diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index c60142c3..ff586704 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -201,6 +201,9 @@ defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003
 defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
 defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
 defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
 defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 578c39c2..d6e0a828 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -151,6 +151,9 @@ defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003
 defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
 defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
 defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 36b04a9e..9df4894e 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -276,6 +276,9 @@
 - Atomic Test #36: Disable Windows Security Center Notifications [windows]
 - Atomic Test #37: Suppress Win Defender Notifications [windows]
 - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
+ - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
+ - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
+ - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index ee67c693..5e95cd1a 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -209,6 +209,9 @@
 - Atomic Test #36: Disable Windows Security Center Notifications [windows]
 - Atomic Test #37: Suppress Win Defender Notifications [windows]
 - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
+ - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
+ - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
+ - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index f4abab31..fa4f684f 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml 
@@ -10555,6 +10555,70 @@ defense-evasion: ' name: command_prompt elevation_required: true + - name: NetWire RAT Registry Key Creation + auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 + description: | + NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry. + See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ + supported_platforms: + - windows + executor: + command: | + reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f + reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f + reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f + cleanup_command: | + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1 + reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1 + reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1 + name: command_prompt + elevation_required: true + - name: Ursnif Malware Registry Key Creation + auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0 + description: | + Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ + More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ + supported_platforms: + - windows + executor: + command: 'reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 + /v comsxRes /t REG_BINARY /d 72656463616e617279 /f + + ' + cleanup_command: | + reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1 + reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1 + name: command_prompt + elevation_required: true + - name: Terminal Server 
Client Connection History Cleared + auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21 + description: 'The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) + saves the remote computer name (or IP address) and the username that is used + to login after each successful connection to the remote computer + + ' + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: "Must have the \"MR9\" Remote Desktop Connection history Key + \n" + prereq_command: 'if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal + Server Client\Default\").MR9) {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client" -ErrorAction Ignore + New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore + New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1" -PropertyType "String" -ErrorAction Ignore + New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore + New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore + executor: + command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f + name: command_prompt + elevation_required: true T1574.008: technique: x_mitre_platforms: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 6b0a8033..1e22fbdf 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md 
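Review bot: The executor of the new "Terminal Server Client Connection History Cleared" entry (`reg delete "...\Terminal Server Client\Default" /va /f` followed by `reg delete "...\Terminal Server Client\Servers" /f`) wipes the whole Default and Servers keys, so on a host that has a genuine RDP history it destroys the operator's own data, and unlike the NetWire and Ursnif entries it defines no cleanup_command to put anything back. Since the prereq only guarantees the MR9 value and the Redcanary subkey exist, the deletion should be scoped to what the prereq created, e.g. `reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /v MR9 /f` and `reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\Redcanary" /f`, or the key should be saved with `reg export` in get_prereq_command and restored in a cleanup_command. Every command in the three new entries writes only under HKCU, so `elevation_required: true` looks unnecessary and may cause a harness to skip these tests when run unelevated. If atomics/Indexes/index.yaml is regenerated from the technique's own yaml, these fixes belong in that source file rather than in this index.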
@@ -86,6 +86,12 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #38 - Allow RDP Remote Assistance Feature](#atomic-test-38---allow-rdp-remote-assistance-feature) +- [Atomic Test #39 - NetWire RAT Registry Key Creation](#atomic-test-39---netwire-rat-registry-key-creation) + +- [Atomic Test #40 - Ursnif Malware Registry Key Creation](#atomic-test-40---ursnif-malware-registry-key-creation) + +- [Atomic Test #41 - Terminal Server Client Connection History Cleared](#atomic-test-41---terminal-server-client-connection-history-cleared) +
@@ -1414,4 +1420,120 @@ reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetH +
+
+ +## Atomic Test #39 - NetWire RAT Registry Key Creation +NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry. +See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f +reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f +reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1 +reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1 +reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #40 - Ursnif Malware Registry Key Creation +Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ +More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** c375558d-7c25-45e9-bd64-7b23a97c1db0 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY /d 72656463616e617279 /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1 +reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #41 - Terminal Server Client Connection History Cleared +The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3448824b-3c35-4a9e-a8f5-f887f68bea21 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Must have the "MR9" Remote Desktop Connection history Key +##### Check Prereq Commands: +```powershell +if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client" -ErrorAction Ignore +New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore +New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1" -PropertyType "String" -ErrorAction Ignore +New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore +New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore +``` + + + +