# Windows Atomic Tests by ATT&CK Tactic & Technique

# defense-evasion
- [T1134 Access Token Manipulation](./T1134/T1134.md)
  - Atomic Test #1: Access Token Manipulation [windows]
- [T1197 BITS Jobs](./T1197/T1197.md)
  - Atomic Test #1: Download & Execute [windows]
  - Atomic Test #2: Download & Execute via PowerShell BITS [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
- [T1088 Bypass User Account Control](./T1088/T1088.md)
  - Atomic Test #1: Bypass UAC using Event Viewer [windows]
  - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
  - Atomic Test #3: Bypass UAC using Fodhelper [windows]
  - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- [T1191 CMSTP](./T1191/T1191.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1223 Compiled HTML File](./T1223/T1223.md)
  - Atomic Test #1: Compiled HTML Help Local Payload [windows]
  - Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
  - Atomic Test #1: Component Object Model Hijacking [windows]
- [T1090 Connection Proxy](./T1090/T1090.md)
- [T1196 Control Panel Items](./T1196/T1196.md)
  - Atomic Test #1: Control Panel Items [windows]
- [T1207 DCShadow](./T1207/T1207.md)
  - Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
  - Atomic Test #8: Unload Sysmon Filter Driver [windows]
  - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
  - Atomic Test #10: Uninstall Sysmon [windows]
  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
  - Atomic Test #4: Delete a single file - Windows cmd [windows]
  - Atomic Test #5: Delete an entire folder - Windows cmd [windows]
  - Atomic Test #6: Delete a single file - Windows PowerShell [windows]
  - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
  - Atomic Test #8: Delete VSS - vssadmin [windows]
  - Atomic Test #9: Delete VSS - wmic [windows]
  - Atomic Test #10: bcdedit [windows]
  - Atomic Test #11: wbadmin [windows]
  - Atomic Test #13: Delete-PrefetchFile [windows]
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
  - Atomic Test #1: Take ownership using takeown utility [windows]
  - Atomic Test #2: Take ownership recursively using takeown utility [windows]
  - Atomic Test #3: cacls - Grant permission to specified user or group [windows]
  - Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #5: icacls - Grant permission to specified user or group [windows]
  - Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #7: attrib - Remove read-only attribute [windows]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
  - Atomic Test #4: Create Windows System File with Attrib [windows]
  - Atomic Test #5: Create Windows Hidden File with Attrib [windows]
  - Atomic Test #11: Create ADS command prompt [windows]
  - Atomic Test #12: Create ADS PowerShell [windows]
- T1143 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
  - Atomic Test #1: Clear Logs [windows]
  - Atomic Test #2: FSUtil [windows]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- [T1118 InstallUtil](./T1118/T1118.md)
  - Atomic Test #1: InstallUtil uninstall method call [windows]
  - Atomic Test #2: InstallUtil GetHelp method call [windows]
- [T1036 Masquerading](./T1036/T1036.md)
  - Atomic Test #1: Masquerading as Windows LSASS process [windows]
  - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
  - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
  - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- [T1112 Modify Registry](./T1112/T1112.md)
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
  - Atomic Test #3: Modify Registry of Another User Profile [windows]
  - Atomic Test #4: Modify registry to store logon credentials [windows]
- [T1170 Mshta](./T1170/T1170.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
- [T1126 Network Share Connection Removal](./T1126/T1126.md)
  - Atomic Test #1: Add Network Share [windows]
  - Atomic Test #2: Remove Network Share [windows]
  - Atomic Test #3: Remove Network Share PowerShell [windows]
- [T1027 Obfuscated Files or Information](./T1027/T1027.md)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Process Injection via PowerSploit [windows]
  - Atomic Test #4: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
  - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
  - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
  - Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1014 Rootkit](./T1014/T1014.md)
  - Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- [T1085 Rundll32](./T1085/T1085.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1064 Scripting](./T1064/T1064.md)
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1099 Timestomp](./T1099/T1099.md)
  - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
  - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
  - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1220 XSL Script Processing](./T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
  - Atomic Test #3: WMIC bypass using local XSL file [windows]
  - Atomic Test #4: WMIC bypass using remote XSL file [windows]

# privilege-escalation
- [T1134 Access Token Manipulation](./T1134/T1134.md)
  - Atomic Test #1: Access Token Manipulation [windows]
- [T1015 Accessibility Features](./T1015/T1015.md)
  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
  - Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
  - Atomic Test #1: Application Shim Installation [windows]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
  - Atomic Test #1: Bypass UAC using Event Viewer [windows]
  - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
  - Atomic Test #3: Bypass UAC using Fodhelper [windows]
  - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
- [T1050 New Service](./T1050/T1050.md)
  - Atomic Test #1: Service Installation [windows]
  - Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Process Injection via PowerSploit [windows]
  - Atomic Test #4: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: Scheduled task Local [windows]
  - Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
  - Atomic Test #1: Web Shell Written to Disk [windows]

# persistence
- [T1015 Accessibility Features](./T1015/T1015.md)
  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- [T1098 Account Manipulation](./T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
  - Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
  - Atomic Test #1: Application Shim Installation [windows]
- T1131 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](./T1197/T1197.md)
  - Atomic Test #1: Download & Execute [windows]
  - Atomic Test #2: Download & Execute via PowerShell BITS [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](./T1176/T1176.md)
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
- [T1042 Change Default File Association](./T1042/T1042.md)
  - Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
  - Atomic Test #1: Component Object Model Hijacking [windows]
- [T1136 Create Account](./T1136/T1136.md)
  - Atomic Test #3: Create a new user in a command prompt [windows]
  - Atomic Test #4: Create a new user in PowerShell [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
  - Atomic Test #4: Create Windows System File with Attrib [windows]
  - Atomic Test #5: Create Windows Hidden File with Attrib [windows]
  - Atomic Test #11: Create ADS command prompt [windows]
  - Atomic Test #12: Create ADS PowerShell [windows]
- [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1062 Hypervisor](./T1062/T1062.md)
  - Atomic Test #1: Installing Hyper-V Feature [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
  - Atomic Test #1: Logon Scripts [windows]
- [T1031 Modify Existing Service](./T1031/T1031.md)
  - Atomic Test #1: Modify Fax service to run PowerShell [windows]
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
  - Atomic Test #1: Netsh Helper DLL Registration [windows]
- [T1050 New Service](./T1050/T1050.md)
  - Atomic Test #1: Service Installation [windows]
  - Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
- [T1137 Office Application Startup](./T1137/T1137.md)
  - Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1060 Registry Run Keys / Startup Folder](./T1060/T1060.md)
  - Atomic Test #1: Reg Key Run [windows]
  - Atomic Test #2: Reg Key RunOnce [windows]
  - Atomic Test #3: PowerShell Registry RunOnce [windows]
  - Atomic Test #4: Startup Folder [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: Scheduled task Local [windows]
  - Atomic Test #3: Scheduled task Remote [windows]
- [T1180 Screensaver](./T1180/T1180.md)
  - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
  - Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
  - Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
  - Atomic Test #1: Persistence [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]

# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
  - Atomic Test #1: Change User Password - Windows [windows]
  - Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
  - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
  - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
  - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
  - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](./T1490/T1490.md)
  - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
  - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
  - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
  - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
  - Atomic Test #1: Windows - Stop service using Service Controller [windows]
  - Atomic Test #2: Windows - Stop service using net.exe [windows]
  - Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](./T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
  - Atomic Test #2: Restart System - Windows [windows]
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
  - Atomic Test #8: Enumerate all accounts [windows]
  - Atomic Test #9: Enumerate all accounts via PowerShell [windows]
  - Atomic Test #10: Enumerate logged on users [windows]
  - Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1010 Application Window Discovery](./T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- [T1482 Domain Trust Discovery](./T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- [T1083 File and Directory Discovery](./T1083/T1083.md)
  - Atomic Test #1: File and Directory Discovery [windows]
  - Atomic Test #2: File and Directory Discovery [windows]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- [T1135 Network Share Discovery](./T1135/T1135.md)
  - Atomic Test #2: Network Share Discovery command prompt [windows]
  - Atomic Test #3: Network Share Discovery PowerShell [windows]
- [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Packet Capture PowerShell [windows]
- [T1201 Password Policy Discovery](./T1201/T1201.md)
  - Atomic Test #5: Examine local password policy - Windows [windows]
  - Atomic Test #6: Examine domain password policy - Windows [windows]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1069 Permission Groups Discovery](./T1069/T1069.md)
  - Atomic Test #1: Elevated group enumeration using net group [windows]
- [T1057 Process Discovery](./T1057/T1057.md)
- [T1012 Query Registry](./T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](./T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
  - Atomic Test #2: Remote System Discovery - ping sweep [windows]
  - Atomic Test #3: Remote System Discovery - arp [windows]
  - Atomic Test #6: Remote System Discovery - nslookup [windows]
- [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
  - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- [T1033 System Owner/User Discovery](./T1033/T1033.md)
  - Atomic Test #1: System Owner/User Discovery [windows]
- [T1007 System Service Discovery](./T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](./T1124/T1124.md)
  - Atomic Test #1: System Time Discovery [windows]
  - Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
- [T1110 Brute Force](./T1110/T1110.md)
  - Atomic Test #1: Brute Force Credentials [windows]
- [T1003 Credential Dumping](./T1003/T1003.md)
  - Atomic Test #1: Powershell Mimikatz [windows]
  - Atomic Test #2: Gsecdump [windows]
  - Atomic Test #3: Windows Credential Editor [windows]
  - Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
  - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
  - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
  - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
  - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
  - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
  - Atomic Test #11: GPP Passwords (findstr) [windows]
  - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
  - Atomic Test #3: Runs Mimikatz & Mimikittenz by name [windows]
  - Atomic Test #4: Extracting passwords with findstr [windows]
  - Atomic Test #5: Access "unattend.xml" [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1056 Input Capture](./T1056/T1056.md)
  - Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Packet Capture PowerShell [windows]
- [T1174 Password Filter DLL](./T1174/T1174.md)
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1145 Private Keys](./T1145/T1145.md)
  - Atomic Test #1: Private Keys [windows]
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# lateral-movement
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
  - Atomic Test #1: Logon Scripts [windows]
- [T1075 Pass the Hash](./T1075/T1075.md)
  - Atomic Test #1: Mimikatz Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
  - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
  - Atomic Test #1: RDP [windows]
  - Atomic Test #2: RDPto-DomainController [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
  - Atomic Test #7: certutil download (urlcache) [windows]
  - Atomic Test #8: certutil download (verifyctl) [windows]
  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1077 Windows Admin Shares](./T1077/T1077.md)
  - Atomic Test #1: Map admin share [windows]
  - Atomic Test #2: Map Admin Share PowerShell [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
  - Atomic Test #2: PowerShell Lateral Movement [windows]
  - Atomic Test #3: WMIC Process Call Create [windows]
  - Atomic Test #4: Psexec [windows]
  - Atomic Test #5: Invoke-Command [windows]

# collection
- [T1123 Audio Capture](./T1123/T1123.md)
  - Atomic Test #1: SourceRecorder via Windows command prompt [windows]
  - Atomic Test #2: PowerShell Cmdlet via Windows command prompt [windows]
- [T1119 Automated Collection](./T1119/T1119.md)
  - Atomic Test #1: Automated Collection Command Prompt [windows]
  - Atomic Test #2: Automated Collection PowerShell [windows]
- [T1115 Clipboard Data](./T1115/T1115.md)
  - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
  - Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
  - Atomic Test #1: Stage data from Discovery.bat [windows]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
  - Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
  - Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](./T1113/T1113.md)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
  - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
  - Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- [T1022 Data Encrypted](./T1022/T1022.md)
  - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
  - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
  - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
  - Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# execution
- [T1191 CMSTP](./T1191/T1191.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1059 Command-Line Interface](./T1059/T1059.md)
- [T1223 Compiled HTML File](./T1223/T1223.md)
  - Atomic Test #1: Compiled HTML Help Local Payload [windows]
  - Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1196 Control Panel Items](./T1196/T1196.md)
  - Atomic Test #1: Control Panel Items [windows]
- [T1173 Dynamic Data Exchange](./T1173/T1173.md)
  - Atomic Test #1: Execute Commands [windows]
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
  - Atomic Test #1: InstallUtil uninstall method call [windows]
  - Atomic Test #2: InstallUtil GetHelp method call [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1170 Mshta](./T1170/T1170.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1086 PowerShell](./T1086/T1086.md)
  - Atomic Test #1: Mimikatz [windows]
  - Atomic Test #2: BloodHound [windows]
  - Atomic Test #3: Obfuscation Tests [windows]
  - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
  - Atomic Test #5: Invoke-AppPathBypass [windows]
  - Atomic Test #6: PowerShell Add User [windows]
  - Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
  - Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
  - Atomic Test #9: Powershell XML requests [windows]
  - Atomic Test #10: Powershell invoke mshta.exe download [windows]
  - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
  - Atomic Test #12: PowerShell Fileless Script Execution [windows]
  - Atomic Test #13: PowerShell Downgrade Attack [windows]
  - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
  - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
  - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
  - Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1085 Rundll32](./T1085/T1085.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- [T1053 Scheduled Task](./T1053/T1053.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: Scheduled task Local [windows]
  - Atomic Test #3: Scheduled task Remote [windows]
- [T1064 Scripting](./T1064/T1064.md)
- [T1035 Service Execution](./T1035/T1035.md)
  - Atomic Test #1: Execute a Command as a Service [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1047 Windows Management Instrumentation](./T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
  - Atomic Test #3: WMI Reconnaissance Software [windows]
  - Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
  - Atomic Test #2: PowerShell Lateral Movement [windows]
  - Atomic Test #3: WMIC Process Call Create [windows]
  - Atomic Test #4: Psexec [windows]
  - Atomic Test #5: Invoke-Command [windows]
- [T1220 XSL Script Processing](./T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
  - Atomic Test #3: WMIC bypass using local XSL file [windows]
  - Atomic Test #4: WMIC bypass using remote XSL file [windows]

# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
  - Atomic Test #7: certutil download (urlcache) [windows]
  - Atomic Test #8: certutil download (verifyctl) [windows]
  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
  - Atomic Test #1: Malicious User Agents [windows]
  - Atomic Test #3: DNS Large Query Volume [windows]
  - Atomic
Test #4: DNS Regular Beaconing [windows] - Atomic Test #5: DNS Long Domain Query [windows] - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1065 Uncommonly Used Port](./T1065/T1065.md) - Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows] - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # initial-access - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1193 Spearphishing Attachment](./T1193/T1193.md) - Atomic Test #1: Download Phishing Attachment - VBScript [windows] - T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)