
+|  |  | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) |  | [Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) |  |  |  |  |  |  |
+|  |  | [Screensaver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1180/t1180.md) |  | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) |  |  |  |  |  |  |
+|  |  | [Security Support Provider](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1101/t1101.md) |  | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) |  |  |  |  |  |  |
+|  |  | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) |  | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) |  |  |  |  |  |  |
+|  |  | [Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1023/t1023.md) |  | [Rootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1014/t1014.md) |  |  |  |  |  |  |
+|  |  | [Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) |  | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) |  |  |  |  |  |  |
+|  |  | [System Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1019/t1019.md) |  | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) |  |  |  |  |  |  |
+|  |  | [Time Providers](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1209/t1209.md) |  | [Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) |  |  |  |  |  |  |
+|  |  | [Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md) |  | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md) |  |  |  |  |  |  |
+|  |  | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) |  | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md) |  |  |  |  |  |  |
+|  |  | [Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md) |  | [Software Packing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1045/t1045.md) |  |  |  |  |  |  |
+|  |  | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1084/t1084.md) |  | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md) |  |  |  |  |  |  |
+|  |  | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1004/t1004.md) |  | [Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1099/t1099.md) |  |  |  |  |  |  |
+|  |  |  |  | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md) |  |  |  |  |  |  |
+|  |  |  |  | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) |  |  |  |  |  |  |
+|  |  |  |  | [Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) |  |  |  |  |  |  |
@@ -0,0 +1,118 @@
+#! /usr/bin/env ruby
+$LOAD_PATH << "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team"
+require 'erb'
+require 'fileutils'
+require 'attack_api'
+require 'atomic_red_team'
+
+class AtomicRedTeamDocs
+  ATTACK_API = Attack.new
+  ATOMIC_RED_TEAM = AtomicRedTeam.new
+
+  #
+  # Generates all the documentation used by Atomic Red Team
+  #
+  def generate_all_the_docs!
+    oks = []
+    fails = []
+
+    ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
+      begin
+        print "Generating docs for #{atomic_yaml['atomic_yaml_path']}"
+        generate_technique_docs! atomic_yaml, atomic_yaml['atomic_yaml_path'].gsub(/.yaml/, '.md')
+        # generate_technique_execution_docs! atomic_yaml, "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team-execution/#{atomic_yaml['attack_technique'].downcase}.html"
+
+        oks << atomic_yaml['atomic_yaml_path']
+        puts "OK"
+      rescue => ex
+        fails << atomic_yaml['atomic_yaml_path']
+        puts "FAIL\n#{ex}\n#{ex.backtrace.join("\n")}"
+      end
+    end
+    puts
+    puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
+    generate_attack_matrix! "#{File.dirname(File.dirname(__FILE__))}/atomics/matrix.md"
+    generate_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/index.md"
+    
+    return oks, fails
+  end
+
+  #
+  # Generates Markdown documentation for a specific technique from its YAML source
+  #
+  def generate_technique_docs!(atomic_yaml, output_doc_path)
+    technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
+    technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
+
+    template = ERB.new File.read("#{File.dirname(File.dirname(__FILE__))}/atomic-red-team/atomic_doc_template.md.erb"), nil, "-"
+    generated_doc = template.result(binding)
+
+    print " => #{output_doc_path} => "
+    File.write output_doc_path, generated_doc
+  end
+  
+  #
+  # Generates Markdown documentation for a specific technique from its YAML source
+  #
+  def generate_technique_execution_docs!(atomic_yaml, output_doc_path)
+    FileUtils.mkdir_p File.dirname(output_doc_path)
+
+    technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
+    technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
+
+    template = ERB.new File.read("#{File.dirname(File.dirname(__FILE__))}/atomic-red-team/atomic_execution_template.html.erb"), nil, "-"
+    generated_doc = template.result(binding)
+
+    print " => #{output_doc_path} => "
+    File.write output_doc_path, generated_doc
+  end
+  
+  #
+  # Generates a Markdown ATT&CK documentation matrix for all techniques
+  #
+  def generate_attack_matrix!(output_doc_path)
+    result = "| #{ATTACK_API.ordered_tactics.join(' | ')} |\n"
+    result += "|#{'-----|' * ATTACK_API.ordered_tactics.count}\n"
+
+    ATTACK_API.ordered_tactic_to_technique_matrix.each do |row_of_techniques|
+      row_values = row_of_techniques.collect do |technique| 
+        if technique
+          ATOMIC_RED_TEAM.github_link_to_technique(technique)
+        end
+      end
+      result += "| #{row_values.join(' | ')} |\n"
+    end
+    File.write output_doc_path, result
+
+    puts "Generated ATT&CK matrix at #{output_doc_path}"
+  end
+
+  #
+  # Generates a master Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests
+  #
+  def generate_index!(output_doc_path)
+    result = ''
+
+    ATTACK_API.techniques_by_tactic.each do |tactic, techniques|
+      result += "# #{tactic}\n"
+      techniques.each do |technique|
+        result += "- #{ATOMIC_RED_TEAM.github_link_to_technique(technique, true)}\n"
+        ATOMIC_RED_TEAM.atomic_tests_for_technique(technique).each_with_index do |atomic_test, i|
+          result += "  - Atomic Test ##{i+1}: #{atomic_test['name']}\n"
+        end
+      end
+      result += "\n"
+    end
+
+    File.write output_doc_path, result
+
+    puts "Generated Atomic Red Team index at #{output_doc_path}"
+  end
+end
+
+#
+# MAIN
+#
+oks, fails = AtomicRedTeamDocs.new.generate_all_the_docs!
+
+exit fails.count
@@ -1,8 +0,0 @@
-#!/usr/bin/env ruby
-require 'ostruct'
-require 'yaml'
-
-Dir["#{File.dirname __FILE__}/../atomics/**/t*.yaml"].each do |technique_file|
-  technique = OpenStruct.new YAML.load(File.read(technique_file))
-  p technique.display_name
-end
@@ -0,0 +1,29 @@
+#! /usr/bin/env ruby
+$LOAD_PATH << "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team"
+require 'yaml'
+require 'atomic_red_team'
+
+ATOMIC_RED_TEAM = AtomicRedTeam.new
+ATOMIC_TEST_TEMPLATE = "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team/atomic_test_template.yaml"
+
+oks = []
+fails = []
+
+(ATOMIC_RED_TEAM.atomic_test_paths + [ATOMIC_TEST_TEMPLATE]).each do |path|
+  begin
+    print "Validating #{path}..."
+    YAML.load_file(path) rescue raise 'Invalid YAML'
+    AtomicRedTeam.new.validate_atomic_yaml! YAML.load_file(path)
+
+    oks << path
+    puts "OK"
+  rescue => ex
+    fails << path
+    puts "FAIL\n#{ex}\n#{ex.backtrace.join("\n")})"
+  end
+end
+
+puts
+puts "#{oks.count + fails.count} techniques, #{fails.count} failures"
+
+exit fails.count
@@ -1,58 +0,0 @@
-#! /usr/bin/env ruby
-require 'yaml'
-require 'ostruct'
-require 'erb'
-require 'open-uri'
-require 'json'
-
-def attack_technique_library
-  @attack_json ||= begin
-    local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
-    if File.exists? local_attack_json_to_try
-      JSON.parse File.read(local_attack_json_to_try)
-    else
-      JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
-    end
-  end
-end
-
-def attack_technique_info(technique_id)
-  attack_technique_library.fetch("objects").find do |item| 
-    item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).find do |references|
-      references['source_name'] == 'mitre-attack' && references['external_id'] == technique_id.upcase
-    end
-  end
-end
-
-def generate_docs!(path)
-  atomic_yaml = YAML.load(File.read path)
-
-  technique = attack_technique_info(atomic_yaml.fetch('attack_technique'))
-  technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
-
-  template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
-  generated_doc = template.result(binding)
-
-  output_doc_path = path.gsub(/.yaml/, '.md')
-  print " => #{output_doc_path} => "
-  File.write output_doc_path, generated_doc
-end
-
-oks = []
-fails = []
-
-Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.each do |path|
-  begin
-    print "Generating docs for #{path}"
-    generate_docs! path
-    puts "OK"
-  rescue => ex
-    fails << path
-    puts "FAIL (#{ex} #{ex.backtrace.join("\n")})"
-  end
-end
-
-puts
-puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
-
-exit fails.count
@@ -1,101 +0,0 @@
-#! /usr/bin/env ruby
-require 'yaml'
-
-def validate_is_yaml!(path)
-  YAML.load_file(path)
-rescue
-  raise 'Invalid YAML'
-end
-
-def validate_is_atomic!(path)
-  yaml = YAML.load_file(path)
-  raise("YAML file has no elements") if yaml.nil?
-
-  raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
-  raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
-
-  raise('`display_name` element is required') unless yaml.has_key?('display_name')
-  raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
-
-  raise('`atomic_tests` element is required') unless yaml.has_key?('atomic_tests')
-  raise('`atomic_tests` element must be an array') unless yaml['atomic_tests'].is_a?(Array)
-  raise('`atomic_tests` element is empty - you have no tests') unless yaml['atomic_tests'].count > 0
-
-  yaml['atomic_tests'].each_with_index do |atomic, i|
-    raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
-    raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
-
-    raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
-    raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
-
-    raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
-    raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
-
-    valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
-    atomic['supported_platforms'].each do |platform|
-      if !valid_supported_platforms.include?(platform)
-        raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
-      end
-    end
-
-    (atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
-      arg_name, arg = arg_kvp
-      raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
-      raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element must be a string") unless arg['description'].is_a?(String)
-
-      raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element is required") unless arg.has_key?('type')
-      raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be a string") unless arg['type'].is_a?(String)
-      raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be lowercased and underscored (was #{arg['type']})") unless arg['type'] =~ /[a-z_]+/
-
-      # TODO: determine if we think default values are required for EVERY input argument
-      # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element is required") unless arg.has_key?('default')
-      # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element must be a string (was a #{arg['default'].class.name})") unless arg['default'].is_a?(String)
-    end
-
-    raise("`atomic_tests[#{i}].executor` element is required") unless atomic.has_key?('executor')
-    executor = atomic['executor']
-    raise("`atomic_tests[#{i}].executor.name` element is required") unless executor.has_key?('name')
-    raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
-    raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
-
-    valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
-    case executor['name']
-      when 'manual'
-        raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
-        raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
-
-      when 'command_prompt', 'sh', 'bash', 'powershell'
-        raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
-        raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
-
-      else
-        raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
-    end
-  end
-end
-
-oks = []
-fails = []
-
-(Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"] + 
- Dir["#{File.dirname(__FILE__)}/atomics/template.yaml"]).sort.each do |path|
-  begin
-    print "Validating #{path}..."
-    validate_is_yaml! path
-    validate_is_atomic! path
-
-    puts "OK"
-  rescue => ex
-    fails << path
-    if ENV['DEBUG'] == 'true'
-      puts "FAIL (#{ex} #{ex.backtrace.join("\n")})"
-    else
-      puts "FAIL (#{ex})"
-    end
-  end
-end
-
-puts
-puts "#{oks.count + fails.count} techniques, #{fails.count} failures"
-
-exit fails.count