All Atomic Tests by ATT&CK Tactic & Technique
defense-evasion
T1055.011 Process Injection: Extra Window Memory Injection
Atomic Test #1: Process Injection via Extra Window Memory (EWM) x64 executable [windows]
T1205.002 Socket Filters
T1027.011 Fileless Storage
T1218.011 Signed Binary Proxy Execution: Rundll32
Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
Atomic Test #2: Rundll32 execute VBscript command [windows]
Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
Atomic Test #4: Rundll32 advpack.dll Execution [windows]
Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
Atomic Test #11: Rundll32 with Ordinal Value [windows]
Atomic Test #12: Rundll32 with Control_RunDLL [windows]
Atomic Test #13: Rundll32 with desk.cpl [windows]
Atomic Test #14: Running DLL with .init extension and function [windows]
Atomic Test #15: Rundll32 execute command via FileProtocolHandler [windows]
Atomic Test #16: Rundll32 execute payload by calling RouteTheCall [windows]
T1027.009 Embedded Payloads
T1556.003 Modify Authentication Process: Pluggable Authentication Modules
Atomic Test #1: Malicious PAM rule [linux]
Atomic Test #2: Malicious PAM rule (freebsd) [linux]
Atomic Test #3: Malicious PAM module [linux]
T1578.004 Revert Cloud Instance
T1564.012 File/Path Exclusions
T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification
Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
Atomic Test #10: chflags - Remove immutable file attribute [linux]
Atomic Test #11: Chmod through c script [macos, linux]
Atomic Test #12: Chmod through c script (freebsd) [linux]
Atomic Test #13: Chown through c script [macos, linux]
Atomic Test #14: Chown through c script (freebsd) [linux]
T1216.001 Signed Script Proxy Execution: Pubprn
Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
T1574.007 Path Interception by PATH Environment Variable
T1006 Direct Volume Access
Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
T1564.008 Hide Artifacts: Email Hiding Rules
Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [azure-ad]
T1027.013 Encrypted/Encoded File
T1014 Rootkit
Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
T1036.007 Double File Extension
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
Atomic Test #3: Bypass UAC using Fodhelper [windows]
Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
Atomic Test #8: Disable UAC using reg.exe [windows]
Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
Atomic Test #10: UACME Bypass Method 23 [windows]
Atomic Test #11: UACME Bypass Method 31 [windows]
Atomic Test #12: UACME Bypass Method 33 [windows]
Atomic Test #13: UACME Bypass Method 34 [windows]
Atomic Test #14: UACME Bypass Method 39 [windows]
Atomic Test #15: UACME Bypass Method 56 [windows]
Atomic Test #16: UACME Bypass Method 59 [windows]
Atomic Test #17: UACME Bypass Method 61 [windows]
Atomic Test #18: WinPwn - UAC Magic [windows]
Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
Atomic Test #25: Disable UAC notification via registry keys [windows]
Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
Atomic Test #27: UAC bypassed by Utilizing ProgIDs registry. [windows]
T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Atomic Test #1: Sudo usage [macos, linux]
Atomic Test #2: Sudo usage (freebsd) [linux]
Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
T1578 Modify Cloud Compute Infrastructure
T1542.001 Pre-OS Boot: System Firmware
Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Atomic Test #1: Service Registry Permissions Weakness [windows]
Atomic Test #2: Service ImagePath Change with reg.exe [windows]
T1542.003 Bootkit
T1218.013 Mavinject
T1036.005 Masquerading: Match Legitimate Name or Location
Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
Atomic Test #2: Masquerade as a built-in system executable [windows]
T1600 Weaken Encryption
T1036.008 Masquerade File Type
T1564 Hide Artifacts
Atomic Test #1: Extract binary files via VBA [windows]
Atomic Test #2: Create a Hidden User Called “$” [windows]
Atomic Test #3: Create an “Administrator “ user (with a space on the end) [windows]
Atomic Test #4: Create and Hide a Service with sc.exe [windows]
Atomic Test #5: Command Execution with NirCmd [windows]
T1484.002 Domain Trust Modification
Atomic Test #1: Add Federation to Azure AD [azure-ad]
T1562.009 Impair Defenses: Safe Boot Mode
Atomic Test #1: Safe Mode Boot [windows]
T1542.005 TFTP Boot
T1497.001 Virtualization/Sandbox Evasion: System Checks
Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs
Atomic Test #1: rm -rf [macos, linux]
Atomic Test #2: rm -rf [linux]
Atomic Test #3: Delete log files using built-in log utility [macos]
Atomic Test #4: Truncate system log files via truncate utility [macos]
Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux]
Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux]
Atomic Test #8: System log file deletion via find utility [macos]
Atomic Test #9: Overwrite macOS system log via echo utility [macos]
Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux]
Atomic Test #11: Real-time system log clearance/deletion [macos]
Atomic Test #12: Delete system log files via unlink utility [macos]
Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux]
Atomic Test #14: Delete system log files using shred utility [macos]
Atomic Test #15: Delete system log files using srm utility [macos]
Atomic Test #16: Delete system log files using OSAScript [macos]
Atomic Test #17: Delete system log files using Applescript [macos]
Atomic Test #18: Delete system journal logs via rm and journalctl utilities [linux]
Atomic Test #19: Overwrite Linux Mail Spool [linux]
Atomic Test #20: Overwrite Linux Log [linux]
T1218.004 Signed Binary Proxy Execution: InstallUtil
Atomic Test #1: CheckIfInstallable method call [windows]
Atomic Test #2: InstallHelper method call [windows]
Atomic Test #3: InstallUtil class constructor method call [windows]
Atomic Test #4: InstallUtil Install method call [windows]
Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows]
Atomic Test #7: InstallUtil HelpText method call [windows]
Atomic Test #8: InstallUtil evasive invocation [windows]
T1027.008 Stripped Payloads
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
T1553.001 Subvert Trust Controls: Gatekeeper Bypass
Atomic Test #1: Gatekeeper Bypass [macos]
T1553.002 Code Signing
T1036.009 Break Process Trees
T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Atomic Test #1: Take ownership using takeown utility [windows]
Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
Atomic Test #3: attrib - Remove read-only attribute [windows]
Atomic Test #4: attrib - hide file [windows]
Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
T1574.014 AppDomainManager
T1218.007 Signed Binary Proxy Execution: Msiexec
Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
T1556.002 Modify Authentication Process: Password Filter DLL
Atomic Test #1: Install and Register Password Filter DLL [windows]
Atomic Test #2: Install Additional Authentication Packages [windows]
T1070.007 Clear Network Connection History and Configurations
T1600.001 Reduce Key Space
T1070.003 Indicator Removal on Host: Clear Command History
Atomic Test #1: Clear Bash history (rm) [linux, macos]
Atomic Test #2: Clear Bash history (echo) [linux]
Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
Atomic Test #5: Clear Bash history (truncate) [linux]
Atomic Test #6: Clear history of a bunch of shells [linux, macos]
Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
Atomic Test #10: Clear Docker Container Logs [linux]
Atomic Test #11: Prevent Powershell History Logging [windows]
Atomic Test #12: Clear Powershell History by Deleting History File [windows]
Atomic Test #13: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
T1202 Indirect Command Execution
Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
Atomic Test #4: Indirect Command Execution - Scriptrunner.exe [windows]
T1140 Deobfuscate/Decode Files or Information
Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
Atomic Test #2: Certutil Rename and Decode [windows]
Atomic Test #3: Base64 decoding with Python [linux, macos]
Atomic Test #4: Base64 decoding with Perl [linux, macos]
Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux]
Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]
Atomic Test #8: Hex decoding with shell utilities [linux, macos]
Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
T1562 Impair Defenses
Atomic Test #1: Windows Disable LSA Protection [windows]
Atomic Test #2: Disable journal logging via systemctl utility [linux]
Atomic Test #3: Disable journal logging via sed utility [linux]
T1055.003 Thread Execution Hijacking
Atomic Test #1: Thread Execution Hijacking [windows]
T1036 Masquerading
Atomic Test #1: System File Copied to Unusual Location [windows]
Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
T1070.008 Email Collection: Mailbox Manipulation
Atomic Test #1: Copy and Delete Mailbox Data on Windows [windows]
Atomic Test #2: Copy and Delete Mailbox Data on Linux [linux]
Atomic Test #3: Copy and Delete Mailbox Data on macOS [macos]
Atomic Test #4: Copy and Modify Mailbox Data on Windows [windows]
Atomic Test #5: Copy and Modify Mailbox Data on Linux [linux]
Atomic Test #6: Copy and Modify Mailbox Data on macOS [macos]
T1055 Process Injection
Atomic Test #1: Shellcode execution via VBA [windows]
Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
Atomic Test #3: Section View Injection [windows]
Atomic Test #4: Dirty Vanity process Injection [windows]
Atomic Test #5: Read-Write-Execute process Injection [windows]
Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
Atomic Test #13: UUID custom process Injection [windows]
T1205 Traffic Signaling
T1218 Signed Binary Proxy Execution
Atomic Test #1: mavinject - Inject DLL into running process [windows]
Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
Atomic Test #8: DiskShadow Command Execution [windows]
Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
Atomic Test #10: Lolbin Gpscript logon option [windows]
Atomic Test #11: Lolbin Gpscript startup option [windows]
Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
Atomic Test #15: LOLBAS Msedge to Spawn Process [windows]
Atomic Test #16: System Binary Proxy Execution - Wlrmdr Lolbin [windows]
T1070.006 Indicator Removal on Host: Timestomp
Atomic Test #1: Set a file’s access timestamp [linux, macos]
Atomic Test #2: Set a file’s modification timestamp [linux, macos]
Atomic Test #3: Set a file’s creation timestamp [linux, macos]
Atomic Test #4: Modify file timestamps using reference file [linux, macos]
Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
Atomic Test #8: Windows - Timestomp a File [windows]
Atomic Test #9: MacOS - Timestomp Date Modified [macos]
Atomic Test #10: Event Log Manipulations- Time slipping via Powershell [windows]
T1620 Reflective Code Loading
Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
T1564.011 Ignore Process Interrupts
T1497.003 Time Based Evasion
Atomic Test #1: Delay execution with ping [linux, macos]
T1218.003 Signed Binary Proxy Execution: CMSTP
Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
Atomic Test #2: CMSTP Executing UAC Bypass [windows]
T1562.002 Impair Defenses: Disable Windows Event Logging
Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell [windows]
Atomic Test #3: Kill Event Log Service Threads [windows]
Atomic Test #4: Impair Windows Audit Log Policy [windows]
Atomic Test #5: Clear Windows Audit Policy Config [windows]
Atomic Test #6: Disable Event Logging with wevtutil [windows]
Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
T1218.002 Signed Binary Proxy Execution: Control Panel
Atomic Test #1: Control Panel Items [windows]
T1599.001 Network Address Translation Traversal
T1550 Use Alternate Authentication Material
T1562.004 Impair Defenses: Disable or Modify System Firewall
Atomic Test #1: Disable Microsoft Defender Firewall [windows]
Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
Atomic Test #7: Stop/Start UFW firewall [linux]
Atomic Test #8: Stop/Start Packet Filter [linux]
Atomic Test #9: Stop/Start UFW firewall systemctl [linux]
Atomic Test #10: Turn off UFW logging [linux]
Atomic Test #11: Add and delete UFW firewall rules [linux]
Atomic Test #12: Add and delete Packet Filter rules [linux]
Atomic Test #13: Edit UFW firewall user.rules file [linux]
Atomic Test #14: Edit UFW firewall ufw.conf file [linux]
Atomic Test #15: Edit UFW firewall sysctl.conf file [linux]
Atomic Test #16: Edit UFW firewall main configuration file [linux]
Atomic Test #17: Tail the UFW firewall log file [linux]
Atomic Test #18: Disable iptables [linux]
Atomic Test #19: Modify/delete iptables firewall rules [linux]
Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
Atomic Test #24: Set a firewall rule using New-NetFirewallRule [windows]
T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking
Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
T1556.007 Hybrid Identity
T1218.015 Electron Applications
T1562.012 Impair Defenses: Disable or Modify Linux Audit System
Atomic Test #1: Delete all auditd rules using auditctl [linux]
Atomic Test #2: Disable auditd using auditctl [linux]
T1207 Rogue Domain Controller
Atomic Test #1: DCShadow (Active Directory) [windows]
T1553.006 Subvert Trust Controls: Code Signing Policy Modification
Atomic Test #1: Code Signing Policy Modification [windows]
T1610 Deploy a container
Atomic Test #1: Deploy Docker container [containers]
T1112 Modify Registry
Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
Atomic Test #3: Modify registry to store logon credentials [windows]
Atomic Test #4: Use Powershell to Modify registry to store logon credentials [windows]
Atomic Test #5: Add domain to Trusted sites Zone [windows]
Atomic Test #6: Javascript in registry [windows]
Atomic Test #7: Change Powershell Execution Policy to Bypass [windows]
Atomic Test #8: BlackByte Ransomware Registry Changes - CMD [windows]
Atomic Test #9: BlackByte Ransomware Registry Changes - Powershell [windows]
Atomic Test #10: Disable Windows Registry Tool [windows]
Atomic Test #11: Disable Windows CMD application [windows]
Atomic Test #12: Disable Windows Task Manager application [windows]
Atomic Test #13: Disable Windows Notification Center [windows]
Atomic Test #14: Disable Windows Shutdown Button [windows]
Atomic Test #15: Disable Windows LogOff Button [windows]
Atomic Test #16: Disable Windows Change Password Feature [windows]
Atomic Test #17: Disable Windows Lock Workstation Feature [windows]
Atomic Test #18: Activate Windows NoDesktop Group Policy Feature [windows]
Atomic Test #19: Activate Windows NoRun Group Policy Feature [windows]
Atomic Test #20: Activate Windows NoFind Group Policy Feature [windows]
Atomic Test #21: Activate Windows NoControlPanel Group Policy Feature [windows]
Atomic Test #22: Activate Windows NoFileMenu Group Policy Feature [windows]
Atomic Test #23: Activate Windows NoClose Group Policy Feature [windows]
Atomic Test #24: Activate Windows NoSetTaskbar Group Policy Feature [windows]
Atomic Test #25: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
Atomic Test #26: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
Atomic Test #27: Hide Windows Clock Group Policy Feature [windows]
Atomic Test #28: Windows HideSCAHealth Group Policy Feature [windows]
Atomic Test #29: Windows HideSCANetwork Group Policy Feature [windows]
Atomic Test #30: Windows HideSCAPower Group Policy Feature [windows]
Atomic Test #31: Windows HideSCAVolume Group Policy Feature [windows]
Atomic Test #32: Windows Modify Show Compress Color And Info Tip Registry [windows]
Atomic Test #33: Windows Powershell Logging Disabled [windows]
Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
Atomic Test #35: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
Atomic Test #36: Disable Windows Toast Notifications [windows]
Atomic Test #37: Disable Windows Security Center Notifications [windows]
Atomic Test #38: Suppress Win Defender Notifications [windows]
Atomic Test #39: Allow RDP Remote Assistance Feature [windows]
Atomic Test #40: NetWire RAT Registry Key Creation [windows]
Atomic Test #41: Ursnif Malware Registry Key Creation [windows]
Atomic Test #42: Terminal Server Client Connection History Cleared [windows]
Atomic Test #43: Disable Windows Error Reporting Settings [windows]
Atomic Test #44: DisallowRun Execution Of Certain Applications [windows]
Atomic Test #45: Enabling Restricted Admin Mode via Command_Prompt [windows]
Atomic Test #46: Mimic Ransomware - Enable Multiple User Sessions [windows]
Atomic Test #47: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
Atomic Test #48: Event Viewer Registry Modification - Redirection URL [windows]
Atomic Test #49: Event Viewer Registry Modification - Redirection Program [windows]
Atomic Test #50: Enabling Remote Desktop Protocol via Remote Registry [windows]
Atomic Test #51: Disable Win Defender Notification [windows]
Atomic Test #52: Disable Windows OS Auto Update [windows]
Atomic Test #53: Disable Windows Auto Reboot for current logon user [windows]
Atomic Test #54: Windows Auto Update Option to Notify before download [windows]
Atomic Test #55: Do Not Connect To Win Update [windows]
Atomic Test #56: Tamper Win Defender Protection [windows]
Atomic Test #57: Snake Malware Registry Blob [windows]
Atomic Test #58: Allow Simultaneous Download Registry [windows]
Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
Atomic Test #60: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
Atomic Test #61: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
Atomic Test #62: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
Atomic Test #63: Scarab Ransomware Defense Evasion Activities [windows]
Atomic Test #64: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
Atomic Test #65: Disable Remote Desktop Security Settings Through Registry [windows]
Atomic Test #66: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
Atomic Test #67: Enable Proxy Settings [windows]
Atomic Test #68: Set-Up Proxy Server [windows]
Atomic Test #69: RDP Authentication Level Override [windows]
Atomic Test #70: Enable RDP via Registry (fDenyTSConnections) [windows]
Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
Atomic Test #72: Setting Shadow key in Registry for RDP Shadowing [windows]
Atomic Test #73: Flush Shimcache [windows]
Atomic Test #74: Disable Windows Remote Desktop Protocol [windows]
Atomic Test #75: Enforce Smart Card Authentication Through Registry [windows]
Atomic Test #76: Requires the BitLocker PIN for Pre-boot authentication [windows]
Atomic Test #77: Modify EnableBDEWithNoTPM Registry entry [windows]
Atomic Test #78: Modify UseTPM Registry entry [windows]
Atomic Test #79: Modify UseTPMPIN Registry entry [windows]
Atomic Test #80: Modify UseTPMKey Registry entry [windows]
Atomic Test #81: Modify UseTPMKeyPIN Registry entry [windows]
Atomic Test #82: Modify EnableNonTPM Registry entry [windows]
Atomic Test #83: Modify UsePartialEncryptionKey Registry entry [windows]
Atomic Test #84: Modify UsePIN Registry entry [windows]
Atomic Test #85: Abusing Windows TelemetryController Registry Key for Persistence [windows]
Atomic Test #86: Modify RDP-Tcp Initial Program Registry Entry [windows]
Atomic Test #87: Abusing MyComputer Disk Cleanup Path for Persistence [windows]
Atomic Test #88: Abusing MyComputer Disk Fragmentation Path for Persistence [windows]
Atomic Test #89: Abusing MyComputer Disk Backup Path for Persistence [windows]
Atomic Test #90: Adding custom paths for application execution [windows]
T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking
Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
T1535 Unused/Unsupported Cloud Regions
T1027.001 Obfuscated Files or Information: Binary Padding
Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
T1484.001 Domain Policy Modification: Group Policy Modification
Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
T1078.001 Valid Accounts: Default Accounts
Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
Atomic Test #2: Activate Guest Account [windows]
Atomic Test #3: Enable Guest Account on macOS [macos]
T1574.006 Hijack Execution Flow: LD_PRELOAD
Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
T1070.001 Indicator Removal on Host: Clear Windows Event Logs
Atomic Test #1: Clear Logs [windows]
Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
Atomic Test #3: Clear Event Logs via VBA [windows]
T1222 File and Directory Permissions Modification
Atomic Test #1: Enable Local and Remote Symbolic Links via fsutil [windows]
T1548 Abuse Elevation Control Mechanism
T1134.002 Create Process with Token
Atomic Test #1: Access Token Manipulation [windows]
Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
Atomic Test #1: Make and modify binary from C source [macos, linux]
Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
Atomic Test #3: Set a SetUID flag on file [macos, linux]
Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
Atomic Test #5: Set a SetGID flag on file [macos, linux]
Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
Atomic Test #7: Make and modify capabilities of a binary [linux]
Atomic Test #8: Provide the SetUID capability to a file [linux]
Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
T1218.008 Signed Binary Proxy Execution: Odbcconf
Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
Atomic Test #2: Odbcconf.exe - Load Response File [windows]
T1548.005 Temporary Elevated Cloud Access
T1055.013 Process Doppelgänging
T1578.003 Delete Cloud Instance
T1574.005 Executable Installer File Permissions Weakness
T1562.006 Impair Defenses: Indicator Blocking
Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
Atomic Test #3: Logging Configuration Changes on Linux Host [linux]
Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux]
Atomic Test #5: Disable Powershell ETW Provider - Windows [windows]
Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
T1562.007 Disable or Modify Cloud Firewall
T1036.002 Right-to-Left Override
T1542.002 Component Firmware
T1070 Indicator Removal on Host
Atomic Test #1: Indicator Removal using FSUtil [windows]
Atomic Test #2: Indicator Manipulation using FSUtil [windows]
T1550.003 Use Alternate Authentication Material: Pass the Ticket
Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
T1036.004 Masquerading: Masquerade Task or Service
Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
Atomic Test #2: Creating W32Time similar named service using sc [windows]
Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
Atomic Test #4: Hiding a malicious process with bind mounts [linux]
T1055.004 Process Injection: Asynchronous Procedure Call
Atomic Test #1: Process Injection via C# [windows]
Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
T1647 Plist File Modification
Atomic Test #1: Plist Modification [macos]
T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass
Atomic Test #1: Mount ISO image [windows]
Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
Atomic Test #4: Execute LNK file from ISO [windows]
T1600.002 Disable Crypto Hardware CONTRIBUTE A TEST
T1542 Pre-OS Boot CONTRIBUTE A TEST
T1612 Build Image on Host
Atomic Test #1: Build Image On Host [containers]
T1055.002 Process Injection: Portable Executable Injection
Atomic Test #1: Portable Executable Injection [windows]
T1218.012 Verclsid CONTRIBUTE A TEST
T1562.010 Impair Defenses: Downgrade Attack
Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI [windows]
Atomic Test #3: PowerShell Version 2 Downgrade [windows]
T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
T1218.005 Signed Binary Proxy Execution: Mshta
Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
Atomic Test #10: Mshta used to Execute PowerShell [windows]
T1480 Execution Guardrails CONTRIBUTE A TEST
T1134.001 Access Token Manipulation: Token Impersonation/Theft
Atomic Test #1: Named pipe client impersonation [windows]
Atomic Test #2: token duplication [windows]
Atomic Test #3: Launch NSudo Executable [windows]
Atomic Test #4: Bad Potato [windows]
Atomic Test #5: Juicy Potato [windows]
T1205.001 Port Knocking CONTRIBUTE A TEST
T1027.012 LNK Icon Smuggling CONTRIBUTE A TEST
T1564.002 Hide Artifacts: Hidden Users
Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
Atomic Test #2: Create Hidden User using IsHidden option [macos]
Atomic Test #3: Create Hidden User in Registry [windows]
T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
T1562.003 Impair Defenses: Impair Command History Logging
Atomic Test #1: Disable history collection [linux, macos]
Atomic Test #2: Disable history collection (freebsd) [linux]
Atomic Test #3: Mac HISTCONTROL [macos, linux]
Atomic Test #4: Clear bash history [linux]
Atomic Test #5: Setting the HISTCONTROL environment variable [linux]
Atomic Test #6: Setting the HISTFILESIZE environment variable [linux]
Atomic Test #7: Setting the HISTSIZE environment variable [linux]
Atomic Test #8: Setting the HISTFILE environment variable [linux]
Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
T1556.008 Network Provider DLL CONTRIBUTE A TEST
T1497.002 User Activity Based Checks CONTRIBUTE A TEST
T1134.004 Access Token Manipulation: Parent PID Spoofing
Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
T1055.014 VDSO Hijacking CONTRIBUTE A TEST
T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
T1574.013 KernelCallbackTable CONTRIBUTE A TEST
T1542.004 ROMMONkit CONTRIBUTE A TEST
T1218.001 Signed Binary Proxy Execution: Compiled HTML File
Atomic Test #1: Compiled HTML Help Local Payload [windows]
Atomic Test #2: Compiled HTML Help Remote Payload [windows]
Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
Atomic Test #5: Invoke CHM Simulate Double click [windows]
Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
Atomic Test #8: Decompile Local CHM File [windows]
T1070.005 Indicator Removal on Host: Network Share Connection Removal
Atomic Test #1: Add Network Share [windows]
Atomic Test #2: Remove Network Share [windows]
Atomic Test #3: Remove Network Share PowerShell [windows]
Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
Atomic Test #5: Remove Administrative Shares [windows]
T1562.001 Impair Defenses: Disable or Modify Tools
Atomic Test #1: Disable syslog [linux]
Atomic Test #2: Disable syslog (freebsd) [linux]
Atomic Test #3: Disable Cb Response [linux]
Atomic Test #4: Disable SELinux [linux]
Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
Atomic Test #6: Disable Carbon Black Response [macos]
Atomic Test #7: Disable LittleSnitch [macos]
Atomic Test #8: Disable OpenDNS Umbrella [macos]
Atomic Test #9: Disable macOS Gatekeeper [macos]
Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS [macos]
Atomic Test #11: Unload Sysmon Filter Driver [windows]
Atomic Test #12: Uninstall Sysmon [windows]
Atomic Test #13: AMSI Bypass - AMSI InitFailed [windows]
Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
Atomic Test #15: Disable Arbitrary Security Windows Service [windows]
Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
Atomic Test #18: Tamper with Windows Defender Registry [windows]
Atomic Test #19: Disable Microsoft Office Security Features [windows]
Atomic Test #20: Remove Windows Defender Definition Files [windows]
Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows]
Atomic Test #22: Uninstall Crowdstrike Falcon on Windows [windows]
Atomic Test #23: Tamper with Windows Defender Evade Scanning -Folder [windows]
Atomic Test #24: Tamper with Windows Defender Evade Scanning -Extension [windows]
Atomic Test #25: Tamper with Windows Defender Evade Scanning -Process [windows]
Atomic Test #26: office-365-Disable-AntiPhishRule [office-365]
Atomic Test #27: Disable Windows Defender with DISM [windows]
Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
Atomic Test #38: Delete Windows Defender Scheduled Tasks [windows]
Atomic Test #39: Clear History [linux]
Atomic Test #40: Suspend History [linux]
Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
Atomic Test #42: Clear Paging Cache [linux]
Atomic Test #43: Disable Memory Swap [linux]
Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
Atomic Test #45: AMSI Bypass - Override AMSI via COM [windows]
Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe [windows]
Atomic Test #49: Tamper with Windows Defender Registry - Powershell [windows]
Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune [windows]
Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO [windows]
Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key [windows]
T1601 Modify System Image CONTRIBUTE A TEST
T1574 Hijack Execution Flow CONTRIBUTE A TEST
T1027.005 Indicator Removal from Tools CONTRIBUTE A TEST
T1078 Valid Accounts CONTRIBUTE A TEST
T1055.012 Process Injection: Process Hollowing
Atomic Test #1: Process Hollowing using PowerShell [windows]
Atomic Test #2: RunPE via VBA [windows]
Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
T1564.009 Resource Forking CONTRIBUTE A TEST
T1027 Obfuscated Files or Information
Atomic Test #1: Decode base64 Data into Script [macos, linux]
Atomic Test #2: Execute base64-encoded PowerShell [windows]
Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
Atomic Test #4: Execution from Compressed File [windows]
Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
Atomic Test #7: Obfuscated Command in PowerShell [windows]
Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
Atomic Test #10: Execution from Compressed JScript File [windows]
T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
T1036.001 Invalid Code Signature CONTRIBUTE A TEST
T1564.006 Run Virtual Instance
Atomic Test #1: Register Portable Virtualbox [windows]
Atomic Test #2: Create and start VirtualBox virtual machine [windows]
Atomic Test #3: Create and start Hyper-V virtual machine [windows]
T1134.005 Access Token Manipulation: SID-History Injection
Atomic Test #1: Injection SID-History with mimikatz [windows]
T1599 Network Boundary Bridging CONTRIBUTE A TEST
T1553 Subvert Trust Controls CONTRIBUTE A TEST
T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
T1218.010 Signed Binary Proxy Execution: Regsvr32
Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
Atomic Test #3: Regsvr32 local DLL execution [windows]
Atomic Test #4: Regsvr32 Registering Non DLL [windows]
Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
T1036.003 Masquerading: Rename System Utilities
Atomic Test #1: Masquerading as Windows LSASS process [windows]
Atomic Test #2: Masquerading as FreeBSD or Linux crond process [linux]
Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
Atomic Test #9: File Extension Masquerading [windows]
T1562.011 Spoof Security Alerting CONTRIBUTE A TEST
T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path
Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
T1027.003 Steganography CONTRIBUTE A TEST
T1550.004 Web Session Cookie CONTRIBUTE A TEST
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm
Atomic Test #1: Regasm Uninstall Method Call Test [windows]
Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
T1553.004 Subvert Trust Controls: Install Root Certificate
Atomic Test #1: Install root CA on CentOS/RHEL [linux]
Atomic Test #2: Install root CA on FreeBSD [linux]
Atomic Test #3: Install root CA on Debian/Ubuntu [linux]
Atomic Test #4: Install root CA on macOS [macos]
Atomic Test #5: Install root CA on Windows [windows]
Atomic Test #6: Install root CA on Windows with certutil [windows]
Atomic Test #7: Add Root Certificate to CurrentUser Certificate Store [windows]
T1027.004 Obfuscated Files or Information: Compile After Delivery
Atomic Test #1: Compile After Delivery using csc.exe [windows]
Atomic Test #2: Dynamic C# Compile [windows]
Atomic Test #3: C compile [linux, macos]
Atomic Test #4: CC compile [linux, macos]
Atomic Test #5: Go compile [linux, macos]
T1564.007 VBA Stomping CONTRIBUTE A TEST
T1197 BITS Jobs
Atomic Test #1: Bitsadmin Download (cmd) [windows]
Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
Atomic Test #3: Persist, Download, & Execute [windows]
Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild
Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
T1656 Impersonation CONTRIBUTE A TEST
T1578.005 Modify Cloud Compute Configurations CONTRIBUTE A TEST
T1562.008 Impair Defenses: Disable Cloud Logs
Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos, iaas:aws]
Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
T1564.003 Hide Artifacts: Hidden Window
Atomic Test #1: Hidden Window [windows]
Atomic Test #2: Headless Browser Accessing Mockbin [windows]
Atomic Test #3: Hidden Window-Conhost Execution [windows]
T1556.009 Conditional Access Policies CONTRIBUTE A TEST
T1578.002 Create Cloud Instance CONTRIBUTE A TEST
T1055.009 Proc Memory CONTRIBUTE A TEST
T1601.001 Patch System Image CONTRIBUTE A TEST
T1070.009 Clear Persistence CONTRIBUTE A TEST
T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
T1027.006 HTML Smuggling
Atomic Test #1: HTML Smuggling Remote Payload [windows]
T1556.005 Reversible Encryption CONTRIBUTE A TEST
T1027.010 Command Obfuscation CONTRIBUTE A TEST
T1070.004 Indicator Removal on Host: File Deletion
Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
Atomic Test #3: Overwrite and delete a file with shred [linux]
Atomic Test #4: Delete a single file - Windows cmd [windows]
Atomic Test #5: Delete an entire folder - Windows cmd [windows]
Atomic Test #6: Delete a single file - Windows PowerShell [windows]
Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
Atomic Test #8: Delete Filesystem - Linux [linux]
Atomic Test #9: Delete Prefetch File [windows]
Atomic Test #10: Delete TeamViewer Log Files [windows]
Atomic Test #11: Clears Recycle bin via rd [windows]
T1221 Template Injection
Atomic Test #1: WINWORD Remote Template Injection [windows]
T1134 Access Token Manipulation CONTRIBUTE A TEST
T1027.002 Obfuscated Files or Information: Software Packing
Atomic Test #1: Binary simply packed by UPX (linux) [linux]
Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
Atomic Test #3: Binary simply packed by UPX [macos]
Atomic Test #4: Binary packed by UPX, with modified headers [macos]
T1564.005 Hidden File System CONTRIBUTE A TEST
T1055.005 Thread Local Storage CONTRIBUTE A TEST
T1622 Debugger Evasion
Atomic Test #1: Detect a Debugger Presence in the Machine [windows]
T1036.006 Masquerading: Space after Filename
Atomic Test #1: Space After Filename (Manual) [macos]
Atomic Test #2: Space After Filename [macos, linux]
T1550.002 Use Alternate Authentication Material: Pass the Hash
Atomic Test #1: Mimikatz Pass the Hash [windows]
Atomic Test #2: crackmapexec Pass the Hash [windows]
Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
T1574.002 Hijack Execution Flow: DLL Side-Loading
Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
Atomic Test #3: DLL Search Order Hijacking, DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE [windows]
T1216.002 SyncAppvPublishingServer CONTRIBUTE A TEST
T1548.006 TCC Manipulation CONTRIBUTE A TEST
T1055.008 Ptrace System Calls CONTRIBUTE A TEST
T1027.007 Obfuscated Files or Information: Dynamic API Resolution
Atomic Test #1: Dynamic API Resolution-Ninja-syscall [windows]
T1055.015 Process Injection: ListPlanting
Atomic Test #1: Process injection ListPlanting [windows]
T1484 Domain or Tenant Policy Modification CONTRIBUTE A TEST
T1220 XSL Script Processing
Atomic Test #1: MSXSL Bypass using local files [windows]
Atomic Test #2: MSXSL Bypass using remote files [windows]
Atomic Test #3: WMIC bypass using local XSL file [windows]
Atomic Test #4: WMIC bypass using remote XSL file [windows]
T1564.001 Hide Artifacts: Hidden Files and Directories
Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
Atomic Test #2: Mac Hidden file [macos]
Atomic Test #3: Create Windows System File with Attrib [windows]
Atomic Test #4: Create Windows Hidden File with Attrib [windows]
Atomic Test #5: Hidden files [macos]
Atomic Test #6: Hide a Directory [macos]
Atomic Test #7: Show all hidden files [macos]
Atomic Test #8: Hide Files Through Registry [windows]
Atomic Test #9: Create Windows Hidden File with powershell [windows]
Atomic Test #10: Create Windows System File with powershell [windows]
T1578.001 Create Snapshot CONTRIBUTE A TEST
T1550.001 Application Access Token CONTRIBUTE A TEST
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
T1480.001 Environmental Keying CONTRIBUTE A TEST
T1564.004 Hide Artifacts: NTFS File Attributes
Atomic Test #1: Alternate Data Streams (ADS) [windows]
Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
Atomic Test #3: Create ADS command prompt [windows]
Atomic Test #4: Create ADS PowerShell [windows]
Atomic Test #5: Create Hidden Directory via $index_allocation [windows]
T1055.001 Process Injection: Dynamic-link Library Injection
Atomic Test #1: Process Injection via mavinject.exe [windows]
Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
T1556 Modify Authentication Process CONTRIBUTE A TEST
T1216 Signed Script Proxy Execution
Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
T1556.004 Network Device Authentication CONTRIBUTE A TEST
T1574.004 Dylib Hijacking CONTRIBUTE A TEST
T1601.002 Downgrade System Image CONTRIBUTE A TEST
T1078.003 Valid Accounts: Local Accounts
Atomic Test #1: Create local account with admin privileges [windows]
Atomic Test #2: Create local account with admin privileges - MacOS [macos]
Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
Atomic Test #8: Create local account (Linux) [linux]
Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
Atomic Test #11: Login as nobody (Linux) [linux]
Atomic Test #12: Login as nobody (freebsd) [linux]
Atomic Test #13: Use PsExec to elevate to NT Authority\SYSTEM account [windows]
T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
T1127 Trusted Developer Utilities Proxy Execution
Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
T1218.014 MMC CONTRIBUTE A TEST
T1564.010 Process Argument Spoofing CONTRIBUTE A TEST
T1574.012 Hijack Execution Flow: COR_PROFILER
Atomic Test #1: User scope COR_PROFILER [windows]
Atomic Test #2: System Scope COR_PROFILER [windows]
Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
privilege-escalation
T1055.011 Process Injection: Extra Window Memory Injection
Atomic Test #1: Process Injection via Extra Window Memory (EWM) x64 executable [windows]
T1053.005 Scheduled Task/Job: Scheduled Task
Atomic Test #1: Scheduled Task Startup Script [windows]
Atomic Test #2: Scheduled task Local [windows]
Atomic Test #3: Scheduled task Remote [windows]
Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
Atomic Test #5: Task Scheduler via VBA [windows]
Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
Atomic Test #10: Scheduled Task (“Ghost Task”) via Registry Key Manipulation [windows]
Atomic Test #11: Scheduled Task Persistence via CompMgmt.msc [windows]
Atomic Test #12: Scheduled Task Persistence via Eventviewer.msc [windows]
T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
T1546.013 Event Triggered Execution: PowerShell Profile
Atomic Test #1: Append malicious start-process cmdlet [windows]
T1543 Create or Modify System Process CONTRIBUTE A TEST
T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
T1053.007 Kubernetes Cronjob
Atomic Test #1: ListCronjobs [containers]
Atomic Test #2: CreateCronjob [containers]
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
Atomic Test #3: Bypass UAC using Fodhelper [windows]
Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
Atomic Test #8: Disable UAC using reg.exe [windows]
Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
Atomic Test #10: UACME Bypass Method 23 [windows]
Atomic Test #11: UACME Bypass Method 31 [windows]
Atomic Test #12: UACME Bypass Method 33 [windows]
Atomic Test #13: UACME Bypass Method 34 [windows]
Atomic Test #14: UACME Bypass Method 39 [windows]
Atomic Test #15: UACME Bypass Method 56 [windows]
Atomic Test #16: UACME Bypass Method 59 [windows]
Atomic Test #17: UACME Bypass Method 61 [windows]
Atomic Test #18: WinPwn - UAC Magic [windows]
Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
Atomic Test #25: Disable UAC notification via registry keys [windows]
Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
Atomic Test #27: UAC bypassed by Utilizing ProgIDs registry [windows]
T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Atomic Test #1: Sudo usage [macos, linux]
Atomic Test #2: Sudo usage (freebsd) [linux]
Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Atomic Test #1: Service Registry Permissions Weakness [windows]
Atomic Test #2: Service ImagePath Change with reg.exe [windows]
T1547 Boot or Logon Autostart Execution
Atomic Test #1: Add a driver [windows]
Atomic Test #2: Driver Installation Using pnputil.exe [windows]
Atomic Test #3: Leverage Virtual Channels to execute custom DLL during successful RDP session [windows]
T1547.014 Active Setup
Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
Atomic Test #3: HKLM - re-execute ‘Internet Explorer Core Fonts’ StubPath payload by decreasing version number [windows]
T1484.002 Domain Trust Modification
Atomic Test #1: Add Federation to Azure AD [azure-ad]
T1543.003 Create or Modify System Process: Windows Service
Atomic Test #1: Modify Fax service to run PowerShell [windows]
Atomic Test #2: Service Installation CMD [windows]
Atomic Test #3: Service Installation PowerShell [windows]
Atomic Test #4: TinyTurla backdoor service w64time [windows]
Atomic Test #5: Remote Service Installation CMD [windows]
Atomic Test #6: Modify Service to Run Arbitrary Binary (Powershell) [windows]
T1053.003 Scheduled Task/Job: Cron
Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
T1098.003 Account Manipulation: Additional Cloud Roles
Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
Atomic Test #2: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role [azure-ad]
T1547.012 Boot or Logon Autostart Execution: Print Processors
Atomic Test #1: Print Processors [windows]
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
T1574.014 AppDomainManager CONTRIBUTE A TEST
T1098.006 Additional Container Cluster Roles CONTRIBUTE A TEST
T1053 Scheduled Task/Job CONTRIBUTE A TEST
T1055.003 Thread Execution Hijacking
Atomic Test #1: Thread Execution Hijacking [windows]
T1546.011 Event Triggered Execution: Application Shimming
Atomic Test #1: Application Shim Installation [windows]
Atomic Test #2: New shim database files created in the default shim database directory [windows]
Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
T1547.010 Boot or Logon Autostart Execution: Port Monitors
Atomic Test #1: Add Port Monitor persistence in Registry [windows]
T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)
Atomic Test #1: Logon Scripts - Mac [macos]
T1055 Process Injection
Atomic Test #1: Shellcode execution via VBA [windows]
Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
Atomic Test #3: Section View Injection [windows]
Atomic Test #4: Dirty Vanity process Injection [windows]
Atomic Test #5: Read-Write-Execute process Injection [windows]
Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
Atomic Test #13: UUID custom process Injection [windows]
T1611 Escape to Host
Atomic Test #1: Deploy container using nsenter container escape [containers]
Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
Atomic Test #1: Shortcut Modification [windows]
Atomic Test #2: Create shortcut to cmd in startup folders [windows]
T1547.005 Boot or Logon Autostart Execution: Security Support Provider
Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
T1543.004 Create or Modify System Process: Launch Daemon
Atomic Test #1: Launch Daemon [macos]
Atomic Test #2: Launch Daemon - Users Directory [macos]
T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking
Atomic Test #1: PowerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
T1484.001 Domain Policy Modification: Group Policy Modification
Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
T1078.001 Valid Accounts: Default Accounts
Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
Atomic Test #2: Activate Guest Account [windows]
Atomic Test #3: Enable Guest Account on macOS [macos]
T1547.003 Time Providers
Atomic Test #1: Create a new time provider [windows]
Atomic Test #2: Edit an existing time provider [windows]
T1546.005 Event Triggered Execution: Trap
Atomic Test #1: Trap EXIT [macos, linux]
Atomic Test #2: Trap EXIT (freebsd) [linux]
Atomic Test #3: Trap SIGINT [macos, linux]
Atomic Test #4: Trap SIGINT (freebsd) [linux]
T1574.006 Hijack Execution Flow: LD_PRELOAD
Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
T1134.002 Create Process with Token
Atomic Test #1: Access Token Manipulation [windows]
Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
Atomic Test #1: Make and modify binary from C source [macos, linux]
Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
Atomic Test #3: Set a SetUID flag on file [macos, linux]
Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
Atomic Test #5: Set a SetGID flag on file [macos, linux]
Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
Atomic Test #7: Make and modify capabilities of a binary [linux]
Atomic Test #8: Provide the SetUID capability to a file [linux]
Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
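As an added illustration of what the setuid/setgid tests above exercise (this is example code written for this page, not one of the Atomic Red Team tests): the first function marks constructed scratch files the way tests #3 and #5 mark a planted binary, and the second runs the reconnaissance sweep from tests #9 and #10 against a directory. The scratch directory and file names are assumptions for the demonstration; point the sweep at `/` for a real host.

```shell
#!/bin/sh
# Added example, not Atomic Red Team code. Builds a scratch directory with
# one setuid file, one setgid file and one plain file (constructed input),
# then lists every regular file carrying either bit, as a reconnaissance
# sweep or an audit would.

# Create the scratch files and print the directory that holds them.
# chmod u+s sets the setuid bit (04000), chmod g+s the setgid bit (02000).
make_suid_scratch() {
    scratch_dir=$(mktemp -d)
    for name in suid_sh sgid_sh plain_sh; do
        printf '#!/bin/sh\necho "running as uid $(id -u)"\n' > "$scratch_dir/$name"
        chmod 755 "$scratch_dir/$name"
    done
    chmod u+s "$scratch_dir/suid_sh"
    chmod g+s "$scratch_dir/sgid_sh"
    printf '%s\n' "$scratch_dir"
}

# Reconnaissance sweep: every regular file under $1 with the setuid or the
# setgid bit set, one path per line. -xdev keeps the walk on one filesystem;
# the two -perm tests are portable across GNU and BSD find.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of setuid/setgid files under $1, handy for a baseline comparison.
count_suid_sgid() {
    find_suid_sgid "$1" | wc -l | tr -d ' '
}

# Demonstration against the scratch directory (use / for a real sweep).
demo_dir=$(make_suid_scratch)
find_suid_sgid "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, diff the sweep's output against a baseline taken at build time: a new entry outside the distribution's package-managed paths is what tests #3 and #5 leave behind.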
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
T1098.004 SSH Authorized Keys
Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
T1546.012 Event Triggered Execution: Image File Execution Options Injection
Atomic Test #1: IFEO Add Debugger [windows]
Atomic Test #2: IFEO Global Flags [windows]
Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
T1055.013 Process Doppelgänging CONTRIBUTE A TEST
T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
T1546.008 Event Triggered Execution: Accessibility Features
Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
Atomic Test #2: Replace binary of sticky keys [windows]
Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
Atomic Test #5: Auto-start application on user logon [windows]
T1055.004 Process Injection: Asynchronous Procedure Call
Atomic Test #1: Process Injection via C# [windows]
Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
T1546.009 Event Triggered Execution: AppCert DLLs
Atomic Test #1: Create registry persistence via AppCert DLL [windows]
T1098.005 Device Registration CONTRIBUTE A TEST
T1055.002 Process Injection: Portable Executable Injection
Atomic Test #1: Portable Executable Injection [windows]
T1547.015 Boot or Logon Autostart Execution: Login Items
Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
Atomic Test #2: Add macOS LoginItem using Applescript [macos]
T1134.001 Access Token Manipulation: Token Impersonation/Theft
Atomic Test #1: Named pipe client impersonation [windows]
Atomic Test #2: token duplication [windows]
Atomic Test #3: Launch NSudo Executable [windows]
Atomic Test #4: Bad Potato [windows]
Atomic Test #5: Juicy Potato [windows]
T1098.001 Account Manipulation: Additional Cloud Credentials
Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
T1134.004 Access Token Manipulation: Parent PID Spoofing
Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
T1546.001 Event Triggered Execution: Change Default File Association
Atomic Test #1: Change Default File Association [windows]
T1055.014 VDSO Hijacking CONTRIBUTE A TEST
T1546.014 Event Triggered Execution: Emond
Atomic Test #1: Persistence with Event Monitor - emond [macos]
T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Atomic Test #1: Reg Key Run [windows]
Atomic Test #2: Reg Key RunOnce [windows]
Atomic Test #3: PowerShell Registry RunOnce [windows]
Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
Atomic Test #5: Suspicious jse file run from startup Folder [windows]
Atomic Test #6: Suspicious bat file run from startup Folder [windows]
Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
Atomic Test #8: Add persistence via Recycle bin [windows]
Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
Atomic Test #17: Modify BootExecute Value [windows]
Atomic Test #18: Allowing custom application to execute during new RDP logon session [windows]
Atomic Test #19: Creating Boot Verification Program Key for application execution during successful boot [windows]
T1098 Account Manipulation
Atomic Test #1: Admin Account Manipulate [windows]
Atomic Test #2: Domain Account and Group Manipulate [windows]
Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
Atomic Test #8: Azure AD - adding permission to application [azure-ad]
Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
Atomic Test #10: Domain Password Policy Check: Short Password [windows]
Atomic Test #11: Domain Password Policy Check: No Number in Password [windows]
Atomic Test #12: Domain Password Policy Check: No Special Character in Password [windows]
Atomic Test #13: Domain Password Policy Check: No Uppercase Character in Password [windows]
Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
Atomic Test #4: Snake Malware Kernel Driver Comadmin [windows]
T1574.013 KernelCallbackTable CONTRIBUTE A TEST
T1053.006 Scheduled Task/Job: Systemd Timers
Atomic Test #1: Create Systemd Service and Timer [linux]
Atomic Test #2: Create a user level transient systemd service and timer [linux]
Atomic Test #3: Create a system level transient systemd service and timer [linux]
T1574 Hijack Execution Flow CONTRIBUTE A TEST
T1543.005 Container Service CONTRIBUTE A TEST
T1078 Valid Accounts CONTRIBUTE A TEST
T1055.012 Process Injection: Process Hollowing
Atomic Test #1: Process Hollowing using PowerShell [windows]
Atomic Test #2: RunPE via VBA [windows]
Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
T1546 Event Triggered Execution
Atomic Test #1: Persistence with Custom AutodialDLL [windows]
Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
Atomic Test #6: Load custom DLL on mstsc execution [windows]
Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
Atomic Test #8: Persistence via ErrorHandler.cmd script execution [windows]
Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD [windows]
T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc
Atomic Test #1: Add command to .bash_profile [macos, linux]
Atomic Test #2: Add command to .bashrc [macos, linux]
Atomic Test #3: Add command to .shrc [linux]
Atomic Test #4: Append to the system shell profile [linux]
Atomic Test #5: Append commands user shell profile [linux]
Atomic Test #6: System shell profile scripts [linux]
Atomic Test #7: Create/Append to .bash_logout [linux]
T1134.005 Access Token Manipulation: SID-History Injection
Atomic Test #1: Injection SID-History with mimikatz [windows]
T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
T1547.002 Authentication Package
Atomic Test #1: Authentication Package [windows]
T1546.015 Event Triggered Execution: Component Object Model Hijacking
Atomic Test #1: COM Hijacking - InprocServer32 [windows]
Atomic Test #2: Powershell Execute COM Object [windows]
Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
Atomic Test #4: COM hijacking via TreatAs [windows]
T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path
Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
T1037.005 Boot or Logon Initialization Scripts: Startup Items
Atomic Test #1: Add file to Local Library StartupItems [macos]
Atomic Test #2: Add launch script to launch daemon [macos]
Atomic Test #3: Add launch script to launch agent [macos]
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1037.003 Network Logon Script CONTRIBUTE A TEST
T1546.010 Event Triggered Execution: AppInit DLLs
Atomic Test #1: Install AppInit Shim [windows]
T1546.002 Event Triggered Execution: Screensaver
Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
T1543.001 Create or Modify System Process: Launch Agent
Atomic Test #1: Launch Agent [macos]
Atomic Test #2: Event Monitor Daemon Persistence [macos]
Atomic Test #3: Launch Agent - Root Directory [macos]
T1055.009 Proc Memory CONTRIBUTE A TEST
T1546.016 Installer Packages CONTRIBUTE A TEST
T1037.004 Boot or Logon Initialization Scripts: Rc.common
Atomic Test #1: rc.common [macos]
Atomic Test #2: rc.common [linux]
Atomic Test #3: rc.local [linux]
T1134 Access Token Manipulation CONTRIBUTE A TEST
T1543.002 Create or Modify System Process: SysV/Systemd Service
Atomic Test #1: Create Systemd Service [linux]
Atomic Test #2: Create SysV Service [linux]
Atomic Test #3: Create Systemd Service file, Enable the service, Modify and Reload the service [linux]
T1547.013 XDG Autostart Entries CONTRIBUTE A TEST
T1055.005 Thread Local Storage CONTRIBUTE A TEST
T1547.007 Boot or Logon Autostart Execution: Re-opened Applications
Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
Atomic Test #2: Re-Opened Applications using LoginHook [macos]
Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
T1574.002 Hijack Execution Flow: DLL Side-Loading
Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
Atomic Test #3: DLL Search Order Hijacking, DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE [windows]
T1098.002 Account Manipulation: Additional Email Delegate Permissions
Atomic Test #1: EXO - Full access mailbox permission granted to a user [office-365]
T1548.006 TCC Manipulation CONTRIBUTE A TEST
T1055.008 Ptrace System Calls CONTRIBUTE A TEST
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
Atomic Test #1: Logon Scripts [windows]
T1055.015 Process Injection: ListPlanting
Atomic Test #1: Process injection ListPlanting [windows]
T1484 Domain or Tenant Policy Modification CONTRIBUTE A TEST
T1547.008 Boot or Logon Autostart Execution: LSASS Driver
Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
T1053.002 Scheduled Task/Job: At
Atomic Test #1: At.exe Scheduled task [windows]
Atomic Test #2: At - Schedule a job [linux]
T1055.001 Process Injection: Dynamic-link Library Injection
Atomic Test #1: Process Injection via mavinject.exe [windows]
Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
T1546.007 Event Triggered Execution: Netsh Helper DLL
Atomic Test #1: Netsh Helper DLL Registration [windows]
T1574.004 Dylib Hijacking CONTRIBUTE A TEST
T1078.003 Valid Accounts: Local Accounts
Atomic Test #1: Create local account with admin privileges [windows]
Atomic Test #2: Create local account with admin privileges - MacOS [macos]
Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
Atomic Test #8: Create local account (Linux) [linux]
Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
Atomic Test #11: Login as nobody (Linux) [linux]
Atomic Test #12: Login as nobody (freebsd) [linux]
Atomic Test #13: Use PsExec to elevate to NT Authority\SYSTEM account [windows]
T1574.012 Hijack Execution Flow: COR_PROFILER
Atomic Test #1: User scope COR_PROFILER [windows]
Atomic Test #2: System Scope COR_PROFILER [windows]
Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
execution
T1053.005 Scheduled Task/Job: Scheduled Task
Atomic Test #1: Scheduled Task Startup Script [windows]
Atomic Test #2: Scheduled task Local [windows]
Atomic Test #3: Scheduled task Remote [windows]
Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
Atomic Test #5: Task Scheduler via VBA [windows]
Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
Atomic Test #10: Scheduled Task (“Ghost Task”) via Registry Key Manipulation [windows]
Atomic Test #11: Scheduled Task Persistence via CompMgmt.msc [windows]
Atomic Test #12: Scheduled Task Persistence via Eventviewer.msc [windows]
T1047 Windows Management Instrumentation
Atomic Test #1: WMI Reconnaissance Users [windows]
Atomic Test #2: WMI Reconnaissance Processes [windows]
Atomic Test #3: WMI Reconnaissance Software [windows]
Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
Atomic Test #5: WMI Execute Local Process [windows]
Atomic Test #6: WMI Execute Remote Process [windows]
Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
Atomic Test #9: WMI Execute rundll32 [windows]
Atomic Test #10: Application uninstall using WMIC [windows]
T1129 Server Software Component
Atomic Test #1: ESXi - Install a custom VIB on an ESXi host [windows]
T1059.007 Command and Scripting Interpreter: JavaScript
Atomic Test #1: JScript execution to gather local computer information via cscript [windows]
Atomic Test #2: JScript execution to gather local computer information via wscript [windows]
T1053.007 Kubernetes Cronjob
Atomic Test #1: ListCronjobs [containers]
Atomic Test #2: CreateCronjob [containers]
T1559.002 Inter-Process Communication: Dynamic Data Exchange
Atomic Test #1: Execute Commands [windows]
Atomic Test #2: Execute PowerShell script via Word DDE [windows]
Atomic Test #3: DDEAUTO [windows]
T1204.002 User Execution: Malicious File
Atomic Test #1: OSTap Style Macro Execution [windows]
Atomic Test #2: OSTap Payload Download [windows]
Atomic Test #3: Maldoc choice flags command execution [windows]
Atomic Test #4: OSTAP JS version [windows]
Atomic Test #5: Office launching .bat file from AppData [windows]
Atomic Test #6: Excel 4 Macro [windows]
Atomic Test #7: Headless Chrome code execution via VBA [windows]
Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
Atomic Test #9: Office Generic Payload Download [windows]
Atomic Test #10: LNK Payload Download [windows]
Atomic Test #11: Mirror Blast Emulation [windows]
T1053.003 Scheduled Task/Job: Cron
Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
T1559.001 Component Object Model CONTRIBUTE A TEST
T1053 Scheduled Task/Job CONTRIBUTE A TEST
T1059.002 Command and Scripting Interpreter: AppleScript
Atomic Test #1: AppleScript [macos]
T1106 Native API
Atomic Test #1: Execution through API - CreateProcess [windows]
Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
Atomic Test #5: Run Shellcode via Syscall in Go [windows]
T1059.010 AutoHotKey & AutoIT CONTRIBUTE A TEST
T1059.009 Cloud API CONTRIBUTE A TEST
T1610 Deploy a container
Atomic Test #1: Deploy Docker container [containers]
T1059 Command and Scripting Interpreter
Atomic Test #1: AutoIt Script Execution [windows]
T1609 Kubernetes Exec Into Container
Atomic Test #1: ExecIntoContainer [containers]
Atomic Test #2: Docker Exec Into Container [containers]
T1569.001 System Services: Launchctl
Atomic Test #1: Launchctl [macos]
T1059.008 Network Device CLI CONTRIBUTE A TEST
T1559.003 XPC Services CONTRIBUTE A TEST
T1204 User Execution CONTRIBUTE A TEST
T1072 Software Deployment Tools
Atomic Test #1: Radmin Viewer Utility [windows]
Atomic Test #2: PDQ Deploy RAT [windows]
Atomic Test #3: Deploy 7-Zip Using Chocolatey [windows]
T1059.001 Command and Scripting Interpreter: PowerShell
Atomic Test #1: Mimikatz [windows]
Atomic Test #2: Run BloodHound from local disk [windows]
Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
Atomic Test #5: Invoke-AppPathBypass [windows]
Atomic Test #6: Powershell MsXml COM object - with prompt [windows]
Atomic Test #7: Powershell XML requests [windows]
Atomic Test #8: Powershell invoke mshta.exe download [windows]
Atomic Test #9: Powershell Invoke-DownloadCradle [windows]
Atomic Test #10: PowerShell Fileless Script Execution [windows]
Atomic Test #11: NTFS Alternate Data Stream Access [windows]
Atomic Test #12: PowerShell Session Creation and Use [windows]
Atomic Test #13: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
Atomic Test #15: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
Atomic Test #17: PowerShell Command Execution [windows]
Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows]
Atomic Test #19: PowerUp Invoke-AllChecks [windows]
Atomic Test #20: Abuse Nslookup with DNS Records [windows]
Atomic Test #21: SOAPHound - Dump BloodHound Data [windows]
Atomic Test #22: SOAPHound - Build Cache [windows]
T1053.006 Scheduled Task/Job: Systemd Timers
Atomic Test #1: Create Systemd Service and Timer [linux]
Atomic Test #2: Create a user level transient systemd service and timer [linux]
Atomic Test #3: Create a system level transient systemd service and timer [linux]
T1059.004 Command and Scripting Interpreter: Bash
Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
Atomic Test #2: Command-Line Interface [linux, macos]
Atomic Test #3: Harvest SUID executable files [linux]
Atomic Test #4: LinEnum tool execution [linux]
Atomic Test #5: New script file in the tmp directory [linux]
Atomic Test #6: What shell is running [linux]
Atomic Test #7: What shells are available [linux]
Atomic Test #8: Command line scripts [linux]
Atomic Test #9: Obfuscated command line scripts [linux]
Atomic Test #10: Change login shell [linux]
Atomic Test #11: Environment variable scripts [linux]
Atomic Test #12: Detecting pipe-to-shell [linux]
Atomic Test #13: Current kernel information enumeration [linux]
Atomic Test #14: Shell Creation using awk command [linux, macos]
Atomic Test #15: Creating shell using cpan command [linux, macos]
Atomic Test #16: Shell Creation using busybox command [linux]
Atomic Test #17: emacs spawning an interactive system shell [linux, macos]
T1559 Inter-Process Communication
Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
T1204.003 User Execution: Malicious Image
Atomic Test #1: Malicious Execution from Mounted ISO Image [windows]
T1203 Exploitation for Client Execution CONTRIBUTE A TEST
T1059.006 Command and Scripting Interpreter: Python
Atomic Test #1: Execute shell script via python's command mode argument [linux]
Atomic Test #2: Execute Python via scripts [linux]
Atomic Test #3: Execute Python via Python executables [linux]
Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
T1569 System Services CONTRIBUTE A TEST
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Atomic Test #1: Create and Execute Batch Script [windows]
Atomic Test #2: Writes text to a file and displays it. [windows]
Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
Atomic Test #6: Command prompt writing script to file then executes it [windows]
T1651 Cloud Administration Command CONTRIBUTE A TEST
T1059.005 Command and Scripting Interpreter: Visual Basic
Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
Atomic Test #2: Encoded VBS code execution [windows]
Atomic Test #3: Extract Memory via VBA [windows]
T1648 Serverless Execution CONTRIBUTE A TEST
T1204.001 Malicious Link CONTRIBUTE A TEST
T1569.002 System Services: Service Execution
Atomic Test #1: Execute a Command as a Service [windows]
Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
Atomic Test #3: psexec.py (Impacket) [linux]
Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
Atomic Test #6: Snake Malware Service Create [windows]
Atomic Test #7: Modifying ACL of Service Control Manager via SDET [windows]
Atomic Test #8: Pipe Creation - PsExec Tool Execution From Suspicious Locations [windows]
T1053.002 Scheduled Task/Job: At
Atomic Test #1: At.exe Scheduled task [windows]
Atomic Test #2: At - Schedule a job [linux]
persistence
T1053.005 Scheduled Task/Job: Scheduled Task
Atomic Test #1: Scheduled Task Startup Script [windows]
Atomic Test #2: Scheduled task Local [windows]
Atomic Test #3: Scheduled task Remote [windows]
Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
Atomic Test #5: Task Scheduler via VBA [windows]
Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
Atomic Test #10: Scheduled Task (“Ghost Task”) via Registry Key Manipulation [windows]
Atomic Test #11: Scheduled Task Persistence via CompMgmt.msc [windows]
Atomic Test #12: Scheduled Task Persistence via Eventviewer.msc [windows]
T1205.002 Socket Filters CONTRIBUTE A TEST
T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
T1556.003 Modify Authentication Process: Pluggable Authentication Modules
Atomic Test #1: Malicious PAM rule [linux]
Atomic Test #2: Malicious PAM rule (freebsd) [linux]
Atomic Test #3: Malicious PAM module [linux]
T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
T1546.013 Event Triggered Execution: PowerShell Profile
Atomic Test #1: Append malicious start-process cmdlet [windows]
T1543 Create or Modify System Process CONTRIBUTE A TEST
T1133 External Remote Services
Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
T1053.007 Kubernetes Cronjob
Atomic Test #1: ListCronjobs [containers]
Atomic Test #2: CreateCronjob [containers]
T1542.001 Pre-OS Boot: System Firmware
Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Atomic Test #1: Service Registry Permissions Weakness [windows]
Atomic Test #2: Service ImagePath Change with reg.exe [windows]
T1542.003 Bootkit CONTRIBUTE A TEST
T1547 Boot or Logon Autostart Execution
Atomic Test #1: Add a driver [windows]
Atomic Test #2: Driver Installation Using pnputil.exe [windows]
Atomic Test #3: Leverage Virtual Channels to execute custom DLL during successful RDP session [windows]
T1547.014 Active Setup
Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
Atomic Test #3: HKLM - re-execute ‘Internet Explorer Core Fonts’ StubPath payload by decreasing version number [windows]
T1542.005 TFTP Boot CONTRIBUTE A TEST
T1543.003 Create or Modify System Process: Windows Service
Atomic Test #1: Modify Fax service to run PowerShell [windows]
Atomic Test #2: Service Installation CMD [windows]
Atomic Test #3: Service Installation PowerShell [windows]
Atomic Test #4: TinyTurla backdoor service w64time [windows]
Atomic Test #5: Remote Service Installation CMD [windows]
Atomic Test #6: Modify Service to Run Arbitrary Binary (Powershell) [windows]
T1053.003 Scheduled Task/Job: Cron
Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
T1137 Office Application Startup
Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
T1098.003 Account Manipulation: Additional Cloud Roles
Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
Atomic Test #2: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role [azure-ad]
T1547.012 Boot or Logon Autostart Execution: Print Processors
Atomic Test #1: Print Processors [windows]
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
T1137.006 Office Application Startup: Add-ins
Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
Atomic Test #3: Persistent Code Execution Via Word Add-in File (WLL) [windows]
Atomic Test #4: Persistent Code Execution Via Excel VBA Add-in File (XLAM) [windows]
Atomic Test #5: Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) [windows]
T1505.002 Server Software Component: Transport Agent
Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
T1574.014 AppDomainManager CONTRIBUTE A TEST
T1098.006 Additional Container Cluster Roles CONTRIBUTE A TEST
T1053 Scheduled Task/Job CONTRIBUTE A TEST
T1556.002 Modify Authentication Process: Password Filter DLL
Atomic Test #1: Install and Register Password Filter DLL [windows]
Atomic Test #2: Install Additional Authentication Packages [windows]
T1505.005 Server Software Component: Terminal Services DLL
Atomic Test #1: Simulate Patching termsrv.dll [windows]
Atomic Test #2: Modify Terminal Services DLL Path [windows]
T1176 Browser Extensions
Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
Atomic Test #3: Firefox [linux, windows, macos]
Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
T1137.005 Outlook Rules CONTRIBUTE A TEST
T1546.011 Event Triggered Execution: Application Shimming
Atomic Test #1: Application Shim Installation [windows]
Atomic Test #2: New shim database files created in the default shim database directory [windows]
Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
T1547.010 Boot or Logon Autostart Execution: Port Monitors
Atomic Test #1: Add Port Monitor persistence in Registry [windows]
T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)
Atomic Test #1: Logon Scripts - Mac [macos]
T1205 Traffic Signaling CONTRIBUTE A TEST
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
Atomic Test #1: Shortcut Modification [windows]
Atomic Test #2: Create shortcut to cmd in startup folders [windows]
T1525 Implant Internal Image CONTRIBUTE A TEST
T1547.005 Boot or Logon Autostart Execution: Security Support Provider
Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
T1556.007 Hybrid Identity CONTRIBUTE A TEST
T1543.004 Create or Modify System Process: Launch Daemon
Atomic Test #1: Launch Daemon [macos]
Atomic Test #2: Launch Daemon - Users Directory [macos]
T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking
Atomic Test #1: PowerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
T1505.003 Server Software Component: Web Shell
Atomic Test #1: Web Shell Written to Disk [windows]
T1078.001 Valid Accounts: Default Accounts
Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
Atomic Test #2: Activate Guest Account [windows]
Atomic Test #3: Enable Guest Account on macOS [macos]
T1547.003 Time Providers
Atomic Test #1: Create a new time provider [windows]
Atomic Test #2: Edit an existing time provider [windows]
T1546.005 Event Triggered Execution: Trap
Atomic Test #1: Trap EXIT [macos, linux]
Atomic Test #2: Trap EXIT (freebsd) [linux]
Atomic Test #3: Trap SIGINT [macos, linux]
Atomic Test #4: Trap SIGINT (freebsd) [linux]
T1574.006 Hijack Execution Flow: LD_PRELOAD
Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
T1136.001 Create Account: Local Account
Atomic Test #1: Create a user account on a Linux system [linux]
Atomic Test #2: Create a user account on a FreeBSD system [linux]
Atomic Test #3: Create a user account on a MacOS system [macos]
Atomic Test #4: Create a new user in a command prompt [windows]
Atomic Test #5: Create a new user in PowerShell [windows]
Atomic Test #6: Create a new user in Linux with UID and GID [linux]
Atomic Test #7: Create a new user in FreeBSD with GID [linux]
Atomic Test #8: Create a new Windows admin user [windows]
Atomic Test #9: Create a new Windows admin user via .NET [windows]
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
T1098.004 SSH Authorized Keys
Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
T1546.012 Event Triggered Execution: Image File Execution Options Injection
Atomic Test #1: IFEO Add Debugger [windows]
Atomic Test #2: IFEO Global Flags [windows]
Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
T1546.008 Event Triggered Execution: Accessibility Features
Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
Atomic Test #2: Replace binary of sticky keys [windows]
Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
Atomic Test #5: Auto-start application on user logon [windows]
T1136.002 Create Account: Domain Account
Atomic Test #1: Create a new Windows domain admin user [windows]
Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
Atomic Test #3: Create a new Domain Account using PowerShell [windows]
Atomic Test #4: Active Directory Create Admin Account [linux]
Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
T1542.002 Component Firmware CONTRIBUTE A TEST
T1137.001 Office Application Startup: Office Template Macros
Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
T1546.009 Event Triggered Execution: AppCert DLLs
Atomic Test #1: Create registry persistence via AppCert DLL [windows]
T1098.005 Device Registration CONTRIBUTE A TEST
T1542 Pre-OS Boot CONTRIBUTE A TEST
T1547.015 Boot or Logon Autostart Execution: Login Items
Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
Atomic Test #2: Add macOS LoginItem using Applescript [macos]
T1205.001 Port Knocking CONTRIBUTE A TEST
T1098.001 Account Manipulation: Additional Cloud Credentials
Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
T1556.008 Network Provider DLL CONTRIBUTE A TEST
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
T1554 Compromise Host Software Binary CONTRIBUTE A TEST
T1546.001 Event Triggered Execution: Change Default File Association
Atomic Test #1: Change Default File Association [windows]
T1546.014 Event Triggered Execution: Emond
Atomic Test #1: Persistence with Event Monitor - emond [macos]
T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Atomic Test #1: Reg Key Run [windows]
Atomic Test #2: Reg Key RunOnce [windows]
Atomic Test #3: PowerShell Registry RunOnce [windows]
Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
Atomic Test #5: Suspicious jse file run from startup Folder [windows]
Atomic Test #6: Suspicious bat file run from startup Folder [windows]
Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
Atomic Test #8: Add persistence via Recycle bin [windows]
Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
Atomic Test #17: Modify BootExecute Value [windows]
Atomic Test #18: Allowing custom application to execute during new RDP logon session [windows]
Atomic Test #19: Creating Boot Verification Program Key for application execution during successful boot [windows]
T1136.003 Create Account: Cloud Account
Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
Atomic Test #2: Azure AD - Create a new user [azure-ad]
Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
T1098 Account Manipulation
Atomic Test #1: Admin Account Manipulate [windows]
Atomic Test #2: Domain Account and Group Manipulate [windows]
Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
Atomic Test #8: Azure AD - adding permission to application [azure-ad]
Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
Atomic Test #10: Domain Password Policy Check: Short Password [windows]
Atomic Test #11: Domain Password Policy Check: No Number in Password [windows]
Atomic Test #12: Domain Password Policy Check: No Special Character in Password [windows]
Atomic Test #13: Domain Password Policy Check: No Uppercase Character in Password [windows]
Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
Atomic Test #4: Snake Malware Kernel Driver Comadmin [windows]
T1574.013 KernelCallbackTable CONTRIBUTE A TEST
T1053.006 Scheduled Task/Job: Systemd Timers
Atomic Test #1: Create Systemd Service and Timer [linux]
Atomic Test #2: Create a user level transient systemd service and timer [linux]
Atomic Test #3: Create a system level transient systemd service and timer [linux]
T1542.004 ROMMONkit CONTRIBUTE A TEST
T1137.003 Outlook Forms CONTRIBUTE A TEST
T1574 Hijack Execution Flow CONTRIBUTE A TEST
T1543.005 Container Service CONTRIBUTE A TEST
T1078 Valid Accounts CONTRIBUTE A TEST
T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
T1505.004 IIS Components
Atomic Test #1: Install IIS Module using AppCmd.exe [windows]
Atomic Test #2: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule [windows]
T1546 Event Triggered Execution
Atomic Test #1: Persistence with Custom AutodialDLL [windows]
Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
Atomic Test #6: Load custom DLL on mstsc execution [windows]
Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
Atomic Test #8: Persistence via ErrorHandler.cmd script execution [windows]
Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD [windows]
T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc
Atomic Test #1: Add command to .bash_profile [macos, linux]
Atomic Test #2: Add command to .bashrc [macos, linux]
Atomic Test #3: Add command to .shrc [linux]
Atomic Test #4: Append to the system shell profile [linux]
Atomic Test #5: Append commands user shell profile [linux]
Atomic Test #6: System shell profile scripts [linux]
Atomic Test #7: Create/Append to .bash_logout [linux]
T1547.002 Authentication Package
Atomic Test #1: Authentication Package [windows]
T1546.015 Event Triggered Execution: Component Object Model Hijacking
Atomic Test #1: COM Hijacking - InprocServer32 [windows]
Atomic Test #2: Powershell Execute COM Object [windows]
Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
Atomic Test #4: COM hijacking via TreatAs [windows]
T1137.004 Office Application Startup: Outlook Home Page
Atomic Test #1: Install Outlook Home Page Persistence [windows]
T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path
Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
T1037.005 Boot or Logon Initialization Scripts: Startup Items
Atomic Test #1: Add file to Local Library StartupItems [macos]
Atomic Test #2: Add launch script to launch daemon [macos]
Atomic Test #3: Add launch script to launch agent [macos]
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1037.003 Network Logon Script CONTRIBUTE A TEST
T1197 BITS Jobs
Atomic Test #1: Bitsadmin Download (cmd) [windows]
Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
Atomic Test #3: Persist, Download, & Execute [windows]
Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
T1546.010 Event Triggered Execution: AppInit DLLs
Atomic Test #1: Install AppInit Shim [windows]
T1546.002 Event Triggered Execution: Screensaver
Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
T1556.009 Conditional Access Policies CONTRIBUTE A TEST
T1543.001 Create or Modify System Process: Launch Agent
Atomic Test #1: Launch Agent [macos]
Atomic Test #2: Event Monitor Daemon Persistence [macos]
Atomic Test #3: Launch Agent - Root Directory [macos]
T1505 Server Software Component CONTRIBUTE A TEST
T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
T1556.005 Reversible Encryption CONTRIBUTE A TEST
T1546.016 Installer Packages CONTRIBUTE A TEST
T1037.004 Boot or Logon Initialization Scripts: Rc.common
Atomic Test #1: rc.common [macos]
Atomic Test #2: rc.common [linux]
Atomic Test #3: rc.local [linux]
T1543.002 Create or Modify System Process: SysV/Systemd Service
Atomic Test #1: Create Systemd Service [linux]
Atomic Test #2: Create SysV Service [linux]
Atomic Test #3: Create Systemd Service file, enable the service, modify and reload the service [linux]
T1136 Create Account CONTRIBUTE A TEST
T1547.013 XDG Autostart Entries CONTRIBUTE A TEST
T1547.007 Boot or Logon Autostart Execution: Re-opened Applications
Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
Atomic Test #2: Re-Opened Applications using LoginHook [macos]
Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
T1574.002 Hijack Execution Flow: DLL Side-Loading
Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
Atomic Test #3: DLL Search Order Hijacking, DLL Sideloading of KeyScramblerIE.DLL via KeyScrambler.EXE [windows]
T1098.002 Account Manipulation: Additional Email Delegate Permissions
Atomic Test #1: EXO - Full access mailbox permission granted to a user [office-365]
T1653 Power Settings CONTRIBUTE A TEST
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
Atomic Test #1: Logon Scripts [windows]
T1137.002 Office Application Startup: Office Test
Atomic Test #1: Office Application Startup Test Persistence (HKCU) [windows]
T1547.008 Boot or Logon Autostart Execution: LSASS Driver
Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
T1053.002 Scheduled Task/Job: At
Atomic Test #1: At.exe Scheduled task [windows]
Atomic Test #2: At - Schedule a job [linux]
T1556 Modify Authentication Process CONTRIBUTE A TEST
T1546.007 Event Triggered Execution: Netsh Helper DLL
Atomic Test #1: Netsh Helper DLL Registration [windows]
T1505.001 SQL Stored Procedures CONTRIBUTE A TEST
T1556.004 Network Device Authentication CONTRIBUTE A TEST
T1574.004 Dylib Hijacking CONTRIBUTE A TEST
T1078.003 Valid Accounts: Local Accounts
Atomic Test #1: Create local account with admin privileges [windows]
Atomic Test #2: Create local account with admin privileges - MacOS [macos]
Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
Atomic Test #8: Create local account (Linux) [linux]
Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
Atomic Test #11: Login as nobody (Linux) [linux]
Atomic Test #12: Login as nobody (freebsd) [linux]
Atomic Test #13: Use PsExec to elevate to NT Authority\SYSTEM account [windows]
T1574.012 Hijack Execution Flow: COR_PROFILER
Atomic Test #1: User scope COR_PROFILER [windows]
Atomic Test #2: System Scope COR_PROFILER [windows]
Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
command-and-control
T1205.002 Socket Filters CONTRIBUTE A TEST
T1132.001 Data Encoding: Standard Encoding
Atomic Test #1: Base64 Encoded data [macos, linux]
Atomic Test #2: Base64 Encoded data (freebsd) [linux]
Atomic Test #3: XOR Encoded data [windows]
T1568.002 Domain Generation Algorithms CONTRIBUTE A TEST
T1071.004 Application Layer Protocol: DNS
Atomic Test #1: DNS Large Query Volume [windows]
Atomic Test #2: DNS Regular Beaconing [windows]
Atomic Test #3: DNS Long Domain Query [windows]
Atomic Test #4: DNS C2 [windows]
T1573.001 Symmetric Cryptography CONTRIBUTE A TEST
T1568.001 Fast Flux DNS CONTRIBUTE A TEST
T1071 Application Layer Protocol
Atomic Test #1: Telnet C2 [windows]
T1219 Remote Access Software
Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
Atomic Test #6: Ammyy Admin Software Execution [windows]
Atomic Test #7: RemotePC Software Execution [windows]
Atomic Test #8: NetSupport - RAT Execution [windows]
Atomic Test #9: UltraViewer - RAT Execution [windows]
Atomic Test #10: UltraVNC Execution [windows]
Atomic Test #11: MSP360 Connect Execution [windows]
Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
Atomic Test #13: Splashtop Execution [windows]
Atomic Test #14: Splashtop Streamer Execution [windows]
T1659 Content Injection CONTRIBUTE A TEST
T1205 Traffic Signaling CONTRIBUTE A TEST
T1572 Protocol Tunneling
Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
Atomic Test #4: run ngrok [windows]
T1071.003 Mail Protocols CONTRIBUTE A TEST
T1092 Communication Through Removable Media CONTRIBUTE A TEST
T1090.002 External Proxy CONTRIBUTE A TEST
T1090 Proxy CONTRIBUTE A TEST
T1568 Dynamic Resolution CONTRIBUTE A TEST
T1102 Web Service CONTRIBUTE A TEST
T1568.003 DNS Calculation CONTRIBUTE A TEST
T1104 Multi-Stage Channels CONTRIBUTE A TEST
T1205.001 Port Knocking CONTRIBUTE A TEST
T1071.002 File Transfer Protocols CONTRIBUTE A TEST
T1102.003 One-Way Communication CONTRIBUTE A TEST
T1090.003 Proxy: Multi-hop Proxy
Atomic Test #1: Psiphon [windows]
Atomic Test #2: Tor Proxy Usage - Windows [windows]
Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu/FreeBSD [linux]
Atomic Test #4: Tor Proxy Usage - MacOS [macos]
T1001 Data Obfuscation CONTRIBUTE A TEST
T1571 Non-Standard Port
Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
T1573 Encrypted Channel
Atomic Test #1: OpenSSL C2 [windows]
T1102.002 Bidirectional Communication CONTRIBUTE A TEST
T1573.002 Asymmetric Cryptography CONTRIBUTE A TEST
T1095 Non-Application Layer Protocol
Atomic Test #1: ICMP C2 [windows]
Atomic Test #2: Netcat C2 [windows]
Atomic Test #3: Powercat C2 [windows]
T1001.003 Protocol Impersonation CONTRIBUTE A TEST
T1090.004 Domain Fronting CONTRIBUTE A TEST
T1132 Data Encoding CONTRIBUTE A TEST
T1132.002 Non-Standard Encoding CONTRIBUTE A TEST
T1071.001 Application Layer Protocol: Web Protocols
Atomic Test #1: Malicious User Agents - Powershell [windows]
Atomic Test #2: Malicious User Agents - CMD [windows]
Atomic Test #3: Malicious User Agents - Nix [linux, macos]
T1105 Ingress Tool Transfer
Atomic Test #1: rsync remote file copy (push) [linux, macos]
Atomic Test #2: rsync remote file copy (pull) [linux, macos]
Atomic Test #3: scp remote file copy (push) [linux, macos]
Atomic Test #4: scp remote file copy (pull) [linux, macos]
Atomic Test #5: sftp remote file copy (push) [linux, macos]
Atomic Test #6: sftp remote file copy (pull) [linux, macos]
Atomic Test #7: certutil download (urlcache) [windows]
Atomic Test #8: certutil download (verifyctl) [windows]
Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
Atomic Test #10: Windows - PowerShell Download [windows]
Atomic Test #11: OSTAP Worming Activity [windows]
Atomic Test #12: svchost writing a file to a UNC path [windows]
Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
Atomic Test #14: whois file download [linux, macos]
Atomic Test #15: File Download via PowerShell [windows]
Atomic Test #16: File download with finger.exe on Windows [windows]
Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
Atomic Test #18: Curl Download File [windows]
Atomic Test #19: Curl Upload File [windows]
Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
Atomic Test #21: MAZE Propagation Script [windows]
Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
Atomic Test #23: Lolbas replace.exe use to copy file [windows]
Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
Atomic Test #25: certreq download [windows]
Atomic Test #26: Download a file using wscript [windows]
Atomic Test #27: Linux Download File and Run [linux]
Atomic Test #28: Nimgrab - Transfer Files [windows]
Atomic Test #29: iwr or Invoke Web-Request download [windows]
Atomic Test #30: Arbitrary file download using the Notepad++ GUP.exe binary [windows]
Atomic Test #31: File download via nscurl [macos]
Atomic Test #32: File Download with Sqlcmd.exe [windows]
Atomic Test #33: Remote File Copy using PSCP [windows]
T1665 Hide Infrastructure CONTRIBUTE A TEST
T1001.002 Data Obfuscation via Steganography
Atomic Test #1: Steganographic Tarball Embedding [windows]
Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
Atomic Test #3: Execute Embedded Script in Image via Steganography [linux]
T1008 Fallback Channels CONTRIBUTE A TEST
T1090.001 Proxy: Internal Proxy
Atomic Test #1: Connection Proxy [linux, macos]
Atomic Test #2: Connection Proxy for macOS UI [macos]
Atomic Test #3: portproxy reg key [windows]
T1102.001 Dead Drop Resolver CONTRIBUTE A TEST
T1001.001 Junk Data CONTRIBUTE A TEST
collection
T1560.001 Archive Collected Data: Archive via Utility
Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
Atomic Test #5: Data Compressed - nix - zip [linux, macos]
Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
Atomic Test #11: Compress a File for Exfiltration using Makecab [windows]
T1113 Screen Capture
Atomic Test #1: Screencapture [macos]
Atomic Test #2: Screencapture (silent) [macos]
Atomic Test #3: X Windows Capture [linux]
Atomic Test #4: X Windows Capture (freebsd) [linux]
Atomic Test #5: Capture Linux Desktop using Import Tool [linux]
Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux]
Atomic Test #7: Windows Screencapture [windows]
Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
T1557 Adversary-in-the-Middle CONTRIBUTE A TEST
T1056.001 Input Capture: Keylogging
Atomic Test #1: Input Capture [windows]
Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
Atomic Test #3: Logging bash history to syslog [linux]
Atomic Test #4: Logging sh history to syslog/messages [linux]
Atomic Test #5: Bash session based keylogger [linux]
Atomic Test #6: SSHD PAM keylogger [linux]
Atomic Test #7: Auditd keylogger [linux]
Atomic Test #8: MacOS Swift Keylogger [macos]
T1602 Data from Configuration Repository CONTRIBUTE A TEST
T1213.002 Sharepoint CONTRIBUTE A TEST
T1123 Audio Capture
Atomic Test #1: using device audio capture commandlet [windows]
Atomic Test #2: Registry artefact when an application uses the microphone [windows]
Atomic Test #3: using Quicktime Player [macos]
T1560.003 Archive via Custom Method CONTRIBUTE A TEST
T1114 Email Collection CONTRIBUTE A TEST
T1025 Data from Removable Media
Atomic Test #1: Identify Documents on USB and Removable Media via PowerShell [windows]
T1074.001 Data Staged: Local Data Staging
Atomic Test #1: Stage data from Discovery.bat [windows]
Atomic Test #2: Stage data from Discovery.sh [linux, macos]
Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
T1114.001 Email Collection: Local Email Collection
Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
T1119 Automated Collection
Atomic Test #1: Automated Collection Command Prompt [windows]
Atomic Test #2: Automated Collection PowerShell [windows]
Atomic Test #3: Recon information for export with PowerShell [windows]
Atomic Test #4: Recon information for export with Command Prompt [windows]
T1115 Clipboard Data
Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
Atomic Test #3: Execute commands from clipboard [macos]
Atomic Test #4: Collect Clipboard Data via VBA [windows]
Atomic Test #5: Add or copy content to clipboard with xClip [linux]
T1530 Data from Cloud Storage Object
Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
T1074.002 Remote Data Staging CONTRIBUTE A TEST
T1005 Data from Local System
Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
Atomic Test #2: Find and dump sqlite databases (Linux) [linux]
T1560.002 Archive Collected Data: Archive via Library
Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux]
Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
T1602.002 Network Device Configuration Dump CONTRIBUTE A TEST
T1560 Archive Collected Data
Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
T1185 Browser Session Hijacking CONTRIBUTE A TEST
T1557.003 DHCP Spoofing CONTRIBUTE A TEST
T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
T1056.003 Web Portal Capture CONTRIBUTE A TEST
T1125 Video Capture
Atomic Test #1: Registry artefact when an application uses the webcam [windows]
T1213.001 Confluence CONTRIBUTE A TEST
T1114.003 Email Collection: Email Forwarding Rule
Atomic Test #1: Office365 - Email Forwarding [office-365]
T1074 Data Staged CONTRIBUTE A TEST
T1056.002 Input Capture: GUI Input Capture
Atomic Test #1: AppleScript - Prompt User for Password [macos]
Atomic Test #2: PowerShell - Prompt User for Password [windows]
Atomic Test #3: AppleScript - Spoofing a credential prompt using osascript [macos]
T1039 Data from Network Shared Drive
Atomic Test #1: Copy a sensitive File over Administrative share with copy [windows]
Atomic Test #2: Copy a sensitive File over Administrative share with Powershell [windows]
T1114.002 Email Collection: Remote Email Collection
Atomic Test #1: Office365 - Remote Mail Collected [office-365]
T1056 Input Capture CONTRIBUTE A TEST
T1557.002 ARP Cache Poisoning CONTRIBUTE A TEST
T1213.003 Code Repositories CONTRIBUTE A TEST
T1213 Data from Information Repositories CONTRIBUTE A TEST
T1602.001 SNMP (MIB Dump) CONTRIBUTE A TEST
T1056.004 Input Capture: Credential API Hooking
Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
lateral-movement
credential-access
T1557 Adversary-in-the-Middle CONTRIBUTE A TEST
T1556.003 Modify Authentication Process: Pluggable Authentication Modules
Atomic Test #1: Malicious PAM rule [linux]
Atomic Test #2: Malicious PAM rule (freebsd) [linux]
Atomic Test #3: Malicious PAM module [linux]
T1056.001 Input Capture: Keylogging
Atomic Test #1: Input Capture [windows]
Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
Atomic Test #3: Logging bash history to syslog [linux]
Atomic Test #4: Logging sh history to syslog/messages [linux]
Atomic Test #5: Bash session based keylogger [linux]
Atomic Test #6: SSHD PAM keylogger [linux]
Atomic Test #7: Auditd keylogger [linux]
Atomic Test #8: MacOS Swift Keylogger [macos]
T1110.001 Brute Force: Password Guessing
Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
Atomic Test #5: SUDO Brute Force - Debian [linux]
Atomic Test #6: SUDO Brute Force - Redhat [linux]
Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
T1003 OS Credential Dumping
Atomic Test #1: Gsecdump [windows]
Atomic Test #2: Credential Dumping with NPPSpy [windows]
Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe [windows]
Atomic Test #7: Send NTLM Hash with RPC Test Connection [windows]
T1539 Steal Web Session Cookie
Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
T1003.002 OS Credential Dumping: Security Account Manager
Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
Atomic Test #2: Registry parse with pypykatz [windows]
Atomic Test #3: esentutl.exe SAM copy [windows]
Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
Atomic Test #5: dump volume shadow copy hives with certutil [windows]
Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export) [windows]
T1552.005 Unsecured Credentials: Cloud Instance Metadata API
Atomic Test #1: Azure - Search Azure AD User Attributes for Passwords [azure-ad]
Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
T1555.002 Securityd Memory CONTRIBUTE A TEST
T1110.002 Brute Force: Password Cracking
Atomic Test #1: Password Cracking with Hashcat [windows]
T1555.001 Credentials from Password Stores: Keychain
Atomic Test #1: Keychain Dump [macos]
Atomic Test #2: Export Certificate Item(s) [macos]
Atomic Test #3: Import Certificate Item(s) into Keychain [macos]
T1003.004 OS Credential Dumping: LSA Secrets
Atomic Test #1: Dumping LSA Secrets [windows]
Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1 [windows]
T1606.002 Forge Web Credentials: SAML token
Atomic Test #1: Golden SAML [azure-ad]
T1003.007 OS Credential Dumping: Proc Filesystem
Atomic Test #1: Dump individual process memory with sh (Local) [linux]
Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux]
Atomic Test #3: Dump individual process memory with Python (Local) [linux]
Atomic Test #4: Capture Passwords with MimiPenguin [linux]
T1555.005 Password Managers CONTRIBUTE A TEST
T1040 Network Sniffing
Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
Atomic Test #4: Packet Capture Windows Command Prompt [windows]
Atomic Test #5: Windows Internal Packet Capture [windows]
Atomic Test #6: Windows Internal pktmon capture [windows]
Atomic Test #7: Windows Internal pktmon set filter [windows]
Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
Atomic Test #16: PowerShell Network Sniffing [windows]
T1552.002 Unsecured Credentials: Credentials in Registry
Atomic Test #1: Enumeration for Credentials in Registry [windows]
Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
T1556.002 Modify Authentication Process: Password Filter DLL
Atomic Test #1: Install and Register Password Filter DLL [windows]
Atomic Test #2: Install Additional Authentication Packages [windows]
T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
Atomic Test #1: Rubeus asreproast [windows]
Atomic Test #2: Get-DomainUser with PowerView [windows]
Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
T1558 Steal or Forge Kerberos Tickets CONTRIBUTE A TEST
T1555 Credentials from Password Stores
Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [Windows Credentials] [windows]
Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [Web Credentials] [windows]
Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
T1552 Unsecured Credentials
Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
Atomic Test #2: Search for Passwords in Powershell History [windows]
T1556.007 Hybrid Identity CONTRIBUTE A TEST
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Atomic Test #1: Run Chrome-password Collector [windows]
Atomic Test #2: Search macOS Safari Cookies [macos]
Atomic Test #3: LaZagne - Credentials from Browser [windows]
Atomic Test #4: Simulating access to Chrome Login Data [windows]
Atomic Test #5: Simulating access to Opera Login Data [windows]
Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
Atomic Test #11: WinPwn - BrowserPwn [windows]
Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
Atomic Test #17: Dump Chrome Login Data with esentutl [windows]
T1557.003 DHCP Spoofing CONTRIBUTE A TEST
T1552.004 Unsecured Credentials: Private Keys
Atomic Test #1: Private Keys [windows]
Atomic Test #2: Discover Private SSH Keys [linux, macos]
Atomic Test #3: Copy Private SSH Keys with CP [linux]
Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux]
Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux]
Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux]
Atomic Test #9: ADFS token signing and encryption certificates theft - Local [windows]
Atomic Test #10: ADFS token signing and encryption certificates theft - Remote [windows]
Atomic Test #11: CertUtil ExportPFX [windows]
Atomic Test #12: Export Root Certificate with Export-PFXCertificate [windows]
Atomic Test #13: Export Root Certificate with Export-Certificate [windows]
Atomic Test #14: Export Certificates with Mimikatz [windows]
T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
T1003.001 OS Credential Dumping: LSASS Memory
Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
Atomic Test #7: LSASS read with pypykatz [windows]
Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
Atomic Test #10: Powershell Mimikatz [windows]
Atomic Test #11: Dump LSASS with createdump.exe from .Net v5 [windows]
Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe [windows]
Atomic Test #14: Dump LSASS.exe Memory through Silent Process Exit [windows]
T1110.003 Brute Force: Password Spraying
Atomic Test #1: Password Spray all Domain Users [windows]
Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
Atomic Test #8: Password Spray using Kerbrute Tool [windows]
Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
T1056.003 Web Portal Capture CONTRIBUTE A TEST
T1003.005 OS Credential Dumping: Cached Domain Credentials
Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket
Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
T1649 Steal or Forge Authentication Certificates
Atomic Test #1: Staging Local Certificates via Export-Certificate [windows]
T1552.003 Unsecured Credentials: Bash History
Atomic Test #1: Search Through Bash History [linux, macos]
Atomic Test #2: Search Through sh History [linux]
T1552.001 Unsecured Credentials: Credentials In Files
Atomic Test #1: Find AWS credentials [macos, linux]
Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
Atomic Test #3: Extract passwords with grep [linux, macos]
Atomic Test #4: Extracting passwords with findstr [windows]
Atomic Test #5: Access unattend.xml [windows]
Atomic Test #6: Find and Access Github Credentials [linux, macos]
Atomic Test #7: WinPwn - sensitivefiles [windows]
Atomic Test #8: WinPwn - Snaffler [windows]
Atomic Test #9: WinPwn - powershellsensitive [windows]
Atomic Test #10: WinPwn - passhunt [windows]
Atomic Test #11: WinPwn - SessionGopher [windows]
Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
Atomic Test #13: List Credential Files via PowerShell [windows]
Atomic Test #14: List Credential Files via Command Prompt [windows]
T1606.001 Web Cookies CONTRIBUTE A TEST
T1528 Steal Application Access Token
Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
T1552.006 Unsecured Credentials: Group Policy Preferences
Atomic Test #1: GPP Passwords (findstr) [windows]
Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
T1556.008 Network Provider DLL CONTRIBUTE A TEST
T1606 Forge Web Credentials CONTRIBUTE A TEST
T1621 Multi-Factor Authentication Request Generation CONTRIBUTE A TEST
T1552.008 Chat Messages CONTRIBUTE A TEST
T1212 Exploitation for Credential Access CONTRIBUTE A TEST
T1056.002 Input Capture: GUI Input Capture
Atomic Test #1: AppleScript - Prompt User for Password [macos]
Atomic Test #2: PowerShell - Prompt User for Password [windows]
Atomic Test #3: AppleScript - Spoofing a credential prompt using osascript [macos]
T1110 Brute Force CONTRIBUTE A TEST
T1110.004 Brute Force: Credential Stuffing
Atomic Test #1: SSH Credential Stuffing From Linux [linux]
Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux]
Atomic Test #4: Brute Force: Credential Stuffing using Kerbrute Tool [windows]
T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
T1187 Forced Authentication
Atomic Test #1: PetitPotam [windows]
Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
Atomic Test #3: Trigger an authenticated RPC call to a target server with no Sign flag set [windows]
T1056 Input Capture CONTRIBUTE A TEST
T1557.002 ARP Cache Poisoning CONTRIBUTE A TEST
T1556.009 Conditional Access Policies CONTRIBUTE A TEST
T1555.006 Cloud Secrets Management Stores CONTRIBUTE A TEST
T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
Atomic Test #1: Access /etc/shadow (Local) [linux]
Atomic Test #2: Access /etc/master.passwd (Local) [linux]
Atomic Test #3: Access /etc/passwd (Local) [linux]
Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that’s not cat [linux]
Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux]
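Detection-side example for the five tests above, added here and not part of Atomic Red Team. Tests #1 to #4 exec a binary with the file path on its command line, but test #5 reads the file through shell builtins (a redirect into `read`), so no new process is created and process-exec telemetry never sees the path; the shell process itself is what opens the file. A file-open audit rule such as `-w /etc/shadow -p r -k shadow_read` records all five. The function below groups auditd-style records by event serial, joins the SYSCALL context to the PATH names, and flags opens of the hashed-password files by anything outside a root-only allowlist. The log lines, the allowlist and the audit key name are constructed for the example; only the key=value record layout follows auditd's format. It also watches /etc/gshadow, which the tests do not touch.

```python
"""Flag reads of the hashed-password files from auditd-style file-open records.

Added example, not one of the Atomic Red Team tests. The sample log is
constructed in auditd's key=value layout; serials, paths and binaries are
illustrative.
"""
import re
from collections import defaultdict

# Files whose read is worth an alert. /etc/passwd is deliberately absent: it is
# world-readable and opened constantly, so watching it only produces noise.
MONITORED = {"/etc/shadow", "/etc/master.passwd", "/etc/gshadow"}

# Binaries expected to open these files as root (assumed; tune per fleet).
ALLOWLIST = {"/usr/sbin/sshd", "/usr/bin/passwd", "/usr/bin/login",
             "/usr/bin/sudo", "/usr/bin/su"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

# Constructed records: sshd (allowed), a bash builtin read (test #5 shape),
# a failed read by an unprivileged user, and an unrelated open of /etc/hosts.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4101): arch=c000003e syscall=257 success=yes exit=4 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=PATH msg=audit(1700000000.101:4101): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:4102): arch=c000003e syscall=257 success=yes exit=3 uid=0 comm="bash" exe="/usr/bin/bash" key="shadow_read"
type=PATH msg=audit(1700000000.102:4102): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:4103): arch=c000003e syscall=257 success=no exit=-13 uid=1000 comm="head" exe="/usr/bin/head" key="shadow_read"
type=PATH msg=audit(1700000000.103:4103): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:4104): arch=c000003e syscall=257 success=yes exit=3 uid=1000 comm="vim" exe="/usr/bin/vim" key="etc_write"
type=PATH msg=audit(1700000000.104:4104): item=0 name="/etc/hosts" nametype=NORMAL
"""


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    m = SERIAL.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["serial"] = m.group(1)
    return fields


def find_shadow_reads(log_text, allowlist=ALLOWLIST):
    """Return one hit per audit event that opened a monitored file from a
    process that is not (allowlisted binary AND uid 0). Failed opens are
    kept: an EACCES from an unprivileged user is still an attempt."""
    events = defaultdict(list)  # serial -> [SYSCALL, PATH, ...] records
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)

    hits = []
    for serial, recs in events.items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        paths = {r["name"] for r in recs if r.get("type") == "PATH" and "name" in r}
        touched = paths & MONITORED
        if not touched:
            continue
        exe = syscall.get("exe", "")
        if exe in allowlist and syscall.get("uid") == "0":
            continue
        hits.append({
            "serial": serial,
            "exe": exe,
            "comm": syscall.get("comm"),
            "uid": syscall.get("uid"),
            "success": syscall.get("success") == "yes",
            "paths": sorted(touched),
        })
    return sorted(hits, key=lambda h: int(h["serial"]))


if __name__ == "__main__":
    for hit in find_shadow_reads(SAMPLE_LOG):
        state = "read" if hit["success"] else "attempted"
        print(f"{hit['serial']}: {hit['exe']} (uid {hit['uid']}) {state} {hit['paths']}")
```

Against the sample log the bash event (serial 4102) is flagged even though no `cat`, `head` or similar ever ran, which is the gap test #5 exists to expose; the sshd event is suppressed by the allowlist. Keying on the audit serial rather than on line order matters because auditd interleaves records from concurrent events.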
T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket
Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
T1555.004 Credentials from Password Stores: Windows Credential Manager
Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
T1556.005 Reversible Encryption CONTRIBUTE A TEST
T1111 Multi-Factor Authentication Interception CONTRIBUTE A TEST
T1003.003 OS Credential Dumping: NTDS
Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
Atomic Test #1: Request for service tickets [windows]
Atomic Test #2: Rubeus kerberoast [windows]
Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
Atomic Test #4: Request A Single Ticket via PowerShell [windows]
Atomic Test #5: Request All Tickets via PowerShell [windows]
Atomic Test #6: WinPwn - Kerberoasting [windows]
Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
T1003.006 OS Credential Dumping: DCSync
Atomic Test #1: DCSync (Active Directory) [windows]
Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
T1556 Modify Authentication Process CONTRIBUTE A TEST
T1056.004 Input Capture: Credential API Hooking
Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
T1552.007 Kubernetes List Secrets
Atomic Test #1: List All Secrets [containers]
Atomic Test #2: ListSecrets [containers]
Atomic Test #3: Cat the contents of a Kubernetes service account token file [linux]
T1556.004 Network Device Authentication CONTRIBUTE A TEST
discovery
T1033 System Owner/User Discovery
Atomic Test #1: System Owner/User Discovery [windows]
Atomic Test #2: System Owner/User Discovery [linux, macos]
Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
Atomic Test #5: GetCurrent User with PowerShell Script [windows]
Atomic Test #6: System Discovery - SocGholish whoami [windows]
Atomic Test #7: System Owner/User Discovery Using Command Prompt [windows]
T1613 Container and Resource Discovery
Atomic Test #1: Docker Container and Resource Discovery [containers]
Atomic Test #2: Podman Container and Resource Discovery [containers]
T1016.001 System Network Configuration Discovery: Internet Connection Discovery
Atomic Test #1: Check internet connection using ping Windows [windows]
Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
Atomic Test #3: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping) [windows]
Atomic Test #4: Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP) [windows]
Atomic Test #5: Check internet connection using Test-NetConnection in PowerShell (TCP-SMB) [windows]
T1069 Permission Groups Discovery CONTRIBUTE A TEST
T1069.003 Cloud Groups CONTRIBUTE A TEST
T1615 Group Policy Discovery
Atomic Test #1: Display group policy information via gpresult [windows]
Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
Atomic Test #3: WinPwn - GPOAudit [windows]
Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
T1652 Device Driver Discovery
Atomic Test #1: Device Driver Discovery [windows]
T1087.002 Account Discovery: Domain Account
Atomic Test #1: Enumerate all accounts (Domain) [windows]
Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
Atomic Test #4: Automated AD Recon (ADRecon) [windows]
Atomic Test #5: Adfind -Listing password policy [windows]
Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
Atomic Test #11: Get-DomainUser with PowerView [windows]
Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
Atomic Test #15: WinPwn - generaldomaininfo [windows]
Atomic Test #16: Kerbrute - userenum [windows]
Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
Atomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties [windows]
Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property [windows]
Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope [windows]
Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties [windows]
Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
Atomic Test #23: Active Directory Domain Search [linux]
Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
T1087.001 Account Discovery: Local Account
Atomic Test #1: Enumerate all accounts (Local) [linux]
Atomic Test #2: View sudoers access [linux, macos]
Atomic Test #3: View accounts with UID 0 [linux, macos]
Atomic Test #4: List opened files by user [linux, macos]
Atomic Test #5: Show if a user account has ever logged in remotely [linux]
Atomic Test #6: Enumerate users and groups [linux, macos]
Atomic Test #7: Enumerate users and groups [macos]
Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
T1497.001 Virtualization/Sandbox Evasion: System Checks
Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
T1069.002 Permission Groups Discovery: Domain Groups
Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
Atomic Test #8: Adfind - Query Active Directory Groups [windows]
Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
Atomic Test #13: Get-DomainGroup with PowerView [windows]
Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
T1007 System Service Discovery
Atomic Test #1: System Service Discovery [windows]
Atomic Test #2: System Service Discovery - net.exe [windows]
Atomic Test #3: System Service Discovery - systemctl/service [linux]
Atomic Test #4: Get-Service Execution [windows]
T1040 Network Sniffing
Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
Atomic Test #4: Packet Capture Windows Command Prompt [windows]
Atomic Test #5: Windows Internal Packet Capture [windows]
Atomic Test #6: Windows Internal pktmon capture [windows]
Atomic Test #7: Windows Internal pktmon set filter [windows]
Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
Atomic Test #16: PowerShell Network Sniffing [windows]
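Worked example for the Linux socket tests in T1040 (#12 to #15, listed under both credential-access and discovery), added here and not taken from Atomic Red Team. Test #15 combines an AF_PACKET/SOCK_RAW socket with a BPF filter for UDP; the filter program below is what `tcpdump -dd "ip and udp"` emits for an Ethernet link, attached with SO_ATTACH_FILTER. Because the socket needs CAP_NET_RAW, the block also carries a small interpreter for the handful of classic-BPF opcodes the program uses, so the filter's accept/drop decisions can be checked offline on constructed frames. The SO_ATTACH_FILTER value and the interface name are assumptions; the frames are constructed, not captured.

```python
"""AF_PACKET/SOCK_RAW capture with a classic-BPF "ip and udp" filter.

Added example, not code from Atomic Red Team. bpf_run() models only the
opcodes UDP_FILTER uses (ldh/ldb absolute, jeq, ret); the kernel copies the
program at setsockopt time, so the Python buffer need not outlive the call.
"""
import ctypes
import socket
import struct

# (code, jt, jf, k) == struct sock_filter, from `tcpdump -dd "ip and udp"`.
# Offsets are link-layer relative: AF_PACKET hands the filter the whole frame.
UDP_FILTER = [
    (0x28, 0, 0, 0x0000000C),  # ldh [12]      A = EtherType
    (0x15, 0, 3, 0x00000800),  # jeq #0x0800   IPv4? otherwise jump 3 -> drop
    (0x30, 0, 0, 0x00000017),  # ldb [23]      A = IP protocol field
    (0x15, 0, 1, 0x00000011),  # jeq #17       UDP? otherwise jump 1 -> drop
    (0x06, 0, 0, 0x00040000),  # ret #262144   accept up to snaplen bytes
    (0x06, 0, 0, 0x00000000),  # ret #0        drop
]

ETH_P_ALL = 0x0003
SO_ATTACH_FILTER = 26  # asm-generic/socket.h; assumed, Python's socket module does not export it


def pack_filter(prog):
    """Serialise to the struct sock_filter[] byte array the kernel expects."""
    return b"".join(struct.pack("HBBI", *ins) for ins in prog)


def bpf_run(prog, pkt):
    """Interpret the classic-BPF subset used by UDP_FILTER.
    Returns the accept length; 0 means drop. A load past the end of the
    frame drops the packet, as the kernel does."""
    acc = 0
    pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == 0x28:        # BPF_LD | BPF_H | BPF_ABS
            if k + 2 > len(pkt):
                return 0
            acc = (pkt[k] << 8) | pkt[k + 1]
        elif code == 0x30:      # BPF_LD | BPF_B | BPF_ABS
            if k + 1 > len(pkt):
                return 0
            acc = pkt[k]
        elif code == 0x15:      # BPF_JMP | BPF_JEQ | BPF_K
            pc += jt if acc == k else jf
        elif code == 0x06:      # BPF_RET | BPF_K
            return k
        else:
            raise ValueError(f"opcode {code:#x} not modelled by this interpreter")
    return 0


def accepts(prog, frame):
    return bpf_run(prog, frame) > 0


def ethernet_ipv4_frame(proto, payload=b""):
    """Constructed frame: zero MACs, EtherType 0x0800, minimal IPv4 header
    (checksum left zero) carrying `proto`, then the payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


def open_udp_capture(ifname):
    """Open the raw socket the test uses and attach UDP_FILTER.
    Needs CAP_NET_RAW (sudo) on Linux; not exercised by the offline checks."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    code = ctypes.create_string_buffer(pack_filter(UDP_FILTER))
    # struct sock_fprog { unsigned short len; struct sock_filter *filter; }
    fprog = struct.pack("HL", len(UDP_FILTER), ctypes.addressof(code))
    s.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    s.bind((ifname, 0))  # ETH_P_ALL already set on the socket
    return s


if __name__ == "__main__":
    sock = open_udp_capture("eth0")  # interface name is an assumption
    for _ in range(5):
        frame, _addr = sock.recvfrom(65535)
        src, dst = frame[26:30], frame[30:34]  # IPv4 src/dst at 14 + 12 / 14 + 16
        print(f"UDP {'.'.join(map(str, src))} -> {'.'.join(map(str, dst))} ({len(frame)} bytes)")
```

Detection of this test lands on the socket call rather than the filter: a `socket(AF_PACKET, SOCK_RAW, ...)` from a process that is not a known capture tool, or any process acquiring CAP_NET_RAW, is the observable. The filter is only what keeps the attacker's capture small.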
T1135 Network Share Discovery
Atomic Test #1: Network Share Discovery [macos]
Atomic Test #2: Network Share Discovery - linux [linux]
Atomic Test #3: Network Share Discovery - FreeBSD [linux]
Atomic Test #4: Network Share Discovery command prompt [windows]
Atomic Test #5: Network Share Discovery PowerShell [windows]
Atomic Test #6: View available share drives [windows]
Atomic Test #7: Share Discovery with PowerView [windows]
Atomic Test #8: PowerView ShareFinder [windows]
Atomic Test #9: WinPwn - shareenumeration [windows]
Atomic Test #10: Network Share Discovery via dir command [windows]
Atomic Test #11: Enumerate All Network Shares with SharpShares [windows]
Atomic Test #12: Enumerate All Network Shares with Snaffler [windows]
T1120 Peripheral Device Discovery
Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
Atomic Test #2: WinPwn - printercheck [windows]
Atomic Test #3: Peripheral Device Discovery via fsutil [windows]
T1082 System Information Discovery
Atomic Test #1: System Information Discovery [windows]
Atomic Test #2: System Information Discovery [macos]
Atomic Test #3: List OS Information [linux, macos]
Atomic Test #4: Linux VM Check via Hardware [linux]
Atomic Test #5: Linux VM Check via Kernel Modules [linux]
Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux]
Atomic Test #7: Hostname Discovery (Windows) [windows]
Atomic Test #8: Hostname Discovery [linux, macos]
Atomic Test #9: Windows MachineGUID Discovery [windows]
Atomic Test #10: Griffon Recon [windows]
Atomic Test #11: Environment variables discovery on windows [windows]
Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
Atomic Test #14: WinPwn - winPEAS [windows]
Atomic Test #15: WinPwn - itm4nprivesc [windows]
Atomic Test #16: WinPwn - Powersploits privesc checks [windows]
Atomic Test #17: WinPwn - General privesc checks [windows]
Atomic Test #18: WinPwn - GeneralRecon [windows]
Atomic Test #19: WinPwn - Morerecon [windows]
Atomic Test #20: WinPwn - RBCD-Check [windows]
Atomic Test #21: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
Atomic Test #22: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
Atomic Test #23: WinPwn - PowerSharpPack - Seatbelt [windows]
Atomic Test #24: Azure Security Scan with SkyArk [azure-ad]
Atomic Test #25: Linux List Kernel Modules [linux]
Atomic Test #26: FreeBSD List Kernel Modules [linux]
Atomic Test #27: System Information Discovery with WMIC [windows]
Atomic Test #28: System Information Discovery [windows]
Atomic Test #29: Check computer location [windows]
Atomic Test #30: BIOS Information Discovery through Registry [windows]
Atomic Test #31: ESXi - VM Discovery using ESXCLI [windows]
Atomic Test #32: ESXi - Darkside system information discovery [windows]
Atomic Test #33: sysctl to gather macOS hardware info [macos]
Atomic Test #34: operating system discovery [windows]
Atomic Test #35: Check OS version via “ver” command [windows]
Atomic Test #36: Display volume shadow copies with “vssadmin” [windows]
T1016.002 System Network Configuration Discovery: Wi-Fi Discovery
Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
T1010 Application Window Discovery
Atomic Test #1: List Process Main Windows - C# .NET [windows]
T1087.003 Email Account CONTRIBUTE A TEST
T1497.003 Time Based Evasion
Atomic Test #1: Delay execution with ping [linux, macos]
T1580 Cloud Infrastructure Discovery
Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
Atomic Test #2: AWS - EC2 Security Group Enumeration [iaas:aws]
T1217 Browser Bookmark Discovery
Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux]
Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux]
Atomic Test #5: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
Atomic Test #6: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
Atomic Test #7: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
Atomic Test #8: List Internet Explorer Bookmarks using the command prompt [windows]
Atomic Test #9: List Safari Bookmarks on MacOS [macos]
Atomic Test #10: Extract Edge Browsing History [windows]
Atomic Test #11: Extract chrome Browsing History [windows]
T1016 System Network Configuration Discovery
Atomic Test #1: System Network Configuration Discovery on Windows [windows]
Atomic Test #2: List Windows Firewall Rules [windows]
Atomic Test #3: System Network Configuration Discovery [macos, linux]
Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
Atomic Test #5: List Open Egress Ports [windows]
Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
Atomic Test #7: Qakbot Recon [windows]
Atomic Test #8: List macOS Firewall Rules [macos]
Atomic Test #9: DNS Server Discovery Using nslookup [windows]
T1087 Account Discovery CONTRIBUTE A TEST
T1482 Domain Trust Discovery
Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
Atomic Test #3: Powershell enumerate domains and forests [windows]
Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
Atomic Test #6: Get-DomainTrust with PowerView [windows]
Atomic Test #7: Get-ForestTrust with PowerView [windows]
Atomic Test #8: TruffleSnout - Listing AD Infrastructure [windows]
T1083 File and Directory Discovery
Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
Atomic Test #3: Nix File and Directory Discovery [linux, macos]
Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
Atomic Test #6: Launch DirLister Executable [windows]
Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
T1049 System Network Connections Discovery
Atomic Test #1: System Network Connections Discovery [windows]
Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
Atomic Test #4: System Discovery using SharpView [windows]
T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
T1619 Cloud Storage Object Discovery
Atomic Test #1: AWS S3 Enumeration [iaas:aws]
T1654 Log Enumeration
Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
T1087.004 Cloud Account CONTRIBUTE A TEST
T1057 Process Discovery
Atomic Test #1: Process Discovery - ps [linux, macos]
Atomic Test #2: Process Discovery - tasklist [windows]
Atomic Test #3: Process Discovery - Get-Process [windows]
Atomic Test #4: Process Discovery - get-wmiObject [windows]
Atomic Test #5: Process Discovery - wmic process [windows]
Atomic Test #6: Discover Specific Process - tasklist [windows]
Atomic Test #7: Process Discovery - Process Hacker [windows]
Atomic Test #8: Process Discovery - PC Hunter [windows]
Atomic Test #9: Launch Taskmgr from cmd to View running processes [windows]
T1497.002 User Activity Based Checks CONTRIBUTE A TEST
T1069.001 Permission Groups Discovery: Local Groups
Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
Atomic Test #4: SharpHound3 - LocalAdmin [windows]
Atomic Test #5: Wmic Group Discovery [windows]
Atomic Test #6: WMIObject Group Discovery [windows]
Atomic Test #7: Permission Groups Discovery for Containers - Local Groups [containers]
T1201 Password Policy Discovery
Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
Atomic Test #2: Examine password complexity policy - FreeBSD [linux]
Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux]
Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux]
Atomic Test #5: Examine password expiration policy - All Linux [linux]
Atomic Test #6: Examine local password policy - Windows [windows]
Atomic Test #7: Examine domain password policy - Windows [windows]
Atomic Test #8: Examine password policy - macOS [macos]
Atomic Test #9: Get-DomainPolicy with PowerView [windows]
Atomic Test #10: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
Atomic Test #11: Use of SecEdit.exe to export the local security policy (including the password policy) [windows]
Atomic Test #12: Examine AWS Password Policy [iaas:aws]
T1614.001 System Location Discovery: System Language Discovery
Atomic Test #1: Discover System Language by Registry Query [windows]
Atomic Test #2: Discover System Language with chcp [windows]
Atomic Test #3: Discover System Language with locale [linux]
Atomic Test #4: Discover System Language with localectl [linux]
Atomic Test #5: Discover System Language by locale file [linux]
Atomic Test #6: Discover System Language by Environment Variable Query [linux]
Atomic Test #7: Discover System Language with dism.exe [windows]
Atomic Test #8: Discover System Language by Windows API Query [windows]
T1012 Query Registry
Atomic Test #1: Query Registry [windows]
Atomic Test #2: Query Registry with Powershell cmdlets [windows]
Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry [windows]
Atomic Test #6: Inspect SystemStartOptions Value in Registry [windows]
T1614 System Location Discovery
Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
T1518.001 Software Discovery: Security Software Discovery
Atomic Test #1: Security Software Discovery [windows]
Atomic Test #2: Security Software Discovery - powershell [windows]
Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux]
Atomic Test #6: Security Software Discovery - Sysmon Service [windows]
Atomic Test #7: Security Software Discovery - AV Discovery via WMI [windows]
Atomic Test #8: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows]
Atomic Test #9: Security Software Discovery - Windows Defender Enumeration [windows]
Atomic Test #10: Security Software Discovery - Windows Firewall Enumeration [windows]
Atomic Test #11: Get Windows Defender exclusion settings using WMIC [windows]
T1526 Cloud Service Discovery
Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
T1018 Remote System Discovery
Atomic Test #1: Remote System Discovery - net [windows]
Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
Atomic Test #3: Remote System Discovery - nltest [windows]
Atomic Test #4: Remote System Discovery - ping sweep [windows]
Atomic Test #5: Remote System Discovery - arp [windows]
Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
Atomic Test #7: Remote System Discovery - sweep [linux, macos]
Atomic Test #8: Remote System Discovery - nslookup [windows]
Atomic Test #9: Remote System Discovery - adidnsdump [windows]
Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
Atomic Test #12: Remote System Discovery - ip neighbour [linux]
Atomic Test #13: Remote System Discovery - ip route [linux]
Atomic Test #14: Remote System Discovery - netstat [linux]
Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux]
Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer [windows]
Atomic Test #18: Enumerate Active Directory Computers with ADSISearcher [windows]
Atomic Test #19: Get-DomainController with PowerView [windows]
Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers [windows]
Atomic Test #21: Remote System Discovery - net group Domain Controller [windows]
Atomic Test #22: Enumerate Remote Hosts with Netscan [windows]
T1046 Network Service Discovery
Atomic Test #1: Port Scan [linux, macos]
Atomic Test #2: Port Scan Nmap [linux, macos]
Atomic Test #3: Port Scan NMap for Windows [windows]
Atomic Test #4: Port Scan using python [windows]
Atomic Test #5: WinPwn - spoolvulnscan [windows]
Atomic Test #6: WinPwn - MS17-10 [windows]
Atomic Test #7: WinPwn - bluekeep [windows]
Atomic Test #8: WinPwn - fruit [windows]
Atomic Test #9: Network Service Discovery for Containers [containers]
Atomic Test #10: Port-Scanning /24 Subnet with PowerShell [windows]
Atomic Test #11: Remote Desktop Services Discovery via PowerShell [windows]
T1518 Software Discovery
Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
Atomic Test #2: Applications Installed [windows]
Atomic Test #3: Find and Display Safari Browser Version [macos]
Atomic Test #4: WinPwn - Dotnetsearch [windows]
Atomic Test #5: WinPwn - DotNet [windows]
Atomic Test #6: WinPwn - powerSQL [windows]
T1538 Cloud Service Dashboard CONTRIBUTE A TEST
T1622 Debugger Evasion
Atomic Test #1: Detect a Debugger Presence in the Machine [windows]
T1124 System Time Discovery
Atomic Test #1: System Time Discovery [windows]
Atomic Test #2: System Time Discovery - PowerShell [windows]
Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
Atomic Test #5: System Time with Windows time Command [windows]
resource-development
reconnaissance
impact
T1561.002 Disk Structure Wipe CONTRIBUTE A TEST
T1498.001 Direct Network Flood CONTRIBUTE A TEST
T1491.002 External Defacement CONTRIBUTE A TEST
T1499.001 OS Exhaustion Flood CONTRIBUTE A TEST
T1499.003 Application Exhaustion Flood CONTRIBUTE A TEST
T1561 Disk Wipe CONTRIBUTE A TEST
T1565.001 Stored Data Manipulation CONTRIBUTE A TEST
T1489 Service Stop
Atomic Test #1: Windows - Stop service using Service Controller [windows]
Atomic Test #2: Windows - Stop service using net.exe [windows]
Atomic Test #3: Windows - Stop service by killing process [windows]
Atomic Test #4: Linux - Stop service using systemctl [linux]
Atomic Test #5: Linux - Stop service by killing process using killall [linux]
Atomic Test #6: Linux - Stop service by killing process using kill [linux]
Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
T1499.004 Application or System Exploitation CONTRIBUTE A TEST
T1565.003 Runtime Data Manipulation CONTRIBUTE A TEST
T1498.002 Reflection Amplification CONTRIBUTE A TEST
T1499.002 Service Exhaustion Flood CONTRIBUTE A TEST
T1491 Defacement CONTRIBUTE A TEST
T1657 Financial Theft CONTRIBUTE A TEST
T1491.001 Defacement: Internal Defacement
Atomic Test #1: Replace Desktop Wallpaper [windows]
Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
T1565 Data Manipulation CONTRIBUTE A TEST
T1531 Account Access Removal
Atomic Test #1: Change User Password - Windows [windows]
Atomic Test #2: Delete User - Windows [windows]
Atomic Test #3: Remove Account From Domain Admin Group [windows]
Atomic Test #4: Change User Password via passwd [macos, linux]
Atomic Test #5: Delete User via dscl utility [macos]
Atomic Test #6: Delete User via sysadminctl utility [macos]
Atomic Test #7: Azure AD - Delete user via Azure AD PowerShell [azure-ad]
Atomic Test #8: Azure AD - Delete user via Azure CLI [azure-ad]
T1486 Data Encrypted for Impact
Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux]
Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux]
Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux]
Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux]
Atomic Test #5: PureLocker Ransom Note [windows]
Atomic Test #6: Encrypt files using 7z utility - macOS [macos]
Atomic Test #7: Encrypt files using openssl utility - macOS [macos]
Atomic Test #8: Data Encrypted with GPG4Win [windows]
Atomic Test #9: Data Encrypt Using DiskCryptor [windows]
Atomic Test #10: Akira Ransomware drop Files with .akira Extension and Ransomnote [windows]
T1499 Endpoint Denial of Service CONTRIBUTE A TEST
T1496 Resource Hijacking
Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
T1565.002 Transmitted Data Manipulation CONTRIBUTE A TEST
T1485 Data Destruction
Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
Atomic Test #3: Overwrite deleted data on C drive [windows]
Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
T1498 Network Denial of Service CONTRIBUTE A TEST
T1495 Firmware Corruption CONTRIBUTE A TEST
T1490 Inhibit System Recovery
Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
Atomic Test #6: Windows - Delete Backup Files [windows]
Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
Atomic Test #8: Windows - Disable the SR scheduled task [windows]
Atomic Test #9: Disable System Restore Through Registry [windows]
Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
Atomic Test #11: Modify VSS Service Permissions [windows]
Atomic Test #12: Disable Time Machine [macos]
T1561.001 Disk Content Wipe CONTRIBUTE A TEST
T1529 System Shutdown/Reboot
Atomic Test #1: Shutdown System - Windows [windows]
Atomic Test #2: Restart System - Windows [windows]
Atomic Test #3: Restart System via - FreeBSD/macOS/Linux [linux, macos]
Atomic Test #4: Shutdown System via - FreeBSD/macOS/Linux [linux, macos]
Atomic Test #5: Restart System via - FreeBSD/macOS/Linux [linux, macos]
Atomic Test #6: Shutdown System via - FreeBSD/Linux [linux]
Atomic Test #7: Reboot System via - FreeBSD [linux]
Atomic Test #8: Reboot System via - Linux [linux]
Atomic Test #9: Shutdown System via - FreeBSD/Linux [linux]
Atomic Test #10: Reboot System via - FreeBSD [linux]
Atomic Test #11: Reboot System via - Linux [linux]
Atomic Test #12: Logoff System - Windows [windows]
Atomic Test #13: ESXi - Terminates VMs using pkill [windows]
Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [windows]
initial-access
T1133 External Remote Services
Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
T1195.001 Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST
T1566.002 Spearphishing Link CONTRIBUTE A TEST
T1566.001 Phishing: Spearphishing Attachment
Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
T1195.003 Compromise Hardware Supply Chain CONTRIBUTE A TEST
T1091 Replication Through Removable Media
Atomic Test #1: USB Malware Spread Simulation [windows]
T1195 Supply Chain Compromise
Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
T1190 Exploit Public-Facing Application CONTRIBUTE A TEST
T1659 Content Injection CONTRIBUTE A TEST
T1078.001 Valid Accounts: Default Accounts
Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
Atomic Test #2: Activate Guest Account [windows]
Atomic Test #3: Enable Guest Account on macOS [macos]
T1199 Trusted Relationship CONTRIBUTE A TEST
T1566 Phishing CONTRIBUTE A TEST
T1078 Valid Accounts CONTRIBUTE A TEST
T1566.004 Spearphishing Voice CONTRIBUTE A TEST
T1195.002 Compromise Software Supply Chain CONTRIBUTE A TEST
T1078.002 Domain Accounts CONTRIBUTE A TEST
T1200 Hardware Additions CONTRIBUTE A TEST
T1189 Drive-by Compromise CONTRIBUTE A TEST
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
T1566.003 Spearphishing via Service CONTRIBUTE A TEST
T1078.003 Valid Accounts: Local Accounts
Atomic Test #1: Create local account with admin privileges [windows]
Atomic Test #2: Create local account with admin privileges - MacOS [macos]
Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
Atomic Test #8: Create local account (Linux) [linux]
Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
Atomic Test #11: Login as nobody (Linux) [linux]
Atomic Test #12: Login as nobody (freebsd) [linux]
Atomic Test #13: Use PsExec to elevate to NT Authority\SYSTEM account [windows]
exfiltration