linux-index.md

Linux Atomic Tests by ATT&CK Tactic & Technique

defense-evasion

• T1055.011 Process Injection: Extra Window Memory Injection CONTRIBUTE A TEST
• T1205.002 Socket Filters CONTRIBUTE A TEST
• T1027.011 Fileless Storage CONTRIBUTE A TEST
• T1218.011 Signed Binary Proxy Execution: Rundll32 CONTRIBUTE A TEST
• T1027.009 Embedded Payloads CONTRIBUTE A TEST
• T1564.012 File/Path Exclusions CONTRIBUTE A TEST
• T1216.001 Signed Script Proxy Execution: Pubprn CONTRIBUTE A TEST
• T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
• T1006 Direct Volume Access CONTRIBUTE A TEST
• T1564.008 Hide Artifacts: Email Hiding Rules CONTRIBUTE A TEST
• T1027.013 Encrypted/Encoded File CONTRIBUTE A TEST
• T1014 Rootkit
  • Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  • Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
  • Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
  • Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
• T1036.007 Masquerading: Double File Extension CONTRIBUTE A TEST
• T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control CONTRIBUTE A TEST
• T1542.001 Pre-OS Boot: System Firmware CONTRIBUTE A TEST
• T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness CONTRIBUTE A TEST
• T1542.003 Bootkit CONTRIBUTE A TEST
• T1218.013 Mavinject CONTRIBUTE A TEST
• T1036.005 Masquerading: Match Legitimate Name or Location
  • Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
• T1036.008 Masquerade File Type CONTRIBUTE A TEST
• T1564 Hide Artifacts CONTRIBUTE A TEST
• T1484.002 Domain Trust Modification CONTRIBUTE A TEST
• T1562.009 Impair Defenses: Safe Boot Mode CONTRIBUTE A TEST
• T1497.001 Virtualization/Sandbox Evasion: System Checks
  • Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  • Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
• T1218.004 Signed Binary Proxy Execution: InstallUtil CONTRIBUTE A TEST
• T1027.008 Stripped Payloads CONTRIBUTE A TEST
• T1574.001 Hijack Execution Flow: DLL Search Order Hijacking CONTRIBUTE A TEST
• T1553.002 Code Signing CONTRIBUTE A TEST
• T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification CONTRIBUTE A TEST
• T1574.014 AppDomainManager CONTRIBUTE A TEST
• T1218.007 Signed Binary Proxy Execution: Msiexec CONTRIBUTE A TEST
• T1556.002 Modify Authentication Process: Password Filter DLL CONTRIBUTE A TEST
• T1070.007 Clear Network Connection History and Configurations CONTRIBUTE A TEST
• T1070.003 Indicator Removal on Host: Clear Command History
  • Atomic Test #1: Clear Bash history (rm) [linux, macos]
  • Atomic Test #2: Clear Bash history (echo) [linux]
  • Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
  • Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
  • Atomic Test #5: Clear Bash history (truncate) [linux]
  • Atomic Test #6: Clear history of a bunch of shells [linux, macos]
  • Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
  • Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
  • Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
  • Atomic Test #10: Clear Docker Container Logs [linux]
• T1202 Indirect Command Execution CONTRIBUTE A TEST
• T1140 Deobfuscate/Decode Files or Information
  • Atomic Test #3: Base64 decoding with Python [linux, macos]
  • Atomic Test #4: Base64 decoding with Perl [linux, macos]
  • Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
  • Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux]
  • Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]
  • Atomic Test #8: Hex decoding with shell utilities [linux, macos]
  • Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
  • Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
• T1562 Impair Defenses
  • Atomic Test #2: Disable journal logging via systemctl utility [linux]
  • Atomic Test #3: Disable journal logging via sed utility [linux]
• T1055.003 Thread Execution Hijacking CONTRIBUTE A TEST
• T1036 Masquerading CONTRIBUTE A TEST
• T1070.008 Email Collection: Mailbox Manipulation
  • Atomic Test #2: Copy and Delete Mailbox Data on Linux [linux]
  • Atomic Test #5: Copy and Modify Mailbox Data on Linux [linux]
• T1055 Process Injection CONTRIBUTE A TEST
• T1205 Traffic Signaling CONTRIBUTE A TEST
• T1218 Signed Binary Proxy Execution CONTRIBUTE A TEST
• T1070.006 Indicator Removal on Host: Timestomp
  • Atomic Test #1: Set a file's access timestamp [linux, macos]
  • Atomic Test #2: Set a file's modification timestamp [linux, macos]
  • Atomic Test #3: Set a file's creation timestamp [linux, macos]
  • Atomic Test #4: Modify file timestamps using reference file [linux, macos]
• T1620 Reflective Code Loading CONTRIBUTE A TEST
• T1480.002 Mutual Exclusion CONTRIBUTE A TEST
• T1564.011 Ignore Process Interrupts CONTRIBUTE A TEST
• T1497.003 Time Based Evasion
  • Atomic Test #1: Delay execution with ping [linux, macos]
• T1218.003 Signed Binary Proxy Execution: CMSTP CONTRIBUTE A TEST
• T1562.002 Impair Defenses: Disable Windows Event Logging CONTRIBUTE A TEST
• T1218.002 Signed Binary Proxy Execution: Control Panel CONTRIBUTE A TEST
• T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
• T1562.004 Impair Defenses: Disable or Modify System Firewall
  • Atomic Test #7: Stop/Start UFW firewall [linux]
  • Atomic Test #8: Stop/Start Packet Filter [linux]
  • Atomic Test #9: Stop/Start UFW firewall systemctl [linux]
  • Atomic Test #10: Turn off UFW logging [linux]
  • Atomic Test #11: Add and delete UFW firewall rules [linux]
  • Atomic Test #12: Add and delete Packet Filter rules [linux]
  • Atomic Test #13: Edit UFW firewall user.rules file [linux]
  • Atomic Test #14: Edit UFW firewall ufw.conf file [linux]
  • Atomic Test #15: Edit UFW firewall sysctl.conf file [linux]
  • Atomic Test #16: Edit UFW firewall main configuration file [linux]
  • Atomic Test #17: Tail the UFW firewall log file [linux]
  • Atomic Test #18: Disable iptables [linux]
  • Atomic Test #19: Modify/delete iptables firewall rules [linux]
• T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking CONTRIBUTE A TEST
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1218.015 Electron Applications CONTRIBUTE A TEST
• T1207 Rogue Domain Controller CONTRIBUTE A TEST
• T1553.006 Subvert Trust Controls: Code Signing Policy Modification CONTRIBUTE A TEST
• T1112 Modify Registry CONTRIBUTE A TEST
• T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking CONTRIBUTE A TEST
• T1027.001 Obfuscated Files or Information: Binary Padding
  • Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
  • Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
• T1484.001 Domain Policy Modification: Group Policy Modification CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1070.001 Indicator Removal on Host: Clear Windows Event Logs CONTRIBUTE A TEST
• T1222 File and Directory Permissions Modification CONTRIBUTE A TEST
• T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
• T1134.002 Create Process with Token CONTRIBUTE A TEST
• T1218.008 Signed Binary Proxy Execution: Odbcconf CONTRIBUTE A TEST
• T1055.013 Process Doppelgänging CONTRIBUTE A TEST
• T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
• T1562.006 Impair Defenses: Indicator Blocking
  • Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
  • Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
  • Atomic Test #3: Logging Configuration Changes on Linux Host [linux]
  • Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux]
• T1036.002 Right-to-Left Override CONTRIBUTE A TEST
• T1542.002 Component Firmware CONTRIBUTE A TEST
• T1070 Indicator Removal on Host CONTRIBUTE A TEST
• T1550.003 Use Alternate Authentication Material: Pass the Ticket CONTRIBUTE A TEST
• T1036.004 Masquerading: Masquerade Task or Service
  • Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
  • Atomic Test #4: Hiding a malicious process with bind mounts [linux]
• T1055.004 Process Injection: Asynchronous Procedure Call CONTRIBUTE A TEST
• T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass CONTRIBUTE A TEST
• T1542 Pre-OS Boot CONTRIBUTE A TEST
• T1055.002 Process Injection: Portable Executable Injection CONTRIBUTE A TEST
• T1218.012 Verclsid CONTRIBUTE A TEST
• T1562.010 Impair Defenses: Downgrade Attack
  • Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
• T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
• T1218.005 Signed Binary Proxy Execution: Mshta CONTRIBUTE A TEST
• T1480 Execution Guardrails CONTRIBUTE A TEST
• T1134.001 Access Token Manipulation: Token Impersonation/Theft CONTRIBUTE A TEST
• T1205.001 Port Knocking CONTRIBUTE A TEST
• T1027.012 LNK Icon Smuggling CONTRIBUTE A TEST
• T1564.002 Hide Artifacts: Hidden Users CONTRIBUTE A TEST
• T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
• T1562.003 Impair Defenses: Impair Command History Logging
  • Atomic Test #1: Disable history collection [linux, macos]
  • Atomic Test #2: Disable history collection (freebsd) [linux]
  • Atomic Test #3: Mac HISTCONTROL [macos, linux]
  • Atomic Test #4: Clear bash history [linux]
  • Atomic Test #5: Setting the HISTCONTROL environment variable [linux]
  • Atomic Test #6: Setting the HISTFILESIZE environment variable [linux]
  • Atomic Test #7: Setting the HISTSIZE environment variable [linux]
  • Atomic Test #8: Setting the HISTFILE environment variable [linux]
  • Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
  • Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
• T1556.008 Network Provider DLL CONTRIBUTE A TEST
• T1497.002 User Activity Based Checks CONTRIBUTE A TEST
• T1134.004 Access Token Manipulation: Parent PID Spoofing CONTRIBUTE A TEST
• T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
• T1574.013 KernelCallbackTable CONTRIBUTE A TEST
• T1218.001 Signed Binary Proxy Execution: Compiled HTML File CONTRIBUTE A TEST
• T1070.005 Indicator Removal on Host: Network Share Connection Removal CONTRIBUTE A TEST
• T1562.001 Impair Defenses: Disable or Modify Tools
  • Atomic Test #1: Disable syslog [linux]
  • Atomic Test #2: Disable syslog (freebsd) [linux]
  • Atomic Test #3: Disable Cb Response [linux]
  • Atomic Test #4: Disable SELinux [linux]
  • Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
  • Atomic Test #39: Clear History [linux]
  • Atomic Test #40: Suspend History [linux]
  • Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
  • Atomic Test #42: Clear Pagging Cache [linux]
  • Atomic Test #43: Disable Memory Swap [linux]
  • Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
  • Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
• T1574 Hijack Execution Flow CONTRIBUTE A TEST
• T1027.005 Indicator Removal from Tools CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1055.012 Process Injection: Process Hollowing CONTRIBUTE A TEST
• T1027 Obfuscated Files or Information
  • Atomic Test #1: Decode base64 Data into Script [macos, linux]
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1036.001 Invalid Code Signature CONTRIBUTE A TEST
• T1564.006 Run Virtual Instance CONTRIBUTE A TEST
• T1027.014 Polymorphic Code CONTRIBUTE A TEST
• T1134.005 Access Token Manipulation: SID-History Injection CONTRIBUTE A TEST
• T1553 Subvert Trust Controls CONTRIBUTE A TEST
• T1218.010 Signed Binary Proxy Execution: Regsvr32 CONTRIBUTE A TEST
• T1036.003 Masquerading: Rename System Utilities
  • Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [linux]
• T1562.011 Spoof Security Alerting CONTRIBUTE A TEST
• T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path CONTRIBUTE A TEST
• T1027.003 Steganography CONTRIBUTE A TEST
• T1078.002 Domain Accounts CONTRIBUTE A TEST
• T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm CONTRIBUTE A TEST
• T1553.004 Subvert Trust Controls: Install Root Certificate
  • Atomic Test #1: Install root CA on CentOS/RHEL [linux]
  • Atomic Test #2: Install root CA on FreeBSD [linux]
  • Atomic Test #3: Install root CA on Debian/Ubuntu [linux]
• T1027.004 Obfuscated Files or Information: Compile After Delivery
  • Atomic Test #3: C compile [linux, macos]
  • Atomic Test #4: CC compile [linux, macos]
  • Atomic Test #5: Go compile [linux, macos]
• T1564.007 VBA Stomping CONTRIBUTE A TEST
• T1197 BITS Jobs CONTRIBUTE A TEST
• T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild CONTRIBUTE A TEST
• T1656 Impersonation CONTRIBUTE A TEST
• T1564.003 Hide Artifacts: Hidden Window CONTRIBUTE A TEST
• T1127.002 ClickOnce CONTRIBUTE A TEST
• T1070.010 Relocate Malware CONTRIBUTE A TEST
• T1070.009 Clear Persistence CONTRIBUTE A TEST
• T1036.010 Masquerade Account Name CONTRIBUTE A TEST
• T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
• T1027.006 HTML Smuggling CONTRIBUTE A TEST
• T1556.005 Reversible Encryption CONTRIBUTE A TEST
• T1027.010 Command Obfuscation CONTRIBUTE A TEST
• T1070.004 Indicator Removal on Host: File Deletion
  • Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
  • Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
  • Atomic Test #3: Overwrite and delete a file with shred [linux]
  • Atomic Test #8: Delete Filesystem - Linux [linux]
• T1221 Template Injection CONTRIBUTE A TEST
• T1134 Access Token Manipulation CONTRIBUTE A TEST
• T1027.002 Obfuscated Files or Information: Software Packing
  • Atomic Test #1: Binary simply packed by UPX (linux) [linux]
  • Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
• T1564.005 Hidden File System CONTRIBUTE A TEST
• T1055.005 Thread Local Storage CONTRIBUTE A TEST
• T1622 Debugger Evasion CONTRIBUTE A TEST
• T1550.002 Use Alternate Authentication Material: Pass the Hash CONTRIBUTE A TEST
• T1574.002 Hijack Execution Flow: DLL Side-Loading CONTRIBUTE A TEST
• T1216.002 SyncAppvPublishingServer CONTRIBUTE A TEST
• T1027.007 Obfuscated Files or Information: Dynamic API Resolution CONTRIBUTE A TEST
• T1055.015 Process Injection: ListPlanting CONTRIBUTE A TEST
• T1484 Domain or Tenant Policy Modification CONTRIBUTE A TEST
• T1220 XSL Script Processing CONTRIBUTE A TEST
• T1564.001 Hide Artifacts: Hidden Files and Directories
  • Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
• T1480.001 Environmental Keying CONTRIBUTE A TEST
• T1564.004 Hide Artifacts: NTFS File Attributes CONTRIBUTE A TEST
• T1055.001 Process Injection: Dynamic-link Library Injection CONTRIBUTE A TEST
• T1556 Modify Authentication Process CONTRIBUTE A TEST
• T1216 Signed Script Proxy Execution CONTRIBUTE A TEST
• T1078.003 Valid Accounts: Local Accounts
  • Atomic Test #8: Create local account (Linux) [linux]
  • Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
  • Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
  • Atomic Test #11: Login as nobody (Linux) [linux]
  • Atomic Test #12: Login as nobody (freebsd) [linux]
• T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
• T1127 Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
• T1218.014 MMC CONTRIBUTE A TEST
• T1564.010 Process Argument Spoofing CONTRIBUTE A TEST
• T1574.012 Hijack Execution Flow: COR_PROFILER CONTRIBUTE A TEST

privilege-escalation

• T1055.011 Process Injection: Extra Window Memory Injection CONTRIBUTE A TEST
• T1053.005 Scheduled Task/Job: Scheduled Task CONTRIBUTE A TEST
• T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
• T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
• T1546.013 Event Triggered Execution: PowerShell Profile CONTRIBUTE A TEST
• T1543 Create or Modify System Process CONTRIBUTE A TEST
• T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control CONTRIBUTE A TEST
• T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness CONTRIBUTE A TEST
• T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
• T1547.014 Active Setup CONTRIBUTE A TEST
• T1484.002 Domain Trust Modification CONTRIBUTE A TEST
• T1543.003 Create or Modify System Process: Windows Service CONTRIBUTE A TEST
• T1547.012 Boot or Logon Autostart Execution: Print Processors CONTRIBUTE A TEST
• T1574.001 Hijack Execution Flow: DLL Search Order Hijacking CONTRIBUTE A TEST
• T1574.014 AppDomainManager CONTRIBUTE A TEST
• T1053 Scheduled Task/Job CONTRIBUTE A TEST
• T1098.007 Additional Local or Domain Groups CONTRIBUTE A TEST
• T1055.003 Thread Execution Hijacking CONTRIBUTE A TEST
• T1546.011 Event Triggered Execution: Application Shimming CONTRIBUTE A TEST
• T1547.010 Boot or Logon Autostart Execution: Port Monitors CONTRIBUTE A TEST
• T1055 Process Injection CONTRIBUTE A TEST
• T1611 Escape to Host CONTRIBUTE A TEST
• T1547.009 Boot or Logon Autostart Execution: Shortcut Modification CONTRIBUTE A TEST
• T1547.005 Boot or Logon Autostart Execution: Security Support Provider CONTRIBUTE A TEST
• T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking CONTRIBUTE A TEST
• T1484.001 Domain Policy Modification: Group Policy Modification CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1547.003 Time Providers CONTRIBUTE A TEST
• T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
• T1134.002 Create Process with Token CONTRIBUTE A TEST
• T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL CONTRIBUTE A TEST
• T1546.012 Event Triggered Execution: Image File Execution Options Injection CONTRIBUTE A TEST
• T1055.013 Process Doppelgänging CONTRIBUTE A TEST
• T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
• T1546.008 Event Triggered Execution: Accessibility Features CONTRIBUTE A TEST
• T1055.004 Process Injection: Asynchronous Procedure Call CONTRIBUTE A TEST
• T1546.009 Event Triggered Execution: AppCert DLLs CONTRIBUTE A TEST
• T1098.005 Device Registration CONTRIBUTE A TEST
• T1055.002 Process Injection: Portable Executable Injection CONTRIBUTE A TEST
• T1134.001 Access Token Manipulation: Token Impersonation/Theft CONTRIBUTE A TEST
• T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
• T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST
• T1134.004 Access Token Manipulation: Parent PID Spoofing CONTRIBUTE A TEST
• T1546.001 Event Triggered Execution: Change Default File Association CONTRIBUTE A TEST
• T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
• T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder CONTRIBUTE A TEST
• T1098 Account Manipulation CONTRIBUTE A TEST
• T1574.013 KernelCallbackTable CONTRIBUTE A TEST
• T1574 Hijack Execution Flow CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1055.012 Process Injection: Process Hollowing CONTRIBUTE A TEST
• T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
• T1546 Event Triggered Execution CONTRIBUTE A TEST
• T1134.005 Access Token Manipulation: SID-History Injection CONTRIBUTE A TEST
• T1547.002 Authentication Package CONTRIBUTE A TEST
• T1546.015 Event Triggered Execution: Component Object Model Hijacking CONTRIBUTE A TEST
• T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path CONTRIBUTE A TEST
• T1078.002 Domain Accounts CONTRIBUTE A TEST
• T1037.003 Network Logon Script CONTRIBUTE A TEST
• T1546.010 Event Triggered Execution: AppInit DLLs CONTRIBUTE A TEST
• T1546.002 Event Triggered Execution: Screensaver CONTRIBUTE A TEST
• T1546.016 Installer Packages CONTRIBUTE A TEST
• T1134 Access Token Manipulation CONTRIBUTE A TEST
• T1055.005 Thread Local Storage CONTRIBUTE A TEST
• T1574.002 Hijack Execution Flow: DLL Side-Loading CONTRIBUTE A TEST
• T1098.002 Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST
• T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) CONTRIBUTE A TEST
• T1055.015 Process Injection: ListPlanting CONTRIBUTE A TEST
• T1484 Domain or Tenant Policy Modification CONTRIBUTE A TEST
• T1547.008 Boot or Logon Autostart Execution: LSASS Driver CONTRIBUTE A TEST
• T1053.002 Scheduled Task/Job: At
  • Atomic Test #2: At - Schedule a job [linux]
• T1055.001 Process Injection: Dynamic-link Library Injection CONTRIBUTE A TEST
• T1546.007 Event Triggered Execution: Netsh Helper DLL CONTRIBUTE A TEST
• T1078.003 Valid Accounts: Local Accounts
  • Atomic Test #8: Create local account (Linux) [linux]
  • Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
  • Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
  • Atomic Test #11: Login as nobody (Linux) [linux]
  • Atomic Test #12: Login as nobody (freebsd) [linux]
• T1574.012 Hijack Execution Flow: COR_PROFILER CONTRIBUTE A TEST

execution

• T1053.005 Scheduled Task/Job: Scheduled Task CONTRIBUTE A TEST
• T1047 Windows Management Instrumentation CONTRIBUTE A TEST
• T1129 Server Software Component CONTRIBUTE A TEST
• T1059.007 Command and Scripting Interpreter: JavaScript CONTRIBUTE A TEST
• T1559.002 Inter-Process Communication: Dynamic Data Exchange CONTRIBUTE A TEST
• T1204.002 User Execution: Malicious File CONTRIBUTE A TEST
• T1559.001 Component Object Model CONTRIBUTE A TEST
• T1053 Scheduled Task/Job CONTRIBUTE A TEST
• T1106 Native API CONTRIBUTE A TEST
• T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT CONTRIBUTE A TEST
• T1059 Command and Scripting Interpreter CONTRIBUTE A TEST
• T1204 User Execution CONTRIBUTE A TEST
• T1072 Software Deployment Tools CONTRIBUTE A TEST
• T1059.001 Command and Scripting Interpreter: PowerShell CONTRIBUTE A TEST
• T1559 Inter-Process Communication CONTRIBUTE A TEST
• T1059.011 Lua CONTRIBUTE A TEST
• T1203 Exploitation for Client Execution CONTRIBUTE A TEST
• T1059.006 Command and Scripting Interpreter: Python
  • Atomic Test #1: Execute shell script via python's command mode arguement [linux]
  • Atomic Test #2: Execute Python via scripts [linux]
  • Atomic Test #3: Execute Python via Python executables [linux]
  • Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
• T1569 System Services CONTRIBUTE A TEST
• T1059.003 Command and Scripting Interpreter: Windows Command Shell CONTRIBUTE A TEST
• T1059.005 Command and Scripting Interpreter: Visual Basic CONTRIBUTE A TEST
• T1204.001 Malicious Link CONTRIBUTE A TEST
• T1569.002 System Services: Service Execution
  • Atomic Test #3: psexec.py (Impacket) [linux]
• T1053.002 Scheduled Task/Job: At
  • Atomic Test #2: At - Schedule a job [linux]

persistence

• T1053.005 Scheduled Task/Job: Scheduled Task CONTRIBUTE A TEST
• T1205.002 Socket Filters CONTRIBUTE A TEST
• T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
• T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
• T1546.013 Event Triggered Execution: PowerShell Profile CONTRIBUTE A TEST
• T1543 Create or Modify System Process CONTRIBUTE A TEST
• T1133 External Remote Services CONTRIBUTE A TEST
• T1542.001 Pre-OS Boot: System Firmware CONTRIBUTE A TEST
• T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness CONTRIBUTE A TEST
• T1542.003 Bootkit CONTRIBUTE A TEST
• T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
• T1547.014 Active Setup CONTRIBUTE A TEST
• T1543.003 Create or Modify System Process: Windows Service CONTRIBUTE A TEST
• T1137 Office Application Startup CONTRIBUTE A TEST
• T1547.012 Boot or Logon Autostart Execution: Print Processors CONTRIBUTE A TEST
• T1574.001 Hijack Execution Flow: DLL Search Order Hijacking CONTRIBUTE A TEST
• T1137.006 Office Application Startup: Add-ins CONTRIBUTE A TEST
• T1505.002 Server Software Component: Transport Agent CONTRIBUTE A TEST
• T1574.014 AppDomainManager CONTRIBUTE A TEST
• T1053 Scheduled Task/Job CONTRIBUTE A TEST
• T1556.002 Modify Authentication Process: Password Filter DLL CONTRIBUTE A TEST
• T1505.005 Server Software Component: Terminal Services DLL CONTRIBUTE A TEST
• T1176 Browser Extensions
  • Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
  • Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
  • Atomic Test #3: Firefox [linux, windows, macos]
• T1137.005 Outlook Rules CONTRIBUTE A TEST
• T1098.007 Additional Local or Domain Groups CONTRIBUTE A TEST
• T1546.011 Event Triggered Execution: Application Shimming CONTRIBUTE A TEST
• T1547.010 Boot or Logon Autostart Execution: Port Monitors CONTRIBUTE A TEST
• T1205 Traffic Signaling CONTRIBUTE A TEST
• T1547.009 Boot or Logon Autostart Execution: Shortcut Modification CONTRIBUTE A TEST
• T1547.005 Boot or Logon Autostart Execution: Security Support Provider CONTRIBUTE A TEST
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking CONTRIBUTE A TEST
• T1505.003 Server Software Component: Web Shell CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1547.003 Time Providers CONTRIBUTE A TEST
• T1136.001 Create Account: Local Account
  • Atomic Test #1: Create a user account on a Linux system [linux]
  • Atomic Test #2: Create a user account on a FreeBSD system [linux]
  • Atomic Test #6: Create a new user in Linux with root UID and GID. [linux]
  • Atomic Test #7: Create a new user in FreeBSD with root GID. [linux]
• T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL CONTRIBUTE A TEST
• T1546.012 Event Triggered Execution: Image File Execution Options Injection CONTRIBUTE A TEST
• T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
• T1546.008 Event Triggered Execution: Accessibility Features CONTRIBUTE A TEST
• T1136.002 Create Account: Domain Account
  • Atomic Test #4: Active Directory Create Admin Account [linux]
  • Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
• T1542.002 Component Firmware CONTRIBUTE A TEST
• T1137.001 Office Application Startup: Office Template Macros. CONTRIBUTE A TEST
• T1546.009 Event Triggered Execution: AppCert DLLs CONTRIBUTE A TEST
• T1098.005 Device Registration CONTRIBUTE A TEST
• T1542 Pre-OS Boot CONTRIBUTE A TEST
• T1205.001 Port Knocking CONTRIBUTE A TEST
• T1556.008 Network Provider DLL CONTRIBUTE A TEST
• T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription CONTRIBUTE A TEST
• T1554 Compromise Host Software Binary CONTRIBUTE A TEST
• T1546.001 Event Triggered Execution: Change Default File Association CONTRIBUTE A TEST
• T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
• T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder CONTRIBUTE A TEST
• T1098 Account Manipulation CONTRIBUTE A TEST
• T1574.013 KernelCallbackTable CONTRIBUTE A TEST
• T1137.003 Outlook Forms CONTRIBUTE A TEST
• T1574 Hijack Execution Flow CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1505.004 IIS Components CONTRIBUTE A TEST
• T1546 Event Triggered Execution CONTRIBUTE A TEST
• T1547.002 Authentication Package CONTRIBUTE A TEST
• T1546.015 Event Triggered Execution: Component Object Model Hijacking CONTRIBUTE A TEST
• T1137.004 Office Application Startup: Outlook Home Page CONTRIBUTE A TEST
• T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path CONTRIBUTE A TEST
• T1078.002 Domain Accounts CONTRIBUTE A TEST
• T1037.003 Network Logon Script CONTRIBUTE A TEST
• T1197 BITS Jobs CONTRIBUTE A TEST
• T1546.010 Event Triggered Execution: AppInit DLLs CONTRIBUTE A TEST
• T1546.002 Event Triggered Execution: Screensaver CONTRIBUTE A TEST
• T1505 Server Software Component CONTRIBUTE A TEST
• T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
• T1556.005 Reversible Encryption CONTRIBUTE A TEST
• T1546.016 Installer Packages CONTRIBUTE A TEST
• T1136 Create Account CONTRIBUTE A TEST
• T1574.002 Hijack Execution Flow: DLL Side-Loading CONTRIBUTE A TEST
• T1098.002 Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST
• T1653 Power Settings CONTRIBUTE A TEST
• T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) CONTRIBUTE A TEST
• T1137.002 Office Application Startup: Office Test CONTRIBUTE A TEST
• T1547.008 Boot or Logon Autostart Execution: LSASS Driver CONTRIBUTE A TEST
• T1053.002 Scheduled Task/Job: At
  • Atomic Test #2: At - Schedule a job [linux]
• T1556 Modify Authentication Process CONTRIBUTE A TEST
• T1546.007 Event Triggered Execution: Netsh Helper DLL CONTRIBUTE A TEST
• T1505.001 SQL Stored Procedures CONTRIBUTE A TEST
• T1078.003 Valid Accounts: Local Accounts
  • Atomic Test #8: Create local account (Linux) [linux]
  • Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
  • Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
  • Atomic Test #11: Login as nobody (Linux) [linux]
  • Atomic Test #12: Login as nobody (freebsd) [linux]
• T1574.012 Hijack Execution Flow: COR_PROFILER CONTRIBUTE A TEST

command-and-control

• T1205.002 Socket Filters CONTRIBUTE A TEST
• T1132.001 Data Encoding: Standard Encoding
  • Atomic Test #1: Base64 Encoded data. [macos, linux]
  • Atomic Test #2: Base64 Encoded data (freebsd) [linux]
• T1568.002 Domain Generation Algorithms CONTRIBUTE A TEST
• T1071.004 Application Layer Protocol: DNS CONTRIBUTE A TEST
• T1071.005 Publish/Subscribe Protocols CONTRIBUTE A TEST
• T1573.001 Symmetric Cryptography CONTRIBUTE A TEST
• T1568.001 Fast Flux DNS CONTRIBUTE A TEST
• T1071 Application Layer Protocol CONTRIBUTE A TEST
• T1219 Remote Access Software CONTRIBUTE A TEST
• T1659 Content Injection CONTRIBUTE A TEST
• T1205 Traffic Signaling CONTRIBUTE A TEST
• T1572 Protocol Tunneling
  • Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
  • Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
  • Atomic Test #7: Cloudflare tunnels (Linux/macOS) [linux, macos]
• T1071.003 Mail Protocols CONTRIBUTE A TEST
• T1092 Communication Through Removable Media CONTRIBUTE A TEST
• T1090.002 External Proxy CONTRIBUTE A TEST
• T1090 Proxy CONTRIBUTE A TEST
• T1568 Dynamic Resolution CONTRIBUTE A TEST
• T1102 Web Service CONTRIBUTE A TEST
• T1568.003 DNS Calculation CONTRIBUTE A TEST
• T1104 Multi-Stage Channels CONTRIBUTE A TEST
• T1205.001 Port Knocking CONTRIBUTE A TEST
• T1071.002 File Transfer Protocols CONTRIBUTE A TEST
• T1102.003 One-Way Communication CONTRIBUTE A TEST
• T1090.003 Proxy: Multi-hop Proxy
  • Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu/FreeBSD [linux]
• T1001 Data Obfuscation CONTRIBUTE A TEST
• T1571 Non-Standard Port
  • Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
• T1573 Encrypted Channel CONTRIBUTE A TEST
• T1102.002 Bidirectional Communication CONTRIBUTE A TEST
• T1573.002 Asymmetric Cryptography CONTRIBUTE A TEST
• T1095 Non-Application Layer Protocol
  • Atomic Test #4: Linux ICMP Reverse Shell using icmp-cnc [linux]
• T1001.003 Protocol or Service Impersonation CONTRIBUTE A TEST
• T1090.004 Domain Fronting CONTRIBUTE A TEST
• T1132 Data Encoding CONTRIBUTE A TEST
• T1132.002 Non-Standard Encoding CONTRIBUTE A TEST
• T1071.001 Application Layer Protocol: Web Protocols
  • Atomic Test #3: Malicious User Agents - Nix [linux, macos]
• T1105 Ingress Tool Transfer
  • Atomic Test #1: rsync remote file copy (push) [linux, macos]
  • Atomic Test #2: rsync remote file copy (pull) [linux, macos]
  • Atomic Test #3: scp remote file copy (push) [linux, macos]
  • Atomic Test #4: scp remote file copy (pull) [linux, macos]
  • Atomic Test #5: sftp remote file copy (push) [linux, macos]
  • Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  • Atomic Test #14: whois file download [linux, macos]
  • Atomic Test #27: Linux Download File and Run [linux]
• T1665 Hide Infrastructure CONTRIBUTE A TEST
• T1001.002 Data Obfuscation via Steganography
  • Atomic Test #3: Execute Embedded Script in Image via Steganography [linux]
• T1008 Fallback Channels CONTRIBUTE A TEST
• T1090.001 Proxy: Internal Proxy
  • Atomic Test #1: Connection Proxy [linux, macos]
• T1102.001 Dead Drop Resolver CONTRIBUTE A TEST
• T1001.001 Junk Data CONTRIBUTE A TEST

collection

• T1560.001 Archive Collected Data: Archive via Utility
  • Atomic Test #5: Data Compressed - nix - zip [linux, macos]
  • Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
  • Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
  • Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
  • Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
• T1113 Screen Capture
  • Atomic Test #3: X Windows Capture [linux]
  • Atomic Test #4: X Windows Capture (freebsd) [linux]
  • Atomic Test #5: Capture Linux Desktop using Import Tool [linux]
  • Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux]
• T1557 Adversary-in-the-Middle CONTRIBUTE A TEST
• T1056.001 Input Capture: Keylogging
  • Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
  • Atomic Test #3: Logging bash history to syslog [linux]
  • Atomic Test #4: Logging sh history to syslog/messages [linux]
  • Atomic Test #5: Bash session based keylogger [linux]
  • Atomic Test #6: SSHD PAM keylogger [linux]
  • Atomic Test #7: Auditd keylogger [linux]
• T1213.002 Sharepoint CONTRIBUTE A TEST
• T1123 Audio Capture CONTRIBUTE A TEST
• T1560.003 Archive via Custom Method CONTRIBUTE A TEST
• T1114 Email Collection CONTRIBUTE A TEST
• T1025 Data from Removable Media CONTRIBUTE A TEST
• T1074.001 Data Staged: Local Data Staging
  • Atomic Test #2: Stage data from Discovery.sh [linux, macos]
• T1114.001 Email Collection: Local Email Collection CONTRIBUTE A TEST
• T1119 Automated Collection CONTRIBUTE A TEST
• T1115 Clipboard Data
  • Atomic Test #5: Add or copy content to clipboard with xClip [linux]
• T1074.002 Remote Data Staging CONTRIBUTE A TEST
• T1005 Data from Local System
  • Atomic Test #2: Find and dump sqlite databases (Linux) [linux]
• T1560.002 Archive Collected Data: Archive via Library
  • Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux]
  • Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
  • Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
  • Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
• T1560 Archive Collected Data CONTRIBUTE A TEST
• T1185 Browser Session Hijacking CONTRIBUTE A TEST
• T1557.003 DHCP Spoofing CONTRIBUTE A TEST
• T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST
• T1056.003 Web Portal Capture CONTRIBUTE A TEST
• T1125 Video Capture CONTRIBUTE A TEST
• T1114.003 Email Collection: Email Forwarding Rule CONTRIBUTE A TEST
• T1074 Data Staged CONTRIBUTE A TEST
• T1056.002 Input Capture: GUI Input Capture CONTRIBUTE A TEST
• T1039 Data from Network Shared Drive CONTRIBUTE A TEST
• T1114.002 Email Collection: Remote Email Collection CONTRIBUTE A TEST
• T1056 Input Capture CONTRIBUTE A TEST
• T1557.002 ARP Cache Poisoning CONTRIBUTE A TEST
• T1213 Data from Information Repositories CONTRIBUTE A TEST
• T1056.004 Input Capture: Credential API Hooking CONTRIBUTE A TEST

lateral-movement

• T1021.005 Remote Services:VNC CONTRIBUTE A TEST
• T1080 Taint Shared Content CONTRIBUTE A TEST
• T1091 Replication Through Removable Media CONTRIBUTE A TEST
• T1021.002 Remote Services: SMB/Windows Admin Shares CONTRIBUTE A TEST
• T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
• T1021 Remote Services CONTRIBUTE A TEST
• T1563 Remote Service Session Hijacking CONTRIBUTE A TEST
• T1021.006 Remote Services: Windows Remote Management CONTRIBUTE A TEST
• T1021.003 Remote Services: Distributed Component Object Model CONTRIBUTE A TEST
• T1550.003 Use Alternate Authentication Material: Pass the Ticket CONTRIBUTE A TEST
• T1072 Software Deployment Tools CONTRIBUTE A TEST
• T1210 Exploitation of Remote Services CONTRIBUTE A TEST
• T1534 Internal Spearphishing CONTRIBUTE A TEST
• T1570 Lateral Tool Transfer CONTRIBUTE A TEST
• T1563.002 Remote Service Session Hijacking: RDP Hijacking CONTRIBUTE A TEST
• T1550.002 Use Alternate Authentication Material: Pass the Hash CONTRIBUTE A TEST
• T1021.001 Remote Services: Remote Desktop Protocol CONTRIBUTE A TEST

credential-access

• T1557 Adversary-in-the-Middle CONTRIBUTE A TEST
• T1056.001 Input Capture: Keylogging
  • Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
  • Atomic Test #3: Logging bash history to syslog [linux]
  • Atomic Test #4: Logging sh history to syslog/messages [linux]
  • Atomic Test #5: Bash session based keylogger [linux]
  • Atomic Test #6: SSHD PAM keylogger [linux]
  • Atomic Test #7: Auditd keylogger [linux]
• T1110.001 Brute Force: Password Guessing
  • Atomic Test #5: SUDO Brute Force - Debian [linux]
  • Atomic Test #6: SUDO Brute Force - Redhat [linux]
  • Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
• T1003 OS Credential Dumping CONTRIBUTE A TEST
• T1539 Steal Web Session Cookie CONTRIBUTE A TEST
• T1003.002 OS Credential Dumping: Security Account Manager CONTRIBUTE A TEST
• T1110.002 Brute Force: Password Cracking CONTRIBUTE A TEST
• T1003.004 OS Credential Dumping: LSA Secrets CONTRIBUTE A TEST
• T1606.002 Forge Web Credentials: SAML token CONTRIBUTE A TEST
• T1555.005 Password Managers CONTRIBUTE A TEST
• T1040 Network Sniffing
  • Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  • Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
  • Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  • Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  • Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
  • Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
  • Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
  • Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
• T1552.002 Unsecured Credentials: Credentials in Registry CONTRIBUTE A TEST
• T1556.002 Modify Authentication Process: Password Filter DLL CONTRIBUTE A TEST
• T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting CONTRIBUTE A TEST
• T1558 Steal or Forge Kerberos Tickets CONTRIBUTE A TEST
• T1555 Credentials from Password Stores CONTRIBUTE A TEST
• T1552 Unsecured Credentials
  • Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1555.003 Credentials from Password Stores: Credentials from Web Browsers
  • Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
• T1557.003 DHCP Spoofing CONTRIBUTE A TEST
• T1552.004 Unsecured Credentials: Private Keys
  • Atomic Test #2: Discover Private SSH Keys [linux, macos]
  • Atomic Test #3: Copy Private SSH Keys with CP [linux]
  • Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux]
  • Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
  • Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux]
  • Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
  • Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux]
• T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST
• T1003.001 OS Credential Dumping: LSASS Memory CONTRIBUTE A TEST
• T1110.003 Brute Force: Password Spraying CONTRIBUTE A TEST
• T1056.003 Web Portal Capture CONTRIBUTE A TEST
• T1003.005 OS Credential Dumping: Cached Domain Credentials CONTRIBUTE A TEST
• T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket CONTRIBUTE A TEST
• T1649 Steal or Forge Authentication Certificates CONTRIBUTE A TEST
• T1552.001 Unsecured Credentials: Credentials In Files
  • Atomic Test #1: Find AWS credentials [macos, linux]
  • Atomic Test #3: Extract passwords with grep [linux, macos]
  • Atomic Test #6: Find and Access Github Credentials [linux, macos]
  • Atomic Test #15: Find Azure credentials [macos, linux]
  • Atomic Test #16: Find GCP credentials [macos, linux]
  • Atomic Test #17: Find OCI credentials [macos, linux]
• T1606.001 Web Cookies CONTRIBUTE A TEST
• T1552.006 Unsecured Credentials: Group Policy Preferences CONTRIBUTE A TEST
• T1556.008 Network Provider DLL CONTRIBUTE A TEST
• T1606 Forge Web Credentials CONTRIBUTE A TEST
• T1621 Multi-Factor Authentication Request Generation CONTRIBUTE A TEST
• T1212 Exploitation for Credential Access CONTRIBUTE A TEST
• T1056.002 Input Capture: GUI Input Capture CONTRIBUTE A TEST
• T1110 Brute Force CONTRIBUTE A TEST
• T1110.004 Brute Force: Credential Stuffing
  • Atomic Test #1: SSH Credential Stuffing From Linux [linux]
  • Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux]
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1187 Forced Authentication CONTRIBUTE A TEST
• T1056 Input Capture CONTRIBUTE A TEST
• T1557.002 ARP Cache Poisoning CONTRIBUTE A TEST
• T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket CONTRIBUTE A TEST
• T1555.004 Credentials from Password Stores: Windows Credential Manager CONTRIBUTE A TEST
• T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
• T1556.005 Reversible Encryption CONTRIBUTE A TEST
• T1111 Multi-Factor Authentication Interception CONTRIBUTE A TEST
• T1003.003 OS Credential Dumping: NTDS CONTRIBUTE A TEST
• T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting CONTRIBUTE A TEST
• T1003.006 OS Credential Dumping: DCSync CONTRIBUTE A TEST
• T1556 Modify Authentication Process CONTRIBUTE A TEST
• T1056.004 Input Capture: Credential API Hooking CONTRIBUTE A TEST

discovery

• T1033 System Owner/User Discovery
  • Atomic Test #2: System Owner/User Discovery [linux, macos]
• T1016.001 System Network Configuration Discovery: Internet Connection Discovery
  • Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
• T1069 Permission Groups Discovery CONTRIBUTE A TEST
• T1615 Group Policy Discovery CONTRIBUTE A TEST
• T1652 Device Driver Discovery CONTRIBUTE A TEST
• T1087.002 Account Discovery: Domain Account
  • Atomic Test #23: Active Directory Domain Search [linux]
  • Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
• T1087.001 Account Discovery: Local Account
  • Atomic Test #1: Enumerate all accounts (Local) [linux]
  • Atomic Test #2: View sudoers access [linux, macos]
  • Atomic Test #3: View accounts with UID 0 [linux, macos]
  • Atomic Test #4: List opened files by user [linux, macos]
  • Atomic Test #5: Show if a user account has ever logged in remotely [linux]
  • Atomic Test #6: Enumerate users and groups [linux, macos]
• T1497.001 Virtualization/Sandbox Evasion: System Checks
  • Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  • Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
• T1069.002 Permission Groups Discovery: Domain Groups
  • Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
• T1007 System Service Discovery
  • Atomic Test #3: System Service Discovery - systemctl/service [linux]
• T1040 Network Sniffing
  • Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  • Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
  • Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  • Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  • Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
  • Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
  • Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
  • Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
• T1135 Network Share Discovery
  • Atomic Test #2: Network Share Discovery - linux [linux]
  • Atomic Test #3: Network Share Discovery - FreeBSD [linux]
• T1120 Peripheral Device Discovery CONTRIBUTE A TEST
• T1082 System Information Discovery
  • Atomic Test #3: List OS Information [linux, macos]
  • Atomic Test #4: Linux VM Check via Hardware [linux]
  • Atomic Test #5: Linux VM Check via Kernel Modules [linux]
  • Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux]
  • Atomic Test #8: Hostname Discovery [linux, macos]
  • Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
  • Atomic Test #25: Linux List Kernel Modules [linux]
  • Atomic Test #26: FreeBSD List Kernel Modules [linux]
• T1016.002 System Network Configuration Discovery: Wi-Fi Discovery CONTRIBUTE A TEST
• T1010 Application Window Discovery CONTRIBUTE A TEST
• T1087.003 Email Account CONTRIBUTE A TEST
• T1497.003 Time Based Evasion
  • Atomic Test #1: Delay execution with ping [linux, macos]
• T1217 Browser Bookmark Discovery
  • Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux]
  • Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux]
• T1016 System Network Configuration Discovery
  • Atomic Test #3: System Network Configuration Discovery [macos, linux]
• T1087 Account Discovery CONTRIBUTE A TEST
• T1482 Domain Trust Discovery CONTRIBUTE A TEST
• T1083 File and Directory Discovery
  • Atomic Test #3: Nix File and Directory Discovery [linux, macos]
  • Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
• T1049 System Network Connections Discovery
  • Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
• T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
• T1654 Log Enumeration CONTRIBUTE A TEST
• T1057 Process Discovery
  • Atomic Test #1: Process Discovery - ps [linux, macos]
• T1497.002 User Activity Based Checks CONTRIBUTE A TEST
• T1069.001 Permission Groups Discovery: Local Groups
  • Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
• T1201 Password Policy Discovery
  • Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
  • Atomic Test #2: Examine password complexity policy - FreeBSD [linux]
  • Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux]
  • Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux]
  • Atomic Test #5: Examine password expiration policy - All Linux [linux]
• T1614.001 System Location Discovery: System Language Discovery
  • Atomic Test #3: Discover System Language with locale [linux]
  • Atomic Test #4: Discover System Language with localectl [linux]
  • Atomic Test #5: Discover System Language by locale file [linux]
  • Atomic Test #6: Discover System Language by Environment Variable Query [linux]
• T1012 Query Registry CONTRIBUTE A TEST
• T1614 System Location Discovery
  • Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
• T1518.001 Software Discovery: Security Software Discovery
  • Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
  • Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux]
• T1018 Remote System Discovery
  • Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
  • Atomic Test #7: Remote System Discovery - sweep [linux, macos]
  • Atomic Test #12: Remote System Discovery - ip neighbour [linux]
  • Atomic Test #13: Remote System Discovery - ip route [linux]
  • Atomic Test #14: Remote System Discovery - netstat [linux]
  • Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux]
• T1046 Network Service Discovery
  • Atomic Test #1: Port Scan [linux, macos]
  • Atomic Test #2: Port Scan Nmap [linux, macos]
  • Atomic Test #12: Port Scan using nmap (Port range) [linux, macos]
• T1518 Software Discovery CONTRIBUTE A TEST
• T1622 Debugger Evasion CONTRIBUTE A TEST
• T1124 System Time Discovery
  • Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]

impact

• T1561.002 Disk Structure Wipe CONTRIBUTE A TEST
• T1498.001 Direct Network Flood CONTRIBUTE A TEST
• T1491.002 External Defacement CONTRIBUTE A TEST
• T1499.001 OS Exhaustion Flood CONTRIBUTE A TEST
• T1499.003 Application Exhaustion Flood CONTRIBUTE A TEST
• T1561 Disk Wipe CONTRIBUTE A TEST
• T1565.001 Stored Data Manipulation CONTRIBUTE A TEST
• T1489 Service Stop
  • Atomic Test #4: Linux - Stop service using systemctl [linux]
  • Atomic Test #5: Linux - Stop service by killing process using killall [linux]
  • Atomic Test #6: Linux - Stop service by killing process using kill [linux]
  • Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
• T1499.004 Application or System Exploitation CONTRIBUTE A TEST
• T1565.003 Runtime Data Manipulation CONTRIBUTE A TEST
• T1498.002 Reflection Amplification CONTRIBUTE A TEST
• T1499.002 Service Exhaustion Flood CONTRIBUTE A TEST
• T1491 Defacement CONTRIBUTE A TEST
• T1496.002 Bandwidth Hijacking CONTRIBUTE A TEST
• T1657 Financial Theft CONTRIBUTE A TEST
• T1491.001 Defacement: Internal Defacement CONTRIBUTE A TEST
• T1496.001 Compute Hijacking CONTRIBUTE A TEST
• T1565 Data Manipulation CONTRIBUTE A TEST
• T1531 Account Access Removal
  • Atomic Test #4: Change User Password via passwd [macos, linux]
• T1486 Data Encrypted for Impact
  • Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux]
  • Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux]
  • Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux]
  • Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux]
• T1499 Endpoint Denial of Service CONTRIBUTE A TEST
• T1496 Resource Hijacking
  • Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
• T1565.002 Transmitted Data Manipulation CONTRIBUTE A TEST
• T1485 Data Destruction
  • Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
• T1498 Network Denial of Service CONTRIBUTE A TEST
• T1495 Firmware Corruption CONTRIBUTE A TEST
• T1490 Inhibit System Recovery CONTRIBUTE A TEST
• T1561.001 Disk Content Wipe CONTRIBUTE A TEST
• T1529 System Shutdown/Reboot
  • Atomic Test #3: Restart System via shutdown - FreeBSD/macOS/Linux [linux, macos]
  • Atomic Test #4: Shutdown System via shutdown - FreeBSD/macOS/Linux [linux, macos]
  • Atomic Test #5: Restart System via reboot - FreeBSD/macOS/Linux [linux, macos]
  • Atomic Test #6: Shutdown System via halt - FreeBSD/Linux [linux]
  • Atomic Test #7: Reboot System via halt - FreeBSD [linux]
  • Atomic Test #8: Reboot System via halt - Linux [linux]
  • Atomic Test #9: Shutdown System via poweroff - FreeBSD/Linux [linux]
  • Atomic Test #10: Reboot System via poweroff - FreeBSD [linux]
  • Atomic Test #11: Reboot System via poweroff - Linux [linux]

initial-access

• T1133 External Remote Services CONTRIBUTE A TEST
• T1195.001 Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST
• T1566.002 Phishing: Spearphishing Link CONTRIBUTE A TEST
• T1566.001 Phishing: Spearphishing Attachment CONTRIBUTE A TEST
• T1195.003 Compromise Hardware Supply Chain CONTRIBUTE A TEST
• T1091 Replication Through Removable Media CONTRIBUTE A TEST
• T1195 Supply Chain Compromise CONTRIBUTE A TEST
• T1190 Exploit Public-Facing Application CONTRIBUTE A TEST
• T1659 Content Injection CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1199 Trusted Relationship CONTRIBUTE A TEST
• T1566 Phishing CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1566.004 Spearphishing Voice CONTRIBUTE A TEST
• T1195.002 Compromise Software Supply Chain CONTRIBUTE A TEST
• T1078.002 Domain Accounts CONTRIBUTE A TEST
• T1200 Hardware Additions CONTRIBUTE A TEST
• T1189 Drive-by Compromise CONTRIBUTE A TEST
• T1566.003 Spearphishing via Service CONTRIBUTE A TEST
• T1078.003 Valid Accounts: Local Accounts
  • Atomic Test #8: Create local account (Linux) [linux]
  • Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
  • Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
  • Atomic Test #11: Login as nobody (Linux) [linux]
  • Atomic Test #12: Login as nobody (freebsd) [linux]

exfiltration

• T1567 Exfiltration Over Web Service CONTRIBUTE A TEST
• T1567.004 Exfiltration Over Webhook CONTRIBUTE A TEST
• T1029 Scheduled Transfer CONTRIBUTE A TEST
• T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
• T1011.001 Exfiltration Over Bluetooth CONTRIBUTE A TEST
• T1020 Automated Exfiltration CONTRIBUTE A TEST
• T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST
• T1567.001 Exfiltration to Code Repository CONTRIBUTE A TEST
• T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]
  • Atomic Test #3: Exfiltrate data in a file over HTTPS using wget [linux]
  • Atomic Test #4: Exfiltrate data as text over HTTPS using wget [linux]
• T1041 Exfiltration Over C2 Channel CONTRIBUTE A TEST
• T1048 Exfiltration Over Alternative Protocol
  • Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
  • Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
  • Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
• T1052.001 Exfiltration over USB CONTRIBUTE A TEST
• T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites CONTRIBUTE A TEST
• T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • Atomic Test #2: Exfiltrate data with rclone to cloud Storage - AWS S3 [linux, macos]
• T1030 Data Transfer Size Limits
  • Atomic Test #1: Data Transfer Size Limits [macos, linux]
• T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
• T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
  • Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
  • Atomic Test #8: Python3 http.server [linux]