From ab4271c62f63d5ce07a4834e83be69da29c85e8a Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Fri, 11 May 2018 04:09:32 +0200 Subject: [PATCH 1/9] first cut before refactoring
---
generate_atomic_docs.rb | 86 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 78 insertions(+), 8 deletions(-)
diff --git a/generate_atomic_docs.rb b/generate_atomic_docs.rb
index af09ef60..e9fa56f0 100755
--- a/generate_atomic_docs.rb
+++ b/generate_atomic_docs.rb
@@ -7,44 +7,112 @@ require 'json' def attack_technique_library @attack_json ||= begin + # load the full attack library local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json" - if File.exists? local_attack_json_to_try + parsed = if File.exists? local_attack_json_to_try JSON.parse File.read(local_attack_json_to_try) else JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read end + + # pull out the attack pattern objects + parsed.fetch("objects").select do |item| + item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references| + references['source_name'] == 'mitre-attack' + end + end + end end def attack_technique_info(technique_id) - attack_technique_library.fetch("objects").find do |item| - item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).find do |references| - references['source_name'] == 'mitre-attack' && references['external_id'] == technique_id.upcase + attack_technique_library.find do |item| + item.fetch('external_references', []).find do |references| + references['external_id'] == technique_id.upcase end end end -def generate_docs!(path) - atomic_yaml = YAML.load(File.read path) +def all_techniques_by_tactic + @all_techniques_by_tactic ||= begin + all_techniques_by_tactic = Hash.new {|h, k| h[k] = []} + attack_technique_library.each do |technique| + tactic = technique.fetch('kill_chain_phases', []).find {|phase| phase['kill_chain_name'] == 'mitre-attack'}.fetch('phase_name') + all_techniques_by_tactic[tactic] << technique + end + all_techniques_by_tactic + end +end +def generate_docs!(atomic_yaml, output_doc_path) technique = attack_technique_info(atomic_yaml.fetch('attack_technique')) technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-" generated_doc = template.result(binding) - 
output_doc_path = path.gsub(/.yaml/, '.md') print " => #{output_doc_path} => " File.write output_doc_path, generated_doc end +def update_index_mapping(atomic_yaml, techniques_by_tactic) + technique = attack_technique_info(atomic_yaml.fetch('attack_technique')) + technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic| + techniques_by_tactic[tactic.fetch('phase_name')] << technique + end +end + +def generate_indices!(techniques_by_tactic) + ordered_tactics = [ + 'initial-access', + 'execution', + 'persistence', + 'privilege-escalation', + 'defense-evasion', + 'credential-access', + 'discovery', + 'lateral-movement', + 'collection', + 'exfiltration', + 'command-and-control', + ] + + result = '' + result += "| #{ordered_tactics.join(' | ')} |\n" + result += "|#{'-----|' * ordered_tactics.count}\n" + + all_techniques_in_tactic_order = [] + ordered_tactics.each do |tactic| + all_techniques_in_tactic_order << all_techniques_by_tactic[tactic] + end + max_tactics = all_techniques_in_tactic_order.collect(&:count).max + all_techniques_in_tactic_order.each {|techniques| techniques.concat(Array.new(max_tactics - techniques.count, nil))} + + p all_techniques_in_tactic_order.count + all_techniques_in_tactic_order.transpose.each do |row| + p row, row.class + result += "| #{row.collect {|t| t['name'] if t}.join(' | ')} |\n" + end + + # all_techniques_by_tactic.to_a.transpose[1..-1].first.each do |techniques| + # p techniques, techniques.count, '-----' + # result += "| #{techniques.collect {|t| t['name']}.join(' | ')} |\n" + # end + File.write "#{File.dirname(__FILE__)}/atomics/index.md", result +end + oks = [] fails = [] +techniques_by_tactic = Hash.new {|h, k| h[k] = []} Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.each do |path| begin print "Generating docs for #{path}" - generate_docs! path + atomic_yaml = YAML.load(File.read path) + + generate_docs! 
atomic_yaml, path.gsub(/.yaml/, '.md') + update_index_mapping atomic_yaml, techniques_by_tactic + puts "OK" rescue => ex fails << path
@@ -52,6 +120,8 @@ Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.each do |path| end end +generate_indices! techniques_by_tactic + puts puts "Generated docs for #{oks.count} techniques, #{fails.count} failures" From 6eb8f66e511518ab567039683e33e9a1c9e2db9b Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Fri, 11 May 2018 05:38:02 +0200 Subject: [PATCH 2/9] refactoring into APIs to clean this up
---
atomic_red_team.rb | 45 ++++++ atomics/index.md | 337 ++++++++++++++++++++++++++++++++++++++++ atomics/matrix.md | 61 ++++++++ attack_api.rb | 77 +++++++++ generate_atomic_docs.rb | 178 ++++++++------------- 5 files changed, 586 insertions(+), 112 deletions(-) create mode 100755 atomic_red_team.rb create mode 100644 atomics/index.md create mode 100644 atomics/matrix.md create mode 100755 attack_api.rb
diff --git a/atomic_red_team.rb b/atomic_red_team.rb
new file mode 100755
index 00000000..68eb20a4
--- /dev/null
+++ b/atomic_red_team.rb
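Review bot: In the new `attack_technique_library` filter the inner `select` is used as a boolean, but an Array is truthy in Ruby even when it is empty, so the `mitre-attack` source check never excludes anything; it should be `item.fetch('external_references', []).any? { |references| references['source_name'] == 'mitre-attack' }`. `all_techniques_by_tactic` calls `.fetch('phase_name')` directly on the result of `find`, which raises NoMethodError on nil for any technique without a `mitre-attack` kill-chain phase, and it records only the first phase while `update_index_mapping` records all of them, so the two mappings disagree. `generate_indices!` ignores its `techniques_by_tactic` parameter in favour of the memoized `all_techniques_by_tactic`, and the `concat` padding mutates those memoized arrays in place; building the rows as `ordered_tactics.map { |tactic| techniques = all_techniques_by_tactic[tactic]; techniques + Array.new(max_tactics - techniques.count) }` keeps the cache intact. The `p` debug statements should not survive to merge, and the same parameter mismatch applies to the `generate_indices! techniques_by_tactic` call added in the second hunk (`@@ -52,6 +120,8 @@`), which passes a mapping the method does not read.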
@@ -0,0 +1,45 @@
+#! /usr/bin/env ruby
+require 'yaml'
+require 'erb'
+require './attack_api'
+
+
+class AtomicRedTeam
+ ATTACK_API = Attack.new
+
+ # TODO- should these all be relative URLs?
+ ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
+
+ def atomic_tests
+ @atomic_tests ||= Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.collect do |path|
+ atomic_yaml = YAML.load(File.read path)
+ atomic_yaml['atomic_yaml_path'] = path
+ atomic_yaml
+ end
+ end
+
+ def atomic_tests_for_technique(technique_or_technique_identifier)
+ technique_identifier = if technique_or_technique_identifier.is_a? Hash
+ technique_or_technique_identifier.fetch('external_references', []).find {|refs| refs['source_name'] == 'mitre-attack'}['external_id'].downcase
+ else
+ technique_or_technique_identifier
+ end
+
+ atomic_tests.find do |atomic_yaml|
+ atomic_yaml.fetch('attack_technique').downcase == technique_identifier.downcase
+ end.to_h.fetch('atomic_tests', [])
+ end
+
+ def github_link_to_technique(technique, include_identifier=false)
+ technique_identifier = technique.fetch('external_references', []).find {|refs| refs['source_name'] == 'mitre-attack'}['external_id'].downcase
+ link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
+
+ if File.exists? "#{File.dirname(__FILE__)}/atomics/#{technique_identifier}/#{technique_identifier}.md"
+ # we have a file for this technique, so link to it's Markdown file
+ "[#{link_display}](#{ROOT_GITHUB_URL}/tree/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
+ else
+ # we don't have a file for this technique, so link to an edit page
+ "[#{link_display}](#{ROOT_GITHUB_URL}/edit/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
+ end
+ end
+end
\ No newline at end of file
diff --git a/atomics/index.md b/atomics/index.md
new file mode 100644
index 00000000..a10f1149
--- /dev/null
+++ b/atomics/index.md
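Review bot: `require './attack_api'` resolves against the process's working directory rather than this file's location, so loading `atomic_red_team.rb` from any other directory fails; `require_relative 'attack_api'` is the portable form. `atomic_tests` parses every `atomics/t*/t*.yaml` with `YAML.load`, which instantiates arbitrary Ruby objects from tags in the document, and since these files arrive through contributor pull requests, `YAML.safe_load(File.read(path))` keeps parsing to plain data unless a test file genuinely needs a custom class. The `find {|refs| refs['source_name'] == 'mitre-attack'}['external_id']` expression is duplicated in `atomic_tests_for_technique` and `github_link_to_technique` and raises NoMethodError on nil for a technique that lacks a `mitre-attack` reference; a private `technique_identifier_for(technique)` helper that fails with an explicit message would centralize both the lookup and the error. `File.exists?` is deprecated in favour of `File.exist?`, and the boolean positional `include_identifier=false` would read more clearly at call sites as the keyword `include_identifier: false` if its callers (not visible here) are updated with it.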
@@ -0,0 +1,337 @@ +# persistence +- [T1156 .bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1156/t1156.md) +- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) +- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) +- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) +- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) +- [T1131 Authentication Package](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1131/t1131.md) +- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) +- [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1067/t1067.md) +- [T1176 Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1176/t1176.md) + - Atomic Test #1: Chrome (Developer Mode) + - Atomic Test #2: Chrome (Chrome Web Store) + - Atomic Test #3: Firefox +- [T1042 Change Default File Association](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1042/t1042.md) +- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) +- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) +- [T1136 Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1136/t1136.md) + - Atomic Test #1: Create a user account on a Linux system + - Atomic Test #2: Create a user account on a MacOS system +- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) +- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) +- [T1133 External 
Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1133/t1133.md) +- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) +- [T1158 Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) + - Atomic Test #1: Create a hidden file in a hidden directory +- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) +- [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1062/t1062.md) +- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) +- [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1215/t1215.md) +- [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1161/t1161.md) +- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) +- [T1159 Launch Agent](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1159/t1159.md) +- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) +- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) +- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) +- [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1162/t1162.md) +- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) +- [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1031/t1031.md) +- [T1128 Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1128/t1128.md) +- [T1050 New 
Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) +- [T1137 Office Application Startup](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1137/t1137.md) +- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) +- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) +- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) +- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) +- [T1163 Rc.common](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1163/t1163.md) +- [T1164 Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1164/t1164.md) +- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) +- [T1060 Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1060/t1060.md) +- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) +- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) +- [T1180 Screensaver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1180/t1180.md) +- [T1101 Security Support Provider](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1101/t1101.md) +- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) +- [T1023 Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1023/t1023.md) +- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) +- [T1019 System 
Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1019/t1019.md) +- [T1209 Time Providers](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1209/t1209.md) +- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md) +- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) +- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md) +- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1084/t1084.md) +- [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1004/t1004.md) + +# defense-evasion +- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) +- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) +- [T1009 Binary Padding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1009/t1009.md) +- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) +- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) +- [T1146 Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1146/t1146.md) + - Atomic Test #1: Clear Bash history (rm) + - Atomic Test #2: Clear Bash history (echo) + - Atomic Test #3: Clear Bash history (cat dev/null) + - Atomic Test #4: Clear Bash history (ln dev/null) + - Atomic Test #5: Clear Bash history (truncate) + - Atomic Test #6: Clear history of a bunch of shells +- [T1116 Code Signing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1116/t1116.md) +- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) +- [T1122 
Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) +- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) +- [T1207 DCShadow](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1207/t1207.md) +- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) +- [T1073 DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1073/t1073.md) +- [T1140 Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1140/t1140.md) +- [T1089 Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1089/t1089.md) + - Atomic Test #1: Disable iptables firewall + - Atomic Test #2: Disable syslog + - Atomic Test #3: Disable Cb Response + - Atomic Test #4: Disable SELinux +- [T1211 Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1211/t1211.md) +- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) +- [T1107 File Deletion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1107/t1107.md) +- [T1006 File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1006/t1006.md) +- [T1144 Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1144/t1144.md) +- [T1148 HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1148/t1148.md) +- [T1158 Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) + - Atomic Test #1: Create a hidden file in a hidden directory +- [T1147 Hidden Users](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1147/t1147.md) +- [T1143 Hidden 
Window](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1143/t1143.md) +- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) +- [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1054/t1054.md) +- [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1066/t1066.md) +- [T1070 Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1070/t1070.md) +- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1202/t1202.md) +- [T1130 Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1130/t1130.md) + - Atomic Test #1: Install root CA on CentOS/RHEL +- [T1118 InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) +- [T1149 LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1149/t1149.md) +- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) +- [T1036 Masquerading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1036/t1036.md) +- [T1112 Modify Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1112/t1112.md) +- [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) +- [T1096 NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1096/t1096.md) +- [T1126 Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1126/t1126.md) +- [T1027 Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1027/t1027.md) +- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) +- 
[T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) +- [T1186 Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1186/t1186.md) +- [T1093 Process Hollowing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1093/t1093.md) +- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) +- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) +- [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) +- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) +- [T1014 Rootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1014/t1014.md) +- [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) +- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) +- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) +- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md) +- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md) +- [T1045 Software Packing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1045/t1045.md) +- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md) +- [T1099 Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1099/t1099.md) + - Atomic Test #1: Set a file's access timestamp + - Atomic Test #2: Set a file's modification timestamp + - Atomic Test #3: Set a file's creation timestamp +- [T1127 Trusted Developer 
Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md) +- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) +- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) + +# privilege-escalation +- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) +- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) +- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) +- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) +- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) +- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) +- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) +- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) +- [T1068 Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1068/t1068.md) +- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) +- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) +- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) +- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) +- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) +- [T1050 New 
Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) +- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) +- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) +- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) +- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) +- [T1178 SID-History Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1178/t1178.md) +- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) +- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) +- [T1166 Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1166/t1166.md) +- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) +- [T1169 Sudo](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1169/t1169.md) +- [T1206 Sudo Caching](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1206/t1206.md) +- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) +- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md) + +# discovery +- [T1087 Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1087/t1087.md) + - Atomic Test #1: List all accounts + - Atomic Test #2: View sudoers access + - Atomic Test #3: View accounts with UID 0 + - Atomic Test #4: List opened files by user + - Atomic Test #5: Show if a user account has ever logger in remotely +- [T1010 Application Window 
Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1010/t1010.md) +- [T1217 Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1217/t1217.md) +- [T1083 File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1083/t1083.md) +- [T1046 Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1046/t1046.md) + - Atomic Test #1: Scan a bunch of ports to see if they are open +- [T1135 Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1135/t1135.md) +- [T1201 Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1201/t1201.md) +- [T1120 Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1120/t1120.md) +- [T1069 Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1069/t1069.md) +- [T1057 Process Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1057/t1057.md) +- [T1012 Query Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1012/t1012.md) +- [T1018 Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1018/t1018.md) +- [T1063 Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1063/t1063.md) +- [T1082 System Information Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1082/t1082.md) +- [T1016 System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1016/t1016.md) +- [T1049 System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1049/t1049.md) +- [T1033 System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1033/t1033.md) +- [T1007 System Service 
Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1007/t1007.md) +- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1124/t1124.md) + +# credential-access +- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1098/t1098.md) +- [T1139 Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md) + - Atomic Test #1: xxxx +- [T1110 Brute Force](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1110/t1110.md) +- [T1003 Credential Dumping](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1003/t1003.md) +- [T1081 Credentials in Files](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1081/t1081.md) +- [T1214 Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1214/t1214.md) +- [T1212 Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1212/t1212.md) +- [T1187 Forced Authentication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1187/t1187.md) +- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) +- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) +- [T1141 Input Prompt](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1141/t1141.md) +- [T1208 Kerberoasting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1208/t1208.md) +- [T1142 Keychain](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1142/t1142.md) +- [T1171 LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1171/t1171.md) +- [T1040 Network Sniffing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1040/t1040.md) +- [T1174 Password Filter 
DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1174/t1174.md) +- [T1145 Private Keys](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1145/t1145.md) +- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) +- [T1167 Securityd Memory](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1167/t1167.md) +- [T1111 Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1111/t1111.md) + +# execution +- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) +- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) +- [T1059 Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1059/t1059.md) +- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) +- [T1173 Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1173/t1173.md) +- [T1106 Execution through API](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1106/t1106.md) +- [T1129 Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1129/t1129.md) +- [T1203 Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1203/t1203.md) +- [T1061 Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1061/t1061.md) +- [T1118 InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) +- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) +- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) +- [T1168 Local Job 
Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) +- [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) +- [T1086 PowerShell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1086/t1086.md) +- [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) +- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) +- [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) +- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) +- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) +- [T1035 Service Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1035/t1035.md) +- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md) +- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md) +- [T1153 Source](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1153/t1153.md) +- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md) +- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) +- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md) +- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md) +- [T1204 User Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1204/t1204.md) +- [T1047 Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1047/t1047.md) +- [T1028 Windows 
Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) + +# lateral-movement +- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) +- [T1017 Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1017/t1017.md) +- [T1175 Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1175/t1175.md) +- [T1210 Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1210/t1210.md) +- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) +- [T1075 Pass the Hash](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1075/t1075.md) +- [T1097 Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1097/t1097.md) +- [T1076 Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1076/t1076.md) +- [T1105 Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) + - Atomic Test #1: xxxx +- [T1021 Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1021/t1021.md) +- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) +- [T1184 SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1184/t1184.md) +- [T1051 Shared Webroot](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1051/t1051.md) +- [T1080 Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1080/t1080.md) +- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) +- [T1077 Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1077/t1077.md) +- 
[T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) + +# collection +- [T1123 Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1123/t1123.md) + - Atomic Test #1: SourceRecorder via Windows command prompt + - Atomic Test #2: PowerShell Cmdlet via Windows command prompt +- [T1119 Automated Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md) +- [T1115 Clipboard Data](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1115/t1115.md) +- [T1074 Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md) +- [T1213 Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1213/t1213.md) +- [T1005 Data from Local System](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1005/t1005.md) +- [T1039 Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1039/t1039.md) +- [T1025 Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1025/t1025.md) +- [T1114 Email Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1114/t1114.md) +- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) +- [T1185 Man in the Browser](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1185/t1185.md) +- [T1113 Screen Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1113/t1113.md) +- [T1125 Video Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1125/t1125.md) + +# exfiltration +- [T1020 Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1020/t1020.md) +- [T1002 Data Compressed](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1002/t1002.md) +- [T1022 Data 
Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md) +- [T1030 Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md) +- [T1048 Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1048/t1048.md) +- [T1041 Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1041/t1041.md) +- [T1011 Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1011/t1011.md) +- [T1052 Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1052/t1052.md) +- [T1029 Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1029/t1029.md) + +# command-and-control +- [T1043 Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1043/t1043.md) +- [T1092 Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1092/t1092.md) +- [T1090 Connection Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1090/t1090.md) +- [T1094 Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1094/t1094.md) +- [T1024 Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1024/t1024.md) +- [T1132 Data Encoding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1132/t1132.md) +- [T1001 Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1001/t1001.md) +- [T1172 Domain Fronting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1172/t1172.md) +- [T1008 Fallback Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1008/t1008.md) +- [T1104 Multi-Stage 
Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1104/t1104.md) +- [T1188 Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1188/t1188.md) +- [T1026 Multiband Communication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1026/t1026.md) +- [T1079 Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1079/t1079.md) +- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) +- [T1219 Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1219/t1219.md) +- [T1105 Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) + - Atomic Test #1: xxxx +- [T1071 Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1071/t1071.md) +- [T1032 Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1032/t1032.md) +- [T1095 Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1095/t1095.md) +- [T1065 Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1065/t1065.md) +- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) + +# initial-access +- [T1189 Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1189/t1189.md) +- [T1190 Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1190/t1190.md) +- [T1200 Hardware Additions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1200/t1200.md) +- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) +- [T1193 Spearphishing 
Attachment](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1193/t1193.md)
+- [T1192 Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1192/t1192.md)
+- [T1194 Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1194/t1194.md)
+- [T1195 Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1195/t1195.md)
+- [T1199 Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1199/t1199.md)
+- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md)
+
diff --git a/atomics/matrix.md b/atomics/matrix.md
new file mode 100644
index 00000000..a2f234a6
--- /dev/null
+++ b/atomics/matrix.md
@@ -0,0 +1,61 @@ +| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | +|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| +| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1189/t1189.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1156/t1156.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1098/t1098.md) | [Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1087/t1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) | [Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1123/t1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1020/t1020.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1043/t1043.md) | +| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1190/t1190.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [Bash 
History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1010/t1010.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1017/t1017.md) | [Automated Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md) | [Data Compressed](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1002/t1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1092/t1092.md) | +| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1200/t1200.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1059/t1059.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1009/t1009.md) | [Brute Force](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1110/t1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1217/t1217.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1175/t1175.md) | [Clipboard Data](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1115/t1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1090/t1090.md) | +| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Control Panel 
Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Credential Dumping](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1003/t1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1083/t1083.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1210/t1210.md) | [Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1094/t1094.md) | +| [Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1193/t1193.md) | [Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1173/t1173.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1081/t1081.md) | [Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1046/t1046.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) | [Data from Information 
Repositories](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1213/t1213.md) | [Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1048/t1048.md) | [Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1024/t1024.md) | +| [Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1192/t1192.md) | [Execution through API](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1106/t1106.md) | [Authentication Package](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1131/t1131.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1146/t1146.md) | [Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1214/t1214.md) | [Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1135/t1135.md) | [Pass the Hash](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1075/t1075.md) | [Data from Local System](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1005/t1005.md) | [Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1041/t1041.md) | [Data Encoding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1132/t1132.md) | +| [Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1194/t1194.md) | [Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1129/t1129.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [DLL Search Order 
Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Code Signing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1116/t1116.md) | [Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1212/t1212.md) | [Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1201/t1201.md) | [Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1097/t1097.md) | [Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1039/t1039.md) | [Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1011/t1011.md) | [Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1001/t1001.md) | +| [Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1195/t1195.md) | [Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1203/t1203.md) | [Bootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1067/t1067.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) | [Forced Authentication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1187/t1187.md) | [Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1120/t1120.md) | [Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1076/t1076.md) | [Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1025/t1025.md) | [Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1052/t1052.md) | [Domain 
Fronting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1172/t1172.md) | +| [Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1199/t1199.md) | [Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1061/t1061.md) | [Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1176/t1176.md) | [Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1068/t1068.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1069/t1069.md) | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) | [Email Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1114/t1114.md) | [Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1029/t1029.md) | [Fallback Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1008/t1008.md) | +| [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) | [Change Default File Association](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1042/t1042.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) | [Process 
Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1057/t1057.md) | [Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1021/t1021.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) | | [Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1104/t1104.md) | +| | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [DCShadow](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1207/t1207.md) | [Input Prompt](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1141/t1141.md) | [Query Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1012/t1012.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Man in the Browser](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1185/t1185.md) | | [Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1188/t1188.md) | +| | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Kerberoasting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1208/t1208.md) | [Remote System 
Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1018/t1018.md) | [SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1184/t1184.md) | [Screen Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1113/t1113.md) | | [Multiband Communication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1026/t1026.md) | +| | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) | [Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1136/t1136.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | [DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1073/t1073.md) | [Keychain](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1142/t1142.md) | [Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1063/t1063.md) | [Shared Webroot](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1051/t1051.md) | [Video Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1125/t1125.md) | | [Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1079/t1079.md) | +| | [Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) | [Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1140/t1140.md) | [LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1171/t1171.md) | [System Information 
Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1082/t1082.md) | [Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1080/t1080.md) | | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) | +| | [PowerShell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1086/t1086.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) | [New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) | [Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1089/t1089.md) | [Network Sniffing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1040/t1040.md) | [System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1016/t1016.md) | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) | | | [Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1219/t1219.md) | +| | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1133/t1133.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1211/t1211.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1174/t1174.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1049/t1049.md) | [Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1077/t1077.md) | | | [Remote File 
Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) | +| | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Private Keys](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1145/t1145.md) | [System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1033/t1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1071/t1071.md) | +| | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) | [File Deletion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1107/t1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [System Service Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1007/t1007.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1032/t1032.md) | +| | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [Process 
Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1006/t1006.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1167/t1167.md) | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1124/t1124.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1095/t1095.md) | +| | [Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1062/t1062.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1178/t1178.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1144/t1144.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1111/t1111.md) | | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1065/t1065.md) | +| | [Service Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1035/t1035.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | [HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1148/t1148.md) | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) | +| | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md) | [Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1215/t1215.md) | 
[Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) | | | | | | | +| | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md) | [LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1161/t1161.md) | [Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1166/t1166.md) | [Hidden Users](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1147/t1147.md) | | | | | | | +| | [Source](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1153/t1153.md) | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) | [Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) | [Hidden Window](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1143/t1143.md) | | | | | | | +| | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md) | [Launch Agent](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1159/t1159.md) | [Sudo](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1169/t1169.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | | | | | | | +| | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1206/t1206.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1054/t1054.md) | | | | | | | +| | 
[Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md) | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1066/t1066.md) | | | | | | | +| | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1070/t1070.md) | | | | | | | +| | [User Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1204/t1204.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1162/t1162.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1202/t1202.md) | | | | | | | +| | [Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1047/t1047.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) | | [Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1130/t1130.md) | | | | | | | +| | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1031/t1031.md) | | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) | | | | | | | +| | | [Netsh Helper 
DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1128/t1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1149/t1149.md) | | | | | | | +| | | [New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) | | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | | | | | | | +| | | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1137/t1137.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1036/t1036.md) | | | | | | | +| | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) | | [Modify Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1112/t1112.md) | | | | | | | +| | | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) | | [Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) | | | | | | | +| | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) | | [NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1096/t1096.md) | | | | | | | +| | | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) | | [Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1126/t1126.md) | | | | | | | +| | | [Rc.common](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1163/t1163.md) | | [Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1027/t1027.md) | | | | | | | +| | | [Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1164/t1164.md) | | [Plist 
Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) | | | | | | | +| | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) | | | | | | | +| | | [Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1060/t1060.md) | | [Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1186/t1186.md) | | | | | | | +| | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) | | [Process Hollowing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1093/t1093.md) | | | | | | | +| | | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | | [Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) | | | | | | | +| | | [Screensaver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1180/t1180.md) | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) | | | | | | | +| | | [Security Support Provider](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1101/t1101.md) | | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) | | | | | | | +| | | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) | | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) | | | | | | | +| | | [Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1023/t1023.md) | | [Rootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1014/t1014.md) | | | | | | | +| | | 
[Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) | | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) | | | | | | | +| | | [System Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1019/t1019.md) | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) | | | | | | | +| | | [Time Providers](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1209/t1209.md) | | [Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) | | | | | | | +| | | [Trap](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1154/t1154.md) | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1218/t1218.md) | | | | | | | +| | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1216/t1216.md) | | | | | | | +| | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1100/t1100.md) | | [Software Packing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1045/t1045.md) | | | | | | | +| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1084/t1084.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1151/t1151.md) | | | | | | | +| | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1004/t1004.md) | | [Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1099/t1099.md) | | | | | | | +| | | | | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1127/t1127.md) | | | | | | | 
+| | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | | | | | | |
+| | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) | | | | | | |
diff --git a/attack_api.rb b/attack_api.rb
new file mode 100755
index 00000000..d9b7679a
--- /dev/null
+++ b/attack_api.rb
@@ -0,0 +1,77 @@
+#! /usr/bin/env ruby
+require 'open-uri'
+require 'json'
+
+class Attack
+ def ordered_tactics
+ [
+ 'initial-access',
+ 'execution',
+ 'persistence',
+ 'privilege-escalation',
+ 'defense-evasion',
+ 'credential-access',
+ 'discovery',
+ 'lateral-movement',
+ 'collection',
+ 'exfiltration',
+ 'command-and-control',
+ ]
+ end
+
+ def technique_info(technique_id)
+ techniques.find do |item|
+ item.fetch('external_references', []).find do |references|
+ references['external_id'] == technique_id.upcase
+ end
+ end
+ end
+
+ def techniques_by_tactic
+ techniques_by_tactic = Hash.new {|h, k| h[k] = []}
+ techniques.each do |technique|
+ technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
+ techniques_by_tactic[tactic.fetch('phase_name')] << technique
+ end
+ end
+ techniques_by_tactic
+ end
+
+ def ordered_tactic_to_technique_matrix
+ # make an 2d array of our techniques in the order our tactics appear
+ all_techniques_in_tactic_order = []
+ ordered_tactics.each do |tactic|
+ all_techniques_in_tactic_order << techniques_by_tactic[tactic]
+ end
+
+ # figure out the max number of techniques any one tactic has
+ max_techniques = all_techniques_in_tactic_order.collect(&:count).max
+
+ # extend each array of techniques to that length
+ all_techniques_in_tactic_order.each {|techniques| techniques.concat(Array.new(max_techniques - techniques.count, nil))}
+
+ # transpose to give us the data in columnar format
+ all_techniques_in_tactic_order.transpose
+ end
+
+ def techniques
+ # pull out the attack pattern objects
+ attack_json.fetch("objects").select do |item|
+ item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
+ references['source_name'] == 'mitre-attack'
+ end
+ end
+ end
+
+ def attack_json
+ @attack_json ||= begin
+ # load the full attack library
+ local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
+ if File.exists? local_attack_json_to_try
+ JSON.parse File.read(local_attack_json_to_try)
+ else
+ JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/generate_atomic_docs.rb b/generate_atomic_docs.rb
index e9fa56f0..b3d88f37 100755
--- a/generate_atomic_docs.rb
+++ b/generate_atomic_docs.rb
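Review bot: In `techniques`, the right-hand operand of `&&` is a `select` call, and an Array is truthy even when empty, so an `attack-pattern` with no `mitre-attack` external reference still passes the filter; the predicate reads as intended with `any?`: `item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).any? { |ref| ref['source_name'] == 'mitre-attack' }`. The gap is visible downstream because `technique_info` compares `external_id` against every reference without checking `source_name`, so an identifier from another catalogue can be matched. `attack_json` uses `File.exists?`, the deprecated alias of `File.exist?`, and `open(url)` relies on open-uri's `Kernel#open` override, which later Rubies drop in favour of `URI.open`. The remote fallback also reads the `master` branch of the mitre/cti repository, so two runs of the generator can embed different technique sets; pinning a commit (or keeping the local `enterprise-attack.json` checked in) makes the output reproducible. The same `techniques` filter is carried unchanged into this file's later hunk `@@ -54,17 +66,38 @@`.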
@@ -1,127 +1,81 @@
 #! /usr/bin/env ruby
 require 'yaml'
-require 'ostruct'
 require 'erb'
-require 'open-uri'
-require 'json'
+require './attack_api'
+require './atomic_red_team'
-def attack_technique_library
- @attack_json ||= begin
- # load the full attack library
- local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
- parsed = if File.exists? local_attack_json_to_try
- JSON.parse File.read(local_attack_json_to_try)
- else
- JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
- end
+class AtomicRedTeamDocs
+ ATTACK_API = Attack.new
+ ATOMIC_RED_TEAM = AtomicRedTeam.new
- # pull out the attack pattern objects
- parsed.fetch("objects").select do |item|
- item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
- references['source_name'] == 'mitre-attack'
+ def generate_all_the_docs!
+ oks = []
+ fails = []
+
+ ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
+ begin
+ print "Generating docs for #{atomic_yaml['atomic_yaml_path']}"
+ generate_docs! atomic_yaml, atomic_yaml['atomic_yaml_path'].gsub(/.yaml/, '.md')
+
+ oks << atomic_yaml['atomic_yaml_path']
+ puts "OK"
+ rescue => ex
+ fails << atomic_yaml['atomic_yaml_path']
+ puts "FAIL\n#{ex}\n#{ex.backtrace.join("\n")}"
 end
 end
- end
-end
-
-def attack_technique_info(technique_id)
- attack_technique_library.find do |item|
- item.fetch('external_references', []).find do |references|
- references['external_id'] == technique_id.upcase
- end
- end
-end
-
-def all_techniques_by_tactic
- @all_techniques_by_tactic ||= begin
- all_techniques_by_tactic = Hash.new {|h, k| h[k] = []}
- attack_technique_library.each do |technique|
- tactic = technique.fetch('kill_chain_phases', []).find {|phase| phase['kill_chain_name'] == 'mitre-attack'}.fetch('phase_name')
- all_techniques_by_tactic[tactic] << technique
- end
- all_techniques_by_tactic
- end
-end
-
-def generate_docs!(atomic_yaml, output_doc_path)
- technique = attack_technique_info(atomic_yaml.fetch('attack_technique'))
- technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
-
- template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
- generated_doc = template.result(binding)
-
- print " => #{output_doc_path} => "
- File.write output_doc_path, generated_doc
-end
-
-def update_index_mapping(atomic_yaml, techniques_by_tactic)
- technique = attack_technique_info(atomic_yaml.fetch('attack_technique'))
- technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
- techniques_by_tactic[tactic.fetch('phase_name')] << technique
- end
-end
-
-def generate_indices!(techniques_by_tactic)
- ordered_tactics = [
- 'initial-access',
- 'execution',
- 'persistence',
- 'privilege-escalation',
- 'defense-evasion',
- 'credential-access',
- 'discovery',
- 'lateral-movement',
- 'collection',
- 'exfiltration',
- 'command-and-control',
- ]
-
- result = ''
- result += "| #{ordered_tactics.join(' | ')} |\n"
- result += "|#{'-----|' * ordered_tactics.count}\n"
-
- all_techniques_in_tactic_order = []
- ordered_tactics.each do |tactic|
- all_techniques_in_tactic_order << all_techniques_by_tactic[tactic]
- end
- max_tactics = all_techniques_in_tactic_order.collect(&:count).max
- all_techniques_in_tactic_order.each {|techniques| techniques.concat(Array.new(max_tactics - techniques.count, nil))}
-
- p all_techniques_in_tactic_order.count
- all_techniques_in_tactic_order.transpose.each do |row|
- p row, row.class
- result += "| #{row.collect {|t| t['name'] if t}.join(' | ')} |\n"
- end
-
- # all_techniques_by_tactic.to_a.transpose[1..-1].first.each do |techniques|
- # p techniques, techniques.count, '-----'
- # result += "| #{techniques.collect {|t| t['name']}.join(' | ')} |\n"
- # end
- File.write "#{File.dirname(__FILE__)}/atomics/index.md", result
-end
-
-oks = []
-fails = []
-techniques_by_tactic = Hash.new {|h, k| h[k] = []}
-
-Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.each do |path|
- begin
- print "Generating docs for #{path}"
- atomic_yaml = YAML.load(File.read path)
-
- generate_docs! atomic_yaml, path.gsub(/.yaml/, '.md')
- update_index_mapping atomic_yaml, techniques_by_tactic
+ generate_attack_matrix!
+ generate_index!
- puts "OK"
- rescue => ex
- fails << path
- puts "FAIL (#{ex} #{ex.backtrace.join("\n")})"
+ return oks, fails
+ end
+
+ def generate_docs!(atomic_yaml, output_doc_path)
+ technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
+ technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
+
+ template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
+ generated_doc = template.result(binding)
+
+ print " => #{output_doc_path} => "
+ File.write output_doc_path, generated_doc
+ end
+
+ def generate_attack_matrix!
+ result = "| #{ATTACK_API.ordered_tactics.join(' | ')} |\n"
+ result += "|#{'-----|' * ATTACK_API.ordered_tactics.count}\n"
+
+ ATTACK_API.ordered_tactic_to_technique_matrix.each do |row_of_techniques|
+ row_values = row_of_techniques.collect do |technique|
+ if technique
+ ATOMIC_RED_TEAM.github_link_to_technique(technique)
+ end
+ end
+ result += "| #{row_values.join(' | ')} |\n"
+ end
+ File.write "#{File.dirname(__FILE__)}/atomics/matrix.md", result
+ end
+
+ def generate_index!
+ result = ''
+
+ ATTACK_API.techniques_by_tactic.each do |tactic, techniques|
+ result += "# #{tactic}\n"
+ techniques.each do |technique|
+ result += "- #{ATOMIC_RED_TEAM.github_link_to_technique(technique, true)}\n"
+ ATOMIC_RED_TEAM.atomic_tests_for_technique(technique).each_with_index do |atomic_test, i|
+ result += " - Atomic Test ##{i+1}: #{atomic_test['name']}\n"
+ end
+ end
+ result += "\n"
+ end
+
+ File.write "#{File.dirname(__FILE__)}/atomics/index.md", result
 end
 end
-generate_indices! techniques_by_tactic
-
+oks, fails = AtomicRedTeamDocs.new.generate_all_the_docs!
 puts
 puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
From 6225b0caa694aee94d06bd88fdb9f319b86b4daf Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 05:59:03 +0200
Subject: [PATCH 3/9] lots of comments
---
 atomic_red_team.rb | 16 ++++++++---
 attack_api.rb | 59 ++++++++++++++++++++++++++++++++---------
 generate_atomic_docs.rb | 34 +++++++++++++++++-------
 3 files changed, 83 insertions(+), 26 deletions(-)
diff --git a/atomic_red_team.rb b/atomic_red_team.rb
index 68eb20a4..7f1a9d47 100755
--- a/atomic_red_team.rb
+++ b/atomic_red_team.rb
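Review bot: `atomic_yaml['atomic_yaml_path'].gsub(/.yaml/, '.md')` in `generate_all_the_docs!` leaves the dot unescaped and replaces every match, so any `yaml` preceded by one character anywhere in the path is rewritten rather than only the extension; `sub(/\.yaml\z/, '.md')` pins it to the suffix. `generate_docs!` then assigns `technique['identifier']` on the Hash returned by `ATTACK_API.technique_info`, and since `Attack#attack_json` memoises the parsed STIX and `techniques` only filters that array, the write lands in the shared cache and is visible to every later caller; `technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique')).merge('identifier' => atomic_yaml.fetch('attack_technique').upcase)` keeps the cache untouched. The trailing `return oks, fails` can be the bare expression `[oks, fails]`, matching the implicit-return style of the other methods. The same `gsub` reappears in the later generate_atomic_docs.rb hunk `@@ -15,7 +17,7 @@`.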
@@ -3,13 +3,15 @@ require 'yaml'
 require 'erb'
 require './attack_api'
-
 class AtomicRedTeam
 ATTACK_API = Attack.new
 # TODO- should these all be relative URLs?
 ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
+ #
+ # Returns a list of Atomic Tests in Atomic Red Team (as Hashes from source YAML)
+ #
 def atomic_tests
 @atomic_tests ||= Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.collect do |path|
 atomic_yaml = YAML.load(File.read path)
@@ -18,9 +20,12 @@ class AtomicRedTeam
 end
 end
+ #
+ # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
+ #
 def atomic_tests_for_technique(technique_or_technique_identifier)
 technique_identifier = if technique_or_technique_identifier.is_a? Hash
- technique_or_technique_identifier.fetch('external_references', []).find {|refs| refs['source_name'] == 'mitre-attack'}['external_id'].downcase
+ ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
 else
 technique_or_technique_identifier
 end
@@ -30,8 +35,13 @@ class AtomicRedTeam
 end.to_h.fetch('atomic_tests', [])
 end
+ #
+ # Returns a Markdown formatted Github link to a technique. This will be to the edit page for
+ # techniques that already have one or more Atomic Red Team tests, or the create page for
+ # techniques that have no existing tests.
+ #
 def github_link_to_technique(technique, include_identifier=false)
- technique_identifier = technique.fetch('external_references', []).find {|refs| refs['source_name'] == 'mitre-attack'}['external_id'].downcase
+ technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).downcase
 link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
 if File.exists? "#{File.dirname(__FILE__)}/atomics/#{technique_identifier}/#{technique_identifier}.md"
diff --git a/attack_api.rb b/attack_api.rb
index d9b7679a..20922adc 100755
--- a/attack_api.rb
+++ b/attack_api.rb
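Review bot: The comment added above `github_link_to_technique` in hunk `@@ -30,8 +35,13 @@` says the link goes to the edit page for techniques that already have tests, but the method body (which continues outside this hunk and is visible in the later `atomic-red-team/atomic_red_team.rb` listing) links to `tree/master` when the technique's Markdown file exists and only falls back to `edit/master` when it does not, so the first half of the comment appears to describe the wrong branch. The comment above `atomic_tests_for_technique` in hunk `@@ -18,9 +20,12 @@` misspells "identifer" and omits the empty result that `end.to_h.fetch('atomic_tests', [])` produces when no matching YAML is found; suggest `# Returns the individual Atomic Tests for a given identifier, passed as either a string (T1234) or an ATT&CK technique object; returns [] when no Atomic Red Team tests exist for it`. Both methods begin in these hunks but end outside them.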
@@ -2,7 +2,14 @@
 require 'open-uri'
 require 'json'
+#
+# Attack is an API class that loads information about ATT&CK techniques from MITRE'S ATT&CK
+# STIX representation. It makes it very simple to do common things with ATT&CK.
+#
 class Attack
+ #
+ # Tactics as presented in the order that the ATT&CK matrics uses
+ #
 def ordered_tactics
 [
 'initial-access',
@@ -19,6 +26,18 @@ class Attack
 ]
 end
+ #
+ # Returns the technique identifier (T1234) for a Technique object
+ #
+ def technique_identifier_for_technique(technique)
+ technique.fetch('external_references', []).find do |refs|
+ refs['source_name'] == 'mitre-attack'
+ end['external_id'].upcase
+ end
+
+ #
+ # Returns a Technique object given a technique identifier (T1234)
+ #
 def technique_info(technique_id)
 techniques.find do |item|
 item.fetch('external_references', []).find do |references|
@@ -27,16 +46,9 @@ class Attack
 end
 end
- def techniques_by_tactic
- techniques_by_tactic = Hash.new {|h, k| h[k] = []}
- techniques.each do |technique|
- technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
- techniques_by_tactic[tactic.fetch('phase_name')] << technique
- end
- end
- techniques_by_tactic
- end
-
+ #
+ # Returns the ATT&CK Matrix as a 2D array, in order by `ordered_tactics`
+ #
 def ordered_tactic_to_technique_matrix
 # make an 2d array of our techniques in the order our tactics appear
 all_techniques_in_tactic_order = []
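Review bot: `technique_identifier_for_technique` (hunk `@@ -19,6 +26,18 @@`) indexes the result of `find` directly, so a technique whose `external_references` carry no `mitre-attack` entry raises `NoMethodError` on `nil` from deep inside docs generation instead of a message naming the technique. A guarded form keeps the contract explicit: `ref = technique.fetch('external_references', []).find { |refs| refs['source_name'] == 'mitre-attack' }` / `raise ArgumentError, "no mitre-attack reference for technique #{technique['name']}" unless ref` / `ref.fetch('external_id').upcase`. `technique_info` in the same hunk still matches `external_id` against references of any `source_name` even though this new helper now exists to select the ATT&CK one. The new comment above `ordered_tactics` also reads "matrics" where "matrix" is meant.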
@@ -54,17 +66,38 @@ class Attack
 all_techniques_in_tactic_order.transpose
 end
+ #
+ # Returns a map of all [ ATT&CK Tactic name ] => [ List of ATT&CK techniques associated with that tactic]
+ #
+ def techniques_by_tactic
+ techniques_by_tactic = Hash.new {|h, k| h[k] = []}
+ techniques.each do |technique|
+ technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
+ techniques_by_tactic[tactic.fetch('phase_name')] << technique
+ end
+ end
+ techniques_by_tactic
+ end
+
+ #
+ # Returns a list of all ATT&CK techniques
+ #
 def techniques
 # pull out the attack pattern objects
- attack_json.fetch("objects").select do |item|
+ attack_stix.fetch("objects").select do |item|
 item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
 references['source_name'] == 'mitre-attack'
 end
 end
 end
- def attack_json
- @attack_json ||= begin
+ private
+
+ #
+ # Returns the complete ATT&CK STIX collection parsed into a Hash
+ #
+ def attack_stix
+ @attack_stix ||= begin
 # load the full attack library
 local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
 if File.exists? local_attack_json_to_try
diff --git a/generate_atomic_docs.rb b/generate_atomic_docs.rb
index b3d88f37..cfd24de3 100755
--- a/generate_atomic_docs.rb
+++ b/generate_atomic_docs.rb
@@ -1,5 +1,4 @@
 #! /usr/bin/env ruby
-require 'yaml'
 require 'erb'
 require './attack_api'
 require './atomic_red_team'
@@ -8,6 +7,9 @@ class AtomicRedTeamDocs
 ATTACK_API = Attack.new
 ATOMIC_RED_TEAM = AtomicRedTeam.new
+ #
+ # Generates all the documentation used by Atomic Red Team
+ #
 def generate_all_the_docs!
 oks = []
 fails = []
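Review bot: `techniques_by_tactic` (hunk `@@ -54,17 +66,38 @@`) rebuilds its Hash on every call and `techniques` re-filters the full STIX object list each time, while `ordered_tactic_to_technique_matrix` (only partly visible here) calls `techniques_by_tactic[tactic]` once per tactic, so the whole collection is scanned once per column of the matrix. Memoising with `@techniques_by_tactic ||= begin … end` is the natural fix, but `ordered_tactic_to_technique_matrix` pads the arrays it receives in place with `concat`, so a memoised version has to hand out copies (`techniques_by_tactic[tactic].dup`) or the cached lists accumulate trailing `nil`s across calls. The new `attack_stix` keeps `File.exists?`, noted on the earlier attack_api.rb hunk.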
@@ -15,7 +17,7 @@ class AtomicRedTeamDocs
 ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
 begin
 print "Generating docs for #{atomic_yaml['atomic_yaml_path']}"
- generate_docs! atomic_yaml, atomic_yaml['atomic_yaml_path'].gsub(/.yaml/, '.md')
+ generate_technique_docs! atomic_yaml, atomic_yaml['atomic_yaml_path'].gsub(/.yaml/, '.md')
 oks << atomic_yaml['atomic_yaml_path']
 puts "OK"
@@ -25,13 +27,16 @@ class AtomicRedTeamDocs
 end
 end
- generate_attack_matrix!
- generate_index!
+ generate_attack_matrix! "#{File.dirname(__FILE__)}/atomics/matrix.md"
+ generate_index! "#{File.dirname(__FILE__)}/atomics/index.md"
 return oks, fails
 end
- def generate_docs!(atomic_yaml, output_doc_path)
+ #
+ # Generates Markdown documentation for a specific technique from its YAML source
+ #
+ def generate_technique_docs!(atomic_yaml, output_doc_path)
 technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
 technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
@@ -41,8 +46,11 @@ class AtomicRedTeamDocs
 print " => #{output_doc_path} => "
 File.write output_doc_path, generated_doc
 end
-
- def generate_attack_matrix!
+
+ #
+ # Generates a Markdown ATT&CK documentation matrix for all techniques
+ #
+ def generate_attack_matrix!(output_doc_path)
 result = "| #{ATTACK_API.ordered_tactics.join(' | ')} |\n"
 result += "|#{'-----|' * ATTACK_API.ordered_tactics.count}\n"
@@ -54,10 +62,13 @@ class AtomicRedTeamDocs
 end
 result += "| #{row_values.join(' | ')} |\n"
 end
- File.write "#{File.dirname(__FILE__)}/atomics/matrix.md", result
+ File.write output_doc_path, result
 end
- def generate_index!
+ #
+ # Generates a master Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests
+ #
+ def generate_index!(output_doc_path)
 result = ''
 ATTACK_API.techniques_by_tactic.each do |tactic, techniques|
@@ -71,10 +82,13 @@ class AtomicRedTeamDocs
 result += "\n"
 end
- File.write "#{File.dirname(__FILE__)}/atomics/index.md", result
+ File.write output_doc_path, result
 end
 end
+#
+# MAIN
+#
 oks, fails = AtomicRedTeamDocs.new.generate_all_the_docs!
 puts
 puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
From 4042cb3433bce024e304500dcfe3c5590571573a Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 06:49:20 +0200
Subject: [PATCH 4/9] move bin scripts into bin, apis into atomic-red-team
---
 CONTRIBUTIONS.md | 46 ++++---
 LICENSE.txt | 2 +-
 .../atomic_doc_template.md.erb | 0
 atomic-red-team/atomic_red_team.rb | 130 ++++++++++++++++++
 .../atomic_test_template.yaml | 4 +-
 .../attack_api.rb | 0
 {atomics => atomic-red-team}/spec.yaml | 0
 atomic_red_team.rb | 55 --------
 .../generate-atomic-docs.rb | 20 +--
 bin/generate-docs | 8 --
 new_atomic.rb => bin/new-atomic.rb | 0
 bin/validate-atomics.rb | 29 ++++
 validate_atomics.rb | 101 --------------
 13 files changed, 199 insertions(+), 196 deletions(-)
 rename {atomics => atomic-red-team}/atomic_doc_template.md.erb (100%)
 create mode 100755 atomic-red-team/atomic_red_team.rb
 rename atomics/template.yaml => atomic-red-team/atomic_test_template.yaml (89%)
 rename attack_api.rb => atomic-red-team/attack_api.rb (100%)
 rename {atomics => atomic-red-team}/spec.yaml (100%)
 delete mode 100755 atomic_red_team.rb
 rename generate_atomic_docs.rb => bin/generate-atomic-docs.rb (79%)
 delete mode 100755 bin/generate-docs
 rename new_atomic.rb => bin/new-atomic.rb (100%)
 create mode 100755 bin/validate-atomics.rb
 delete mode 100755 validate_atomics.rb
diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md
index 88cea1de..9dd2c5a0 100644
--- a/CONTRIBUTIONS.md
+++ b/CONTRIBUTIONS.md
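Review bot: The `# MAIN` section introduced in hunk `@@ -71,10 +82,13 @@` labels top-level code that runs `AtomicRedTeamDocs.new.generate_all_the_docs!` at load time, so loading this file from another script regenerates every doc as a side effect of the `require`. Guarding the call with `if __FILE__ == $PROGRAM_NAME` … `end` keeps `AtomicRedTeamDocs` loadable on its own while preserving the script behaviour when run directly.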
@@ -1,35 +1,39 @@ -## How to contribute to Atomic Red Team - -#### **Atomic Contribution** +# How to contribute to Atomic Red Team +## Atomic Philosophy Atomic Red Team welcomes all types of contributions as long as it is mapped to [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page). -The Framework is also meant to be "easy". If your Atomic test is complicated and requires multiple external utilities/packages/Kali, we may dismiss it. +- Tests are made to be "easy". If your Atomic test is complicated and requires multiple external utilities/packages/Kali, we may dismiss it. -TEST YOUR Atomic Test! Be sure to run it from a few OS platforms before submitting a pull to ensure everything is working correctly. +- TEST YOUR Atomic Test! Be sure to run it from a few OS platforms before submitting a pull to ensure everything is working correctly. -If sourcing from another tool/product (ex. generated command), be sure to cite it in your .md file. +- If sourcing from another tool/product (ex. generated command), be sure to cite it in the test's description. -Any and all Payloads need to be placed in the respective Windows|Mac|Linux Payload directory. +## How to contribute +Pick the technique you want to add a test for and run the generator: -Be sure you update the ATT&CK url, Txxxx number, and the title (ex. InstallUtil). +``` +bin/new-atomic.rb T1234 +``` +This makes a new test for the technique with a bunch of TBDs you'll fill in and opens up your editor +so you can get to work. -#### Atomic Template Example +Fill in the TBDs with the information for your test. Read the [Atomic Red Team YAML Spec](atomic-red-team/spec.yaml) +for complete details about what each field means and a list of possible values. +Validate that your Atomic Test is up to code! - ## InstallUtil +``` +bin/validate-atomics.rb +``` - MITRE ATT&CK Technique: [T1118](https://attack.mitre.org/wiki/Technique/T1118) +Submit a pull request once your test is complete and everything validates. 
- ### Execution Examples: +## Generating Atomic docs yourself (optional) +If you want to see what the pretty Markdown version of your Atomic Test is going to look like, +you can generate the Atomic Docs yourself: - Input: - - x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - - x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll - - ## Test Script - - [InstallUtilBypass.cs](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/InstallUtilBypass.cs) +``` +bin/generate-atomic-docs.rb +``` \ No newline at end of file diff --git a/LICENSE.txt b/LICENSE.txt index cad34f8e..efebd02d 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,7 +1,7 @@ The MIT License -Copyright (c) 2016 Red Canary, Inc. +Copyright (c) 2018 Red Canary, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/atomics/atomic_doc_template.md.erb b/atomic-red-team/atomic_doc_template.md.erb similarity index 100% rename from atomics/atomic_doc_template.md.erb rename to atomic-red-team/atomic_doc_template.md.erb diff --git a/atomic-red-team/atomic_red_team.rb b/atomic-red-team/atomic_red_team.rb new file mode 100755 index 00000000..5a2eaae0 --- /dev/null +++ b/atomic-red-team/atomic_red_team.rb 
@@ -0,0 +1,130 @@
+#! /usr/bin/env ruby
+require 'yaml'
+require 'erb'
+require 'attack_api'
+
+class AtomicRedTeam
+ ATTACK_API = Attack.new
+
+ ATOMICS_DIRECTORY = "#{File.dirname(File.dirname(__FILE__))}/atomics"
+
+ # TODO- should these all be relative URLs?
+ ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
+
+ #
+ # Returns a list of paths that contain Atomic Tests
+ #
+ def atomic_test_paths
+ Dir["#{ATOMICS_DIRECTORY}/t*/t*.yaml"].sort
+ end
+
+ #
+ # Returns a list of Atomic Tests in Atomic Red Team (as Hashes from source YAML)
+ #
+ def atomic_tests
+ @atomic_tests ||= atomic_test_paths.collect do |path|
+ atomic_yaml = YAML.load(File.read path)
+ atomic_yaml['atomic_yaml_path'] = path
+ atomic_yaml
+ end
+ end
+
+ #
+ # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
+ #
+ def atomic_tests_for_technique(technique_or_technique_identifier)
+ technique_identifier = if technique_or_technique_identifier.is_a? Hash
+ ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
+ else
+ technique_or_technique_identifier
+ end
+
+ atomic_tests.find do |atomic_yaml|
+ atomic_yaml.fetch('attack_technique').downcase == technique_identifier.downcase
+ end.to_h.fetch('atomic_tests', [])
+ end
+
+ #
+ # Returns a Markdown formatted Github link to a technique. This will be to the edit page for
+ # techniques that already have one or more Atomic Red Team tests, or the create page for
+ # techniques that have no existing tests.
+ #
+ def github_link_to_technique(technique, include_identifier=false)
+ technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).downcase
+ link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
+
+ if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
+ # we have a file for this technique, so link to it's Markdown file
+ "[#{link_display}](#{ROOT_GITHUB_URL}/tree/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
+ else
+ # we don't have a file for this technique, so link to an edit page
+ "[#{link_display}](#{ROOT_GITHUB_URL}/edit/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
+ end
+ end
+
+ def validate_atomic_yaml!(yaml)
+ raise("YAML file has no elements") if yaml.nil?
+
+ raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
+ raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
+
+ raise('`display_name` element is required') unless yaml.has_key?('display_name')
+ raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
+
+ raise('`atomic_tests` element is required') unless yaml.has_key?('atomic_tests')
+ raise('`atomic_tests` element must be an array') unless yaml['atomic_tests'].is_a?(Array)
+ raise('`atomic_tests` element is empty - you have no tests') unless yaml['atomic_tests'].count > 0
+
+ yaml['atomic_tests'].each_with_index do |atomic, i|
+ raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
+ raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
+
+ raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
+ raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
+
+ raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
+ raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
+
+ valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
+ atomic['supported_platforms'].each do |platform|
+ if !valid_supported_platforms.include?(platform)
+ raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
+ end
+ end
+
+ (atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
+ arg_name, arg = arg_kvp
+ raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
+ raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element must be a string") unless arg['description'].is_a?(String)
+
+ raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element is required") unless arg.has_key?('type')
+ raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be a string") unless arg['type'].is_a?(String)
+ raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be lowercased and underscored (was #{arg['type']})") unless arg['type'] =~ /[a-z_]+/
+
+ # TODO: determine if we think default values are required for EVERY input argument
+ # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element is required") unless arg.has_key?('default')
+ # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element must be a string (was a #{arg['default'].class.name})") unless arg['default'].is_a?(String)
+ end
+
+ raise("`atomic_tests[#{i}].executor` element is required") unless atomic.has_key?('executor')
+ executor = atomic['executor']
+ raise("`atomic_tests[#{i}].executor.name` element is required") unless executor.has_key?('name')
+ raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
+ raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
+
+ valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
+ case executor['name']
+ when 'manual'
+ raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
+ raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
+
+ when 'command_prompt', 'sh', 'bash', 'powershell'
+ raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
+ raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
+
+ else
+ raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/atomics/template.yaml b/atomic-red-team/atomic_test_template.yaml
similarity index 89%
rename from atomics/template.yaml
rename to atomic-red-team/atomic_test_template.yaml
index e3bbfbda..b6fdee10 100644
--- a/atomics/template.yaml
+++ b/atomic-red-team/atomic_test_template.yaml
@@ -20,7 +20,7 @@ atomic_tests: type: todo default: TODO - executors: - name: TODO + executor: + name: command_prompt command: | TODO
diff --git a/attack_api.rb b/atomic-red-team/attack_api.rb
similarity index 100%
rename from attack_api.rb
rename to atomic-red-team/attack_api.rb
diff --git a/atomics/spec.yaml b/atomic-red-team/spec.yaml
similarity index 100%
rename from atomics/spec.yaml
rename to atomic-red-team/spec.yaml
diff --git a/atomic_red_team.rb b/atomic_red_team.rb
deleted file mode 100755
index 7f1a9d47..00000000
--- a/atomic_red_team.rb
+++ /dev/null
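Review bot: The lowercase checks in validate_atomic_yaml! (`arg['type'] =~ /[a-z_]+/` and `executor['name'] =~ /[a-z_]+/`) are unanchored, so any value containing a single lowercase letter or underscore passes and the "must be lowercased and underscored" error can never fire for a value like `Todo`; anchor them as `/\A[a-z_]+\z/`. The messages for `attack_technique` and `display_name` say "must be an array" while the check is `is_a?(String)`, which will mislead contributors; change both to "must be a string". atomic_tests reads the test files with `YAML.load`, which instantiates arbitrary Ruby objects, and bin/validate-atomics.rb does the same with `YAML.load_file`; the validator only expects plain hashes, arrays and strings, so `YAML.safe_load(File.read(path))` is the appropriate reader in both places. `File.exists?` in github_link_to_technique is the deprecated alias of `File.exist?`.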
@@ -1,55 +0,0 @@
-#! /usr/bin/env ruby
-require 'yaml'
-require 'erb'
-require './attack_api'
-
-class AtomicRedTeam
- ATTACK_API = Attack.new
-
- # TODO- should these all be relative URLs?
- ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
-
- #
- # Returns a list of Atomic Tests in Atomic Red Team (as Hashes from source YAML)
- #
- def atomic_tests
- @atomic_tests ||= Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.collect do |path|
- atomic_yaml = YAML.load(File.read path)
- atomic_yaml['atomic_yaml_path'] = path
- atomic_yaml
- end
- end
-
- #
- # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
- #
- def atomic_tests_for_technique(technique_or_technique_identifier)
- technique_identifier = if technique_or_technique_identifier.is_a? Hash
- ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
- else
- technique_or_technique_identifier
- end
-
- atomic_tests.find do |atomic_yaml|
- atomic_yaml.fetch('attack_technique').downcase == technique_identifier.downcase
- end.to_h.fetch('atomic_tests', [])
- end
-
- #
- # Returns a Markdown formatted Github link to a technique. This will be to the edit page for
- # techniques that already have one or more Atomic Red Team tests, or the create page for
- # techniques that have no existing tests.
- #
- def github_link_to_technique(technique, include_identifier=false)
- technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).downcase
- link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
-
- if File.exists? "#{File.dirname(__FILE__)}/atomics/#{technique_identifier}/#{technique_identifier}.md"
- # we have a file for this technique, so link to it's Markdown file
- "[#{link_display}](#{ROOT_GITHUB_URL}/tree/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
- else
- # we don't have a file for this technique, so link to an edit page
- "[#{link_display}](#{ROOT_GITHUB_URL}/edit/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
- end
- end
-end
\ No newline at end of file
diff --git a/generate_atomic_docs.rb b/bin/generate-atomic-docs.rb
similarity index 79%
rename from generate_atomic_docs.rb
rename to bin/generate-atomic-docs.rb
index cfd24de3..25fc370d 100755
--- a/generate_atomic_docs.rb
+++ b/bin/generate-atomic-docs.rb
@@ -1,7 +1,8 @@
 #! /usr/bin/env ruby
+$LOAD_PATH << "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team"
 require 'erb'
-require './attack_api'
-require './atomic_red_team'
+require 'attack_api'
+require 'atomic_red_team'
 class AtomicRedTeamDocs
 ATTACK_API = Attack.new
@@ -26,9 +27,10 @@ class AtomicRedTeamDocs
 puts "FAIL\n#{ex}\n#{ex.backtrace.join("\n")}"
 end
 end
-
- generate_attack_matrix! "#{File.dirname(__FILE__)}/atomics/matrix.md"
- generate_index! "#{File.dirname(__FILE__)}/atomics/index.md"
+ puts
+ puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
+ generate_attack_matrix! "#{File.dirname(File.dirname(__FILE__))}/atomics/matrix.md"
+ generate_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/index.md"
 return oks, fails
 end
@@ -40,7 +42,7 @@ class AtomicRedTeamDocs
 technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
 technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
- template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
+ template = ERB.new File.read("#{File.dirname(File.dirname(__FILE__))}/atomic-red-team/atomic_doc_template.md.erb"), nil, "-"
 generated_doc = template.result(binding)
 print " => #{output_doc_path} => "
@@ -63,6 +65,8 @@ class AtomicRedTeamDocs
 result += "| #{row_values.join(' | ')} |\n"
 end
 File.write output_doc_path, result
+
+ puts "Generated ATT&CK matrix at #{output_doc_path}"
 end
 #
@@ -83,6 +87,8 @@ class AtomicRedTeamDocs
 end
 File.write output_doc_path, result
+
+ puts "Generated Atomic Red Team index at #{output_doc_path}"
 end
 end
@@ -90,7 +96,5 @@ end
 # MAIN
 #
 oks, fails = AtomicRedTeamDocs.new.generate_all_the_docs!
-puts
-puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
 exit fails.count
\ No newline at end of file
diff --git a/bin/generate-docs b/bin/generate-docs
deleted file mode 100755
index d50aa3ae..00000000
--- a/bin/generate-docs
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env ruby
-require 'ostruct'
-require 'yaml'
-
-Dir["#{File.dirname __FILE__}/../atomics/**/t*.yaml"].each do |technique_file|
- technique = OpenStruct.new YAML.load(File.read(technique_file))
- p technique.display_name
-end
diff --git a/new_atomic.rb b/bin/new-atomic.rb
similarity index 100%
rename from new_atomic.rb
rename to bin/new-atomic.rb
diff --git a/bin/validate-atomics.rb b/bin/validate-atomics.rb
new file mode 100755
index 00000000..bb2f31a1
--- /dev/null
+++ b/bin/validate-atomics.rb
@@ -0,0 +1,29 @@
+#! /usr/bin/env ruby
+$LOAD_PATH << "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team"
+require 'yaml'
+require 'atomic_red_team'
+
+ATOMIC_RED_TEAM = AtomicRedTeam.new
+ATOMIC_TEST_TEMPLATE = "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team/atomic_test_template.yaml"
+
+oks = []
+fails = []
+
+(ATOMIC_RED_TEAM.atomic_test_paths + [ATOMIC_TEST_TEMPLATE]).each do |path|
+ begin
+ print "Validating #{path}..."
+ YAML.load_file(path) rescue raise 'Invalid YAML'
+ AtomicRedTeam.new.validate_atomic_yaml! YAML.load_file(path)
+
+ oks << path
+ puts "OK"
+ rescue => ex
+ fails << path
+ puts "FAIL\n#{ex}\n#{ex.backtrace.join("\n")})"
+ end
+end
+
+puts
+puts "#{oks.count + fails.count} techniques, #{fails.count} failures"
+
+exit fails.count
\ No newline at end of file
diff --git a/validate_atomics.rb b/validate_atomics.rb
deleted file mode 100755
index 983989ac..00000000
--- a/validate_atomics.rb
+++ /dev/null
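Review bot: The failure line `puts "FAIL\n#{ex}\n#{ex.backtrace.join("\n")})"` ends with a stray `)` left over from the old parenthesised format, and the backtrace is now printed unconditionally rather than behind a debug switch, which makes CI output noisy for an ordinary schema error. `YAML.load_file(path) rescue raise 'Invalid YAML'` parses the file, throws away the parser's own line/column message, and the next line parses the same file a second time; load once into a local, e.g. `yaml = YAML.load_file(path)`, and let the `rescue => ex` below report the Psych error with its position. `AtomicRedTeam.new.validate_atomic_yaml!` builds a fresh instance per file although `ATOMIC_RED_TEAM` is already defined above; `ATOMIC_RED_TEAM.validate_atomic_yaml! yaml` is enough.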
@@ -1,101 +0,0 @@
-#! /usr/bin/env ruby
-require 'yaml'
-
-def validate_is_yaml!(path)
- YAML.load_file(path)
-rescue
- raise 'Invalid YAML'
-end
-
-def validate_is_atomic!(path)
- yaml = YAML.load_file(path)
- raise("YAML file has no elements") if yaml.nil?
-
- raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
- raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
-
- raise('`display_name` element is required') unless yaml.has_key?('display_name')
- raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
-
- raise('`atomic_tests` element is required') unless yaml.has_key?('atomic_tests')
- raise('`atomic_tests` element must be an array') unless yaml['atomic_tests'].is_a?(Array)
- raise('`atomic_tests` element is empty - you have no tests') unless yaml['atomic_tests'].count > 0
-
- yaml['atomic_tests'].each_with_index do |atomic, i|
- raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
- raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
-
- raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
- raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
-
- raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
- raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
-
- valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
- atomic['supported_platforms'].each do |platform|
- if !valid_supported_platforms.include?(platform)
- raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
- end
- end
-
- (atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
- arg_name, arg = arg_kvp
- raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
- raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element must be a string") unless arg['description'].is_a?(String)
-
- raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element is required") unless arg.has_key?('type')
- raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be a string") unless arg['type'].is_a?(String)
- raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be lowercased and underscored (was #{arg['type']})") unless arg['type'] =~ /[a-z_]+/
-
- # TODO: determine if we think default values are required for EVERY input argument
- # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element is required") unless arg.has_key?('default')
- # raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element must be a string (was a #{arg['default'].class.name})") unless arg['default'].is_a?(String)
- end
-
- raise("`atomic_tests[#{i}].executor` element is required") unless atomic.has_key?('executor')
- executor = atomic['executor']
- raise("`atomic_tests[#{i}].executor.name` element is required") unless executor.has_key?('name')
- raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
- raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
-
- valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
- case executor['name']
- when 'manual'
- raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
- raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
-
- when 'command_prompt', 'sh', 'bash', 'powershell'
- raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
- raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
-
- else
- raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
- end
- end
-end
-
-oks = []
-fails = []
-
-(Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"] +
- Dir["#{File.dirname(__FILE__)}/atomics/template.yaml"]).sort.each do |path|
- begin
- print "Validating #{path}..."
- validate_is_yaml! path
- validate_is_atomic! path
-
- puts "OK"
- rescue => ex
- fails << path
- if ENV['DEBUG'] == 'true'
- puts "FAIL (#{ex} #{ex.backtrace.join("\n")})"
- else
- puts "FAIL (#{ex})"
- end
- end
-end
-
-puts
-puts "#{oks.count + fails.count} techniques, #{fails.count} failures"
-
-exit fails.count
\ No newline at end of file
From b45069814ff6d2875f60af0d39f87c99eec38fe7 Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 06:50:54 +0200
Subject: [PATCH 5/9] update git ignore so we dont accidentally check this in
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 11b2afe9..44f892bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 .DS_store
 .vscode
 .atom
+atomic-red-team/enterprise-attack.json
\ No newline at end of file
From 3d6198cc99fc494d4061f63f70e6035034db6d6a Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 06:54:19 +0200
Subject: [PATCH 6/9] update git ignore so we dont accidentally check this in
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 44f892bc..452196a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@
 .DS_store
 .vscode
 .atom
-atomic-red-team/enterprise-attack.json
\ No newline at end of file
+atomic-red-team/enterprise-attack.json
From dd2aa50685a681a873e1d614cb041e50821b2b49 Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 07:09:43 +0200
Subject: [PATCH 7/9] update circle
---
 .circleci/config.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index bad28995..9c88046c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -26,7 +26,7 @@ jobs:
 - run:
 name: Validate the format of atomic tests against the spec
 command: |
- ./validate_atomics.rb
+ bin/validate-atomics.rb
 generate_docs:
 <<: *defaults
@@ -34,4 +34,5 @@ jobs:
 - run:
 name: Generate nice markdown document for atomics
 command: |
- ./generate_atomic_docs.rb
+ bin/generate-atomic-docs.rb
+ git status
From 7ba6588f5f0e7812084c485a364517d0b7600b3e Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 07:29:16 +0200
Subject: [PATCH 8/9] cut of execution docs for testing
---
 bin/generate-atomic-docs.rb | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb
index 25fc370d..62f0bf66 100755
--- a/bin/generate-atomic-docs.rb
+++ b/bin/generate-atomic-docs.rb
@@ -1,6 +1,7 @@
 #! /usr/bin/env ruby
 $LOAD_PATH << "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team"
 require 'erb'
+require 'fileutils'
 require 'attack_api'
 require 'atomic_red_team'
@@ -19,7 +20,8 @@ class AtomicRedTeamDocs
 begin
 print "Generating docs for #{atomic_yaml['atomic_yaml_path']}"
 generate_technique_docs! atomic_yaml, atomic_yaml['atomic_yaml_path'].gsub(/.yaml/, '.md')
-
+ # generate_technique_execution_docs! atomic_yaml, "#{File.dirname(File.dirname(__FILE__))}/atomic-red-team-execution/#{atomic_yaml['attack_technique'].downcase}.html"
+
 oks << atomic_yaml['atomic_yaml_path']
 puts "OK"
 rescue => ex
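Review bot: `git status` appended to the generate_docs job only prints the working-tree state; it never fails the job, so stale committed docs still pass CI after the generator rewrites them. If the step is meant to verify that the committed Markdown is current, `git diff --exit-code` after `bin/generate-atomic-docs.rb` would fail the job on drift; if it is only for debugging, a one-line comment saying so would keep it from being mistaken for a check.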
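Review bot: The commented-out `# generate_technique_execution_docs! ...` line in generate_all_the_docs! is inert code carrying a hard-coded output directory (`atomic-red-team-execution/`) that nothing else references; if the execution docs are intentionally disabled for now, a short comment stating why, or an opt-in such as an environment flag, is clearer than a dormant call that will drift from the method's signature. generate_all_the_docs! starts and ends outside this hunk.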
@@ -49,6 +51,22 @@ class AtomicRedTeamDocs
 File.write output_doc_path, generated_doc
 end
+ #
+ # Generates Markdown documentation for a specific technique from its YAML source
+ #
+ def generate_technique_execution_docs!(atomic_yaml, output_doc_path)
+ FileUtils.mkdir_p File.dirname(output_doc_path)
+
+ technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
+ technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
+
+ template = ERB.new File.read("#{File.dirname(File.dirname(__FILE__))}/atomic-red-team/atomic_execution_template.html.erb"), nil, "-"
+ generated_doc = template.result(binding)
+
+ print " => #{output_doc_path} => "
+ File.write output_doc_path, generated_doc
+ end
+
 #
 # Generates a Markdown ATT&CK documentation matrix for all techniques
 #
From e80fa2f759d38d74426142eb56ece00881f7f475 Mon Sep 17 00:00:00 2001
From: Brian Beyer
Date: Fri, 11 May 2018 10:37:05 +0200
Subject: [PATCH 9/9] add missing file
---
 atomic-red-team/atomic_execution_template.html.erb | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 atomic-red-team/atomic_execution_template.html.erb
diff --git a/atomic-red-team/atomic_execution_template.html.erb b/atomic-red-team/atomic_execution_template.html.erb
new file mode 100644
index 00000000..2fd9f957
--- /dev/null
+++ b/atomic-red-team/atomic_execution_template.html.erb
@@ -0,0 +1 @@
+TBD
\ No newline at end of file
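Review bot: The header comment on generate_technique_execution_docs! says it "Generates Markdown documentation for a specific technique", but the method renders atomic_execution_template.html.erb and its caller passes an .html output path, so the comment copied from generate_technique_docs! is wrong; suggest `# Generates an HTML execution page for a specific technique from its YAML source`. `ERB.new(..., nil, "-")` uses the legacy positional safe-level/trim-mode arguments, which Ruby 2.6 and later deprecate in favour of `ERB.new(File.read(...), trim_mode: "-")`; generate_technique_docs! earlier in the file has the same call shape. `template.result(binding)` hands the whole method binding, including atomic_yaml and output_doc_path, to the template, so anything added to this method later becomes template-visible; a dedicated struct or `result_with_hash` would keep that surface explicit.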