atomic-red-team/atomics/windows-index.md

# Windows Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- [T1134 Access Token Manipulation](./T1134/T1134.md)
  - Atomic Test #1: Access Token Manipulation [windows]
- [T1197 BITS Jobs](./T1197/T1197.md)
  - Atomic Test #1: Download & Execute [windows]
  - Atomic Test #2: Download & Execute via PowerShell BITS [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
- [T1088 Bypass User Account Control](./T1088/T1088.md)
  - Atomic Test #1: Bypass UAC using Event Viewer [windows]
  - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
  - Atomic Test #3: Bypass UAC using Fodhelper [windows]
  - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- [T1191 CMSTP](./T1191/T1191.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1223 Compiled HTML File](./T1223/T1223.md)
  - Atomic Test #1: Compiled HTML Help Local Payload [windows]
  - Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
  - Atomic Test #1: Component Object Model Hijacking [windows]
- [T1090 Connection Proxy](./T1090/T1090.md)
- [T1196 Control Panel Items](./T1196/T1196.md)
  - Atomic Test #1: Control Panel Items [windows]
- [T1207 DCShadow](./T1207/T1207.md)
  - Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
  - Atomic Test #8: Unload Sysmon Filter Driver [windows]
  - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
  - Atomic Test #10: Uninstall Sysmon [windows]
  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
  - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
  - Atomic Test #4: Delete a single file - Windows cmd [windows]
  - Atomic Test #5: Delete an entire folder - Windows cmd [windows]
  - Atomic Test #6: Delete a single file - Windows PowerShell [windows]
  - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
  - Atomic Test #8: Delete VSS - vssadmin [windows]
  - Atomic Test #9: Delete VSS - wmic [windows]
  - Atomic Test #10: bcdedit [windows]
  - Atomic Test #11: wbadmin [windows]
  - Atomic Test #13: Delete-PrefetchFile [windows]
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
  - Atomic Test #1: Take ownership using takeown utility [windows]
  - Atomic Test #2: Take ownership recursively using takeown utility [windows]
  - Atomic Test #3: cacls - Grant permission to specified user or group [windows]
  - Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #5: icacls - Grant permission to specified user or group [windows]
  - Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #7: attrib - Remove read-only attribute [windows]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
  - Atomic Test #4: Create Windows System File with Attrib [windows]
  - Atomic Test #5: Create Windows Hidden File with Attrib [windows]
  - Atomic Test #11: Create ADS command prompt [windows]
  - Atomic Test #12: Create ADS PowerShell [windows]
- T1143 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
  - Atomic Test #1: Clear Logs [windows]
  - Atomic Test #2: FSUtil [windows]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- [T1118 InstallUtil](./T1118/T1118.md)
  - Atomic Test #1: InstallUtil uninstall method call [windows]
  - Atomic Test #2: InstallUtil GetHelp method call [windows]
- [T1036 Masquerading](./T1036/T1036.md)
  - Atomic Test #1: Masquerading as Windows LSASS process [windows]
  - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
  - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
  - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- [T1112 Modify Registry](./T1112/T1112.md)
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
  - Atomic Test #3: Modify Registry of Another User Profile [windows]
  - Atomic Test #4: Modify registry to store logon credentials [windows]
- [T1170 Mshta](./T1170/T1170.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
- [T1126 Network Share Connection Removal](./T1126/T1126.md)
  - Atomic Test #1: Add Network Share [windows]
  - Atomic Test #2: Remove Network Share [windows]
  - Atomic Test #3: Remove Network Share PowerShell [windows]
- [T1027 Obfuscated Files or Information](./T1027/T1027.md)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Process Injection via PowerSploit [windows]
  - Atomic Test #4: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
  - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
  - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
  - Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1014 Rootkit](./T1014/T1014.md)
  - Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- [T1085 Rundll32](./T1085/T1085.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1064 Scripting](./T1064/T1064.md)
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1099 Timestomp](./T1099/T1099.md)
  - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
  - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
  - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1220 XSL Script Processing](./T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
  - Atomic Test #3: WMIC bypass using local XSL file [windows]
  - Atomic Test #4: WMIC bypass using remote XSL file [windows]

# privilege-escalation
- [T1134 Access Token Manipulation](./T1134/T1134.md)
  - Atomic Test #1: Access Token Manipulation [windows]
- [T1015 Accessibility Features](./T1015/T1015.md)
  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
  - Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
  - Atomic Test #1: Application Shim Installation [windows]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
  - Atomic Test #1: Bypass UAC using Event Viewer [windows]
  - Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
  - Atomic Test #3: Bypass UAC using Fodhelper [windows]
  - Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
- [T1050 New Service](./T1050/T1050.md)
  - Atomic Test #1: Service Installation [windows]
  - Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
  - Atomic Test #1: Process Injection via mavinject.exe [windows]
  - Atomic Test #2: Process Injection via PowerSploit [windows]
  - Atomic Test #4: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: Scheduled task Local [windows]
  - Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
  - Atomic Test #1: Web Shell Written to Disk [windows]

# persistence
- [T1015 Accessibility Features](./T1015/T1015.md)
  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- [T1098 Account Manipulation](./T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
  - Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
  - Atomic Test #1: Application Shim Installation [windows]
- T1131 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](./T1197/T1197.md)
  - Atomic Test #1: Download & Execute [windows]
  - Atomic Test #2: Download & Execute via PowerShell BITS [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](./T1176/T1176.md)
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
- [T1042 Change Default File Association](./T1042/T1042.md)
  - Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
  - Atomic Test #1: Component Object Model Hijacking [windows]
- [T1136 Create Account](./T1136/T1136.md)
  - Atomic Test #3: Create a new user in a command prompt [windows]
  - Atomic Test #4: Create a new user in PowerShell [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
  - Atomic Test #4: Create Windows System File with Attrib [windows]
  - Atomic Test #5: Create Windows Hidden File with Attrib [windows]
  - Atomic Test #11: Create ADS command prompt [windows]
  - Atomic Test #12: Create ADS PowerShell [windows]
- [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1062 Hypervisor](./T1062/T1062.md)
  - Atomic Test #1: Installing Hyper-V Feature [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
  - Atomic Test #1: Logon Scripts [windows]
- [T1031 Modify Existing Service](./T1031/T1031.md)
  - Atomic Test #1: Modify Fax service to run PowerShell [windows]
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
  - Atomic Test #1: Netsh Helper DLL Registration [windows]
- [T1050 New Service](./T1050/T1050.md)
  - Atomic Test #1: Service Installation [windows]
  - Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows]
- [T1137 Office Application Startup](./T1137/T1137.md)
  - Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1060 Registry Run Keys / Startup Folder](./T1060/T1060.md)
  - Atomic Test #1: Reg Key Run [windows]
  - Atomic Test #2: Reg Key RunOnce [windows]
  - Atomic Test #3: PowerShell Registry RunOnce [windows]
  - Atomic Test #4: Startup Folder [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: Scheduled task Local [windows]
  - Atomic Test #3: Scheduled task Remote [windows]
- [T1180 Screensaver](./T1180/T1180.md)
  - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
  - Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
  - Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
  - Atomic Test #1: Persistence [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]

# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
  - Atomic Test #1: Change User Password - Windows [windows]
  - Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
  - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
  - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
  - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
  - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](./T1490/T1490.md)
  - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
  - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
  - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
  - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
  - Atomic Test #1: Windows - Stop service using Service Controller [windows]
  - Atomic Test #2: Windows - Stop service using net.exe [windows]
  - Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](./T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
  - Atomic Test #2: Restart System - Windows [windows]
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
  - Atomic Test #8: Enumerate all accounts [windows]
  - Atomic Test #9: Enumerate all accounts via PowerShell [windows]
  - Atomic Test #10: Enumerate logged on users [windows]
  - Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1010 Application Window Discovery](./T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- [T1482 Domain Trust Discovery](./T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- [T1083 File and Directory Discovery](./T1083/T1083.md)
  - Atomic Test #1: File and Directory Discovery [windows]
  - Atomic Test #2: File and Directory Discovery [windows]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- [T1135 Network Share Discovery](./T1135/T1135.md)
  - Atomic Test #2: Network Share Discovery command prompt [windows]
  - Atomic Test #3: Network Share Discovery PowerShell [windows]
- [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Packet Capture PowerShell [windows]
- [T1201 Password Policy Discovery](./T1201/T1201.md)
  - Atomic Test #5: Examine local password policy - Windows [windows]
  - Atomic Test #6: Examine domain password policy - Windows [windows]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1069 Permission Groups Discovery](./T1069/T1069.md)
  - Atomic Test #1: Elevated group enumeration using net group [windows]
- [T1057 Process Discovery](./T1057/T1057.md)
- [T1012 Query Registry](./T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](./T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
  - Atomic Test #2: Remote System Discovery - ping sweep [windows]
  - Atomic Test #3: Remote System Discovery - arp [windows]
  - Atomic Test #6: Remote System Discovery - nslookup [windows]
- [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
  - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- [T1033 System Owner/User Discovery](./T1033/T1033.md)
  - Atomic Test #1: System Owner/User Discovery [windows]
- [T1007 System Service Discovery](./T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](./T1124/T1124.md)
  - Atomic Test #1: System Time Discovery [windows]
  - Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
- [T1110 Brute Force](./T1110/T1110.md)
  - Atomic Test #1: Brute Force Credentials [windows]
- [T1003 Credential Dumping](./T1003/T1003.md)
  - Atomic Test #1: Powershell Mimikatz [windows]
  - Atomic Test #2: Gsecdump [windows]
  - Atomic Test #3: Windows Credential Editor [windows]
  - Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
  - Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
  - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
  - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
  - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
  - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
  - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
  - Atomic Test #11: GPP Passwords (findstr) [windows]
  - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
  - Atomic Test #3: Runs Mimikatz & Mimikittenz by name [windows]
  - Atomic Test #4: Extracting passwords with findstr [windows]
  - Atomic Test #5: Access "unattend.xml" [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1056 Input Capture](./T1056/T1056.md)
  - Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Packet Capture PowerShell [windows]
- [T1174 Password Filter DLL](./T1174/T1174.md)
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1145 Private Keys](./T1145/T1145.md)
  - Atomic Test #1: Private Keys [windows]
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# lateral-movement
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
  - Atomic Test #1: Logon Scripts [windows]
- [T1075 Pass the Hash](./T1075/T1075.md)
  - Atomic Test #1: Mimikatz Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
  - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
  - Atomic Test #1: RDP [windows]
  - Atomic Test #2: RDPto-DomainController [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
  - Atomic Test #7: certutil download (urlcache) [windows]
  - Atomic Test #8: certutil download (verifyctl) [windows]
  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1077 Windows Admin Shares](./T1077/T1077.md)
  - Atomic Test #1: Map admin share [windows]
  - Atomic Test #2: Map Admin Share PowerShell [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
  - Atomic Test #2: PowerShell Lateral Movement [windows]
  - Atomic Test #3: WMIC Process Call Create [windows]
  - Atomic Test #4: Psexec [windows]
  - Atomic Test #5: Invoke-Command [windows]

# collection
- [T1123 Audio Capture](./T1123/T1123.md)
  - Atomic Test #1: SourceRecorder via Windows command prompt [windows]
  - Atomic Test #2: PowerShell Cmdlet via Windows command prompt [windows]
- [T1119 Automated Collection](./T1119/T1119.md)
  - Atomic Test #1: Automated Collection Command Prompt [windows]
  - Atomic Test #2: Automated Collection PowerShell [windows]
- [T1115 Clipboard Data](./T1115/T1115.md)
  - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
  - Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
  - Atomic Test #1: Stage data from Discovery.bat [windows]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
  - Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
  - Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](./T1113/T1113.md)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
  - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
  - Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- [T1022 Data Encrypted](./T1022/T1022.md)
  - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
  - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
  - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
  - Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# execution
- [T1191 CMSTP](./T1191/T1191.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1059 Command-Line Interface](./T1059/T1059.md)
- [T1223 Compiled HTML File](./T1223/T1223.md)
  - Atomic Test #1: Compiled HTML Help Local Payload [windows]
  - Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1196 Control Panel Items](./T1196/T1196.md)
  - Atomic Test #1: Control Panel Items [windows]
- [T1173 Dynamic Data Exchange](./T1173/T1173.md)
  - Atomic Test #1: Execute Commands [windows]
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
  - Atomic Test #1: InstallUtil uninstall method call [windows]
  - Atomic Test #2: InstallUtil GetHelp method call [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1170 Mshta](./T1170/T1170.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1086 PowerShell](./T1086/T1086.md)
  - Atomic Test #1: Mimikatz [windows]
  - Atomic Test #2: BloodHound [windows]
  - Atomic Test #3: Obfuscation Tests [windows]
  - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
  - Atomic Test #5: Invoke-AppPathBypass [windows]
  - Atomic Test #6: PowerShell Add User [windows]
  - Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
  - Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
  - Atomic Test #9: Powershell XML requests [windows]
  - Atomic Test #10: Powershell invoke mshta.exe download [windows]
  - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
  - Atomic Test #12: PowerShell Fileless Script Execution [windows]
  - Atomic Test #13: PowerShell Downgrade Attack [windows]
  - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
  - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
  - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
  - Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1085 Rundll32](./T1085/T1085.md)
  - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- [T1053 Scheduled Task](./T1053/T1053.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: Scheduled task Local [windows]
  - Atomic Test #3: Scheduled task Remote [windows]
- [T1064 Scripting](./T1064/T1064.md)
- [T1035 Service Execution](./T1035/T1035.md)
  - Atomic Test #1: Execute a Command as a Service [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1047 Windows Management Instrumentation](./T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
  - Atomic Test #3: WMI Reconnaissance Software [windows]
  - Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
  - Atomic Test #2: PowerShell Lateral Movement [windows]
  - Atomic Test #3: WMIC Process Call Create [windows]
  - Atomic Test #4: Psexec [windows]
  - Atomic Test #5: Invoke-Command [windows]
- [T1220 XSL Script Processing](./T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
  - Atomic Test #3: WMIC bypass using local XSL file [windows]
  - Atomic Test #4: WMIC bypass using remote XSL file [windows]

# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
  - Atomic Test #7: certutil download (urlcache) [windows]
  - Atomic Test #8: certutil download (verifyctl) [windows]
  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
  - Atomic Test #1: Malicious User Agents [windows]
  - Atomic Test #3: DNS Large Query Volume [windows]
  - Atomic Test #4: DNS Regular Beaconing [windows]
  - Atomic Test #5: DNS Long Domain Query [windows]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
  - Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
  - Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)