diff --git a/rta/kernel_module_removal_execution.py b/rta/kernel_module_removal_execution.py
new file mode 100644
index 000000000..a0076f31d
--- /dev/null
+++ b/rta/kernel_module_removal_execution.py
@@ -0,0 +1,46 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from pathlib import Path
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="900e8599-1d5f-4522-9aed-6eab82de2bad",
+    platforms=["linux"],
+    endpoint=[
+        {
+            "rule_name": "Kernel Module Removal",
+            "rule_id": "e80ba5e4-b6c6-4534-87b0-8c0f4e1d97e7",
+        }
+    ],
+    siem=[
+        {
+            "rule_name": "Kernel Module Removal",
+            "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
+        }
+    ],
+    techniques=["T1562", "T1562.001", "T1547", "T1547.006"],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+
+    masquerade = "/tmp/rmmod"
+    source = common.get_path("bin", "linux.ditto_and_spawn")
+    common.copy_file(source, masquerade)
+
+    # Execute command
+    common.log("Launching fake commands to remove Kernel Module")
+    common.execute([masquerade], timeout=10, kill=True)
+
+    # cleanup
+    common.remove_file(masquerade)
+
+
+if __name__ == "__main__":
+    exit(main())
diff --git a/rta/mimipenguin_execution.py b/rta/mimipenguin_execution.py
new file mode 100644
index 000000000..d96859b90
--- /dev/null
+++ b/rta/mimipenguin_execution.py
@@ -0,0 +1,50 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from pathlib import Path
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="e5a98cc9-1f15-4d14-baf2-96bebb932ae9",
+    platforms=["linux"],
+    endpoint=[
+        {
+            "rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
+            "rule_id": "508226f9-4030-4e86-86cd-63321b7164bc",
+        }
+    ],
+    siem=[
+        {
+            "rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
+            "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
+        }
+    ],
+    techniques=["T1212", "T1003", "T1003.007"],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+
+    masquerade = "/tmp/ps"
+    masquerade2 = "/tmp/strings"
+    source = common.get_path("bin", "linux.ditto_and_spawn")
+    common.copy_file(source, masquerade)
+    common.copy_file(source,masquerade2)
+
+    # Execute command
+    common.log("Launching fake commands to dump credential via proc")
+    common.execute([masquerade, "-eo", "pid", "command"], timeout=10, kill=True)
+    common.execute([masquerade2, "/tmp/test"], timeout=10, kill=True)
+
+    # cleanup
+    common.remove_file(masquerade)
+    common.remove_file(masquerade2)
+
+
+if __name__ == "__main__":
+    exit(main())
diff --git a/rta/unshadow_execution.py b/rta/unshadow_execution.py
new file mode 100644
index 000000000..3b5c4f89e
--- /dev/null
+++ b/rta/unshadow_execution.py
@@ -0,0 +1,46 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from pathlib import Path
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+    uuid="c5cecd6d-a7c4-4e3b-970d-6ca5cfc5c662",
+    platforms=["linux"],
+    endpoint=[
+        {
+            "rule_name": "Potential Linux Credential Dumping via Unshadow",
+            "rule_id": "05f95917-6942-4aab-a904-37c6db906503",
+        }
+    ],
+    siem=[
+        {
+            "rule_name": "Potential Linux Credential Dumping via Unshadow",
+            "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
+        }
+    ],
+    techniques=["T1003", "T1003.008"],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+
+    masquerade = "/tmp/unshadow"
+    source = common.get_path("bin", "linux.ditto_and_spawn")
+    common.copy_file(source, masquerade)
+
+    # Execute command
+    common.log("Launching fake commands to dump credential via unshadow")
+    common.execute([masquerade, "/etc/passwd /etc/shadow"], timeout=10, kill=True)
+
+    # cleanup
+    common.remove_file(masquerade)
+
+
+if __name__ == "__main__":
+    exit(main())