Typo fix

Generated docs from job=generate-docs branch=master [ci skip]
Fix all invalid char (#1914 )
2022-04-30 05:51:59 -06:00 · 2022-04-30 11:39:02 +00:00 · 2022-04-30 05:38:32 -06:00 · 2022-04-30 01:44:53 +00:00 · 2022-04-30 01:44:47 +00:00 · 2022-04-29 19:44:18 -06:00
20 changed files with 438 additions and 12 deletions
@@ -4,7 +4,7 @@

 ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master)

-Atomic Red Team™ is library of tests mapped to the
+Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
 Atomic Red Team to quickly, portably, and reproducibly test their environments.

@@ -617,6 +617,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
@@ -854,6 +855,8 @@ discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Dom
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
+discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -972,6 +975,8 @@ discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-
 discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
 discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
+discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
+discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
@@ -991,6 +996,7 @@ discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars Power
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
+discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
@@ -438,6 +438,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
 defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
@@ -591,6 +592,8 @@ discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Dom
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
+discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -670,6 +673,8 @@ discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cf
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
 discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
 discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
+discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
+discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
@@ -942,6 +942,7 @@
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
+  - Atomic Test #12: Rundll32 with desk.cpl [windows]
 - [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1369,6 +1370,8 @@
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
  - Atomic Test #11: Get-DomainUser with PowerView [windows]
  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
+  - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
+  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1508,7 +1511,9 @@
  - Atomic Test #10: Environment variables discovery on windows [windows]
  - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
  - Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
- T1614.001 System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614.001 System Language Discovery](../../T1614.001/T1614.001.md)
+  - Atomic Test #1: Discover System Language by Registry Query [windows]
+  - Atomic Test #2: Discover System Language with chcp [windows]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
@@ -1533,6 +1538,7 @@
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
+  - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1124 System Time Discovery](../../T1124/T1124.md)
  - Atomic Test #1: System Time Discovery [windows]
  - Atomic Test #2: System Time Discovery - PowerShell [windows]
@@ -687,6 +687,7 @@
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
+  - Atomic Test #12: Rundll32 with desk.cpl [windows]
 - [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -983,6 +984,8 @@
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
  - Atomic Test #11: Get-DomainUser with PowerView [windows]
  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
+  - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
+  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1083,7 +1086,9 @@
  - Atomic Test #8: Windows MachineGUID Discovery [windows]
  - Atomic Test #9: Griffon Recon [windows]
  - Atomic Test #10: Environment variables discovery on windows [windows]
- T1614.001 System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614.001 System Language Discovery](../../T1614.001/T1614.001.md)
+  - Atomic Test #1: Discover System Language by Registry Query [windows]
+  - Atomic Test #2: Discover System Language with chcp [windows]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
@@ -33,7 +33,7 @@
 |  | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Cloud Logs](../../T1562.008/T1562.008.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Protocol Tunneling](../../T1572/T1572.md) |  |
-|  | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Language Discovery](../../T1614.001/T1614.001.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Remote Access Software](../../T1219/T1219.md) |  |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Video Capture](../../T1125/T1125.md) |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -26,7 +26,7 @@
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
 |  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Windows Management Instrumentation](../../T1047/T1047.md) | [Domain Account](../../T1136.002/T1136.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Language Discovery](../../T1614.001/T1614.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Video Capture](../../T1125/T1125.md) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -39594,6 +39594,25 @@ defense-evasion:
        command: 'rundll32.exe shell32.dll,Control_RunDLL #{input_file}

          '
+    - name: Rundll32 with desk.cpl
+      auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
+      description: "Rundll32.exe loading an executable renamed as .scr using desk.cpl
+        \nReference: \n  - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)\nSIGMA
+        rules:\n  - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)\n
+        \ - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_to_launch:
+          description: Path of the executable to launch
+          type: Path
+          default: "%windir%\\System32\\calc.exe"
+      executor:
+        name: command_prompt
+        command: |
+          copy #{exe_to_launch} not_an_scr.scr
+          rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+        cleanup_command: del not_an_scr.scr
  T1134.005:
    technique:
      object_marking_refs:
@@ -58688,7 +58707,47 @@ discovery:
      executor:
        name: powershell
        elevation_required: false
-        command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+        command: '([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+
+          '
+    - name: Enumerate Linked Policies In ADSISearcher Discovery
+      auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+        Upon successful execution a listing of users will output with their paths in AD.
+        Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '(([adsisearcher]''(objectcategory=organizationalunit)'').FindAll()).Path
+          | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink)
+          -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host
+          "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host
+          "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName}
+          };Write-Output "`n" }}
+
+          '
+    - name: Enumerate Root Domain linked policies Discovery
+      auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+        Upon successful execution a listing of users will output with their paths in AD.
+        Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '(([adsisearcher]'''').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host
+          "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]"
+          -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy
+          Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host
+          "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName}
+          };Write-Output "`n" }}
+
+          '
  T1069.002:
    technique:
      type: attack-pattern
@@ -62181,7 +62240,33 @@ discovery:
        description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
          the Doppelgänging technique. Retrieved May 22, 2018.
        source_name: SecureList SynAck Doppelgänging May 2018
-    atomic_tests: []
+      identifier: T1614.001
+    atomic_tests:
+    - name: Discover System Language by Registry Query
+      auto_generated_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
+      description: "Identify System language by querying the registry on an endpoint.
+        \n\nUpon successful execution, result in number format can be looked up to
+        correlate the language.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
+
+          '
+        name: command_prompt
+    - name: Discover System Language with chcp
+      auto_generated_guid: d91473ca-944e-477a-b484-0e80217cd789
+      description: |
+        Identify System language with the chcp command.
+
+        Upon successful execution, result in number format can be looked up to correlate the language.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'chcp
+
+          '
+        name: command_prompt
  T1614:
    technique:
      object_marking_refs:
@@ -62849,6 +62934,18 @@ discovery:

          '
        name: command_prompt
+    - name: System Service Discovery - systemctl
+      auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
+      description: 'Enumerates system service using systemctl
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'systemctl --type=service
+
+          '
+        name: bash
  T1124:
    technique:
      object_marking_refs:
@@ -8,6 +8,8 @@

 - [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)

+- [Atomic Test #3 - System Service Discovery - systemctl](#atomic-test-3---system-service-discovery---systemctl)
+

 <br/>

@@ -79,4 +81,32 @@ del /f /q /s #{output_file} >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #3 - System Service Discovery - systemctl
+Enumerates system service using systemctl
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f4b26bce-4c2c-46c0-bcc5-fce062d38bef
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+systemctl --type=service
+```
+
+
+
+
+
+
 <br/>
@@ -35,4 +35,13 @@ atomic_tests:
    cleanup_command: |
      del /f /q /s #{output_file} >nul 2>&1
    name: command_prompt
-
+- name: System Service Discovery - systemctl
+  auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
+  description: |
+    Enumerates system service using systemctl
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      systemctl --type=service
+    name: bash
@@ -30,6 +30,10 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher](#atomic-test-12---enumerate-active-directory-users-with-adsisearcher)

+- [Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery](#atomic-test-13---enumerate-linked-policies-in-adsisearcher-discovery)
+
+- [Atomic Test #14 - Enumerate Root Domain linked policies Discovery](#atomic-test-14---enumerate-root-domain-linked-policies-discovery)
+

 <br/>

@@ -504,4 +508,64 @@ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearc



+<br/>
+<br/>
+
+## Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery
+The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Enumerate Root Domain linked policies Discovery
+The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 00c652e2-0750-4ca6-82ff-0204684a6fe4
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
+```
+
+
+
+
+
+
 <br/>
@@ -238,4 +238,30 @@ atomic_tests:
    name: powershell
    elevation_required: false
    command: |
-      ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+      ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+- name: Enumerate Linked Policies In ADSISearcher Discovery
+  auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+    Upon successful execution a listing of users will output with their paths in AD.
+    Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      (([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
+- name: Enumerate Root Domain linked policies Discovery
+  auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+    Upon successful execution a listing of users will output with their paths in AD.
+    Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      (([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
@@ -32,6 +32,8 @@ Adversaries may also attempt to obscure malicious code from analysis by abusing

 - [Atomic Test #11 - Rundll32 with Control_RunDLL](#atomic-test-11---rundll32-with-control_rundll)

+- [Atomic Test #12 - Rundll32 with desk.cpl](#atomic-test-12---rundll32-with-deskcpl)
+

 <br/>

@@ -499,4 +501,47 @@ Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"



+<br/>
+<br/>
+
+## Atomic Test #12 - Rundll32 with desk.cpl
+Rundll32.exe loading an executable renamed as .scr using desk.cpl 
+Reference: 
+  - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
+SIGMA rules:
+  - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)
+  - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 83a95136-a496-423c-81d3-1c6750133917
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_to_launch | Path of the executable to launch | Path | %windir%&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+copy #{exe_to_launch} not_an_scr.scr
+rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+```
+
+#### Cleanup Commands:
+```cmd
+del not_an_scr.scr
+```
+
+
+
+
+
 <br/>
@@ -251,3 +251,26 @@ atomic_tests:
    name: command_prompt
    command: | 
      rundll32.exe shell32.dll,Control_RunDLL #{input_file}
+- name: Rundll32 with desk.cpl
+  auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917
+  description: |
+    Rundll32.exe loading an executable renamed as .scr using desk.cpl 
+    Reference: 
+      - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)
+    SIGMA rules:
+      - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)
+      - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)
+  supported_platforms:
+      - windows
+  input_arguments:
+    exe_to_launch:
+      description: Path of the executable to launch
+      type: Path
+      default: '%windir%\System32\calc.exe'
+  executor:
+    name: command_prompt
+    command: | 
+      copy #{exe_to_launch} not_an_scr.scr
+      rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
+    cleanup_command: 
+      del not_an_scr.scr
@@ -0,0 +1,77 @@
+# T1614.001 - System Language Discovery
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1614/001)
+<blockquote>Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)
+
+There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) 
+
+For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)
+
+On a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Discover System Language by Registry Query](#atomic-test-1---discover-system-language-by-registry-query)
+
+- [Atomic Test #2 - Discover System Language with chcp](#atomic-test-2---discover-system-language-with-chcp)
+
+
+<br/>
+
+## Atomic Test #1 - Discover System Language by Registry Query
+Identify System language by querying the registry on an endpoint. 
+
+Upon successful execution, result in number format can be looked up to correlate the language.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 631d4cf1-42c9-4209-8fe9-6bd4de9421be
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Discover System Language with chcp
+Identify System language with the chcp command.
+
+Upon successful execution, result in number format can be looked up to correlate the language.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d91473ca-944e-477a-b484-0e80217cd789
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+chcp
+```
+
+
+
+
+
+
+<br/>
@@ -0,0 +1,27 @@
+attack_technique: T1614.001
+display_name: 'System Location Discovery: System Language Discovery'
+atomic_tests:
+- name: Discover System Language by Registry Query
+  auto_generated_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
+  description: |
+    Identify System language by querying the registry on an endpoint. 
+
+    Upon successful execution, result in number format can be looked up to correlate the language.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
+    name: command_prompt
+- name: Discover System Language with chcp
+  auto_generated_guid: d91473ca-944e-477a-b484-0e80217cd789
+  description: |
+   Identify System language with the chcp command.
+
+   Upon successful execution, result in number format can be looked up to correlate the language.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      chcp
+    name: command_prompt
@@ -979,3 +979,9 @@ d5b886d9-d1c7-4b6e-a7b0-460041bf2823
 6bef32e5-9456-4072-8f14-35566fb85401
 385e59aa-113e-4711-84d9-f637aef01f2c
 f8757545-b00a-4e4e-8cfb-8cfb961ee713
+f4b26bce-4c2c-46c0-bcc5-fce062d38bef
+7ab0205a-34e4-4a44-9b04-e1541d1a57be
+00c652e2-0750-4ca6-82ff-0204684a6fe4
+631d4cf1-42c9-4209-8fe9-6bd4de9421be
+d91473ca-944e-477a-b484-0e80217cd789
+83a95136-a496-423c-81d3-1c6750133917
Author	SHA1	Message	Date
Carrie Roberts	4f1694c170	Typo fix	2022-04-30 05:51:59 -06:00
Atomic Red Team doc generator	a5d645d806	Generated docs from job=generate-docs branch=master [ci skip]	2022-04-30 11:39:02 +00:00
$frack113$ frack113	2d2818d65f	Fix all invalid char (#1914 )	2022-04-30 05:38:32 -06:00
Atomic Red Team doc generator	a6f3763249	Generated docs from job=generate-docs branch=master [ci skip]	2022-04-30 01:44:53 +00:00
Atomic Red Team GUID generator	c99b1399ec	Generate GUIDs from job=generate-docs branch=master [skip ci]	2022-04-30 01:44:47 +00:00
Jorge Orchilles	e91928c7e1	Add Rundll32 with desk.cpl (#1912 ) * Update T1218.011.yaml Add Rundll32 with desk.cpl * Update T1218.011.yaml * Update T1218.011.yaml * Update T1218.011.yaml * Update T1218.011.yaml * Update T1218.011.yaml	2022-04-29 19:44:18 -06:00
Atomic Red Team doc generator	09cef80231	Generated docs from job=generate-docs branch=master [ci skip]	2022-04-29 21:21:26 +00:00
Atomic Red Team GUID generator	afa5987cd9	Generate GUIDs from job=generate-docs branch=master [skip ci]	2022-04-29 21:21:20 +00:00
Jorge Orchilles	19e2814e3c	Adding System Language Discovery (#1906 ) * Create T1553.005 * Create T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Updated T1553.005 * Merging * Create T1614.001.yaml * Update T1614.001.yaml * Update T1614.001.yaml * Update T1614.001.yaml Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2022-04-29 15:20:59 -06:00
Atomic Red Team doc generator	a0c2520962	Generated docs from job=generate-docs branch=master [ci skip]	2022-04-29 21:19:24 +00:00
Atomic Red Team GUID generator	389f4d13f0	Generate GUIDs from job=generate-docs branch=master [skip ci]	2022-04-29 21:19:19 +00:00
tccontre	20e304c516	enumeration of active directory organization unit and root domain (#1907 ) * Update T1112.yaml * Update T1112.yaml * typos * Update T1087.002.yaml * Update T1087.002.yaml * Update T1087.002.yaml Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2022-04-29 15:18:53 -06:00
Atomic Red Team doc generator	a082fb047a	Generated docs from job=generate-docs branch=master [ci skip]	2022-04-29 21:06:05 +00:00
Atomic Red Team GUID generator	238ff5b80a	Generate GUIDs from job=generate-docs branch=master [skip ci]	2022-04-29 21:06:00 +00:00
Mohammed Hassan	8b57f31fc4	Update T1007.yaml (#1909 ) Co-authored-by: Carrie Roberts <clr2of8@gmail.com>	2022-04-29 15:05:33 -06:00
Adam Mashinchi	988675b98b	Merge pull request #1911 from redcanaryco/testest Empty-Commit	2022-04-29 09:36:04 -07:00